XRTN is a ransomware virus that researchers report to belong to the VaultCrypt family. It appends the same .xrtn file extension to files after it has encrypted them with the RSA-1024 algorithm. In addition to this algorithm, the ransomware uses other mechanisms that make brute-force decryption even more impractical. Although the creators of XRTN do not state the amount demanded as a ransom to decrypt the files, users believe it is in the range of 1 – 5 BitCoins. It is strongly advisable not to pay any ransom money to the cyber-criminals: there is no guarantee the files will be restored, and paying helps their cyber-crime syndicate spread this ransomware virus further. We recommend removing the ransomware and attempting to restore your files using alternative file-restoration methods such as the ones in this article.
| Field | Description |
|---|---|
| Short Description | The ransomware encrypts files with the RSA-1024 cipher and asks the victim to contact the cyber-criminals for decryption. |
| Symptoms | Files are encrypted and become inaccessible, with a .xrtn extension added. A ransom note with instructions is set as the wallpaper, asking the victim to contact the email@example.com e-mail address. |
| Distribution Method | Spam e-mails, e-mail attachments, file-sharing networks. |
| Detection Tool | See If Your System Has Been Affected by XRTN (Malware Removal Tool) |
| User Experience | Join our forum to discuss XRTN Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only some of them, depending on the situation and whether or not you have reformatted your drive. |
XRTN Ransomware – Distribution Ways
From this host, a malicious file that may carry the name “GnuPG.exe” may be downloaded onto the victim’s computer. The file may contain so-called obfuscators, which let it run while staying concealed from standard antivirus programs.
How Does XRTN Ransomware Work
After the malicious executable has been dropped, malware researchers report that the following files are created in the infected device’s %Temp% folder:
Source: Infected Users
In addition to those files, XRTN is reported to be associated with other malicious files in the %AppData% directory:
XRTN crypto-virus is also reported to create a “Run”-type registry entry, something rather typical for such a virus. The key aims to run an .hta file when Windows starts, which points to this file being the same encryptor used by VaultCrypt ransomware:
Most of the files created by XRTN ransomware have alphanumeric names, suggesting their filenames may be generated automatically with each infection.
Once stealthily activated on the computer, XRTN begins to look for the following types of documents, photos and other files in order to encrypt them:
The encrypted files have the .xrtn file extension appended, for example:
Regarding encryption, XRTN uses the very strong RSA-1024 encryption algorithm. Also, it uses the so-called GNU Privacy Guard (GnuPG), which as its exit code. Finally, after encryption, the XRTN.key file containing the decryption information is created in either the %TEMP% or the %APPDATA% folder.
The ransomware changes the user’s wallpaper to the ransom payment instructions, which read as follows:
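The indicators described above (a Run-type registry value that launches an .hta file at startup, files carrying the .xrtn extension, and an XRTN.key file dropped in %TEMP% or %APPDATA%) can be turned into a simple host check. The following script is an added example written for this article; it is not code from the original page or from any removal tool. It works on constructed sample data (registry values already read out as name/command pairs, a list of file paths, and the expanded TEMP and APPDATA directories), so it runs offline on any platform; the file and value names in the sample are invented to mimic the random alphanumeric names the article mentions.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Indicators taken from the article: encrypted files get the .xrtn extension,
# a Run-type registry value launches an .hta file at logon, and XRTN.key is
# dropped in %TEMP% or %APPDATA%.
ENCRYPTED_EXT = ".xrtn"
KEY_FILE_NAME = "xrtn.key"
# ".hta" followed by a non-word character (quote, space, end of string), so
# that names such as ".htaccess" are not matched.
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)


@dataclass
class Findings:
    hta_run_entries: list = field(default_factory=list)
    encrypted_files: list = field(default_factory=list)
    key_files: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.hta_run_entries or self.encrypted_files or self.key_files)


def check_run_entries(run_entries):
    """run_entries: iterable of (value_name, command) pairs as read from a
    HKCU/HKLM ...\\Run key. Returns the entries whose command launches an
    .hta file, which is the persistence pattern the article describes."""
    return [(name, cmd) for name, cmd in run_entries if HTA_RE.search(cmd)]


def check_files(paths, env):
    """paths: iterable of Windows paths; env: dict mapping 'TEMP' and
    'APPDATA' to their expanded directories. Returns (encrypted, key_files):
    files ending in .xrtn, and XRTN.key files located in one of the two
    documented drop folders (case-insensitive, as on NTFS)."""
    key_dirs = {ntpath.normcase(env[k]) for k in ("TEMP", "APPDATA") if k in env}
    encrypted, key_files = [], []
    for p in paths:
        directory, name = ntpath.split(p)
        lname = name.lower()
        if lname.endswith(ENCRYPTED_EXT):
            encrypted.append(p)
        elif lname == KEY_FILE_NAME and ntpath.normcase(directory) in key_dirs:
            key_files.append(p)
    return encrypted, key_files


def scan(run_entries, paths, env) -> Findings:
    """Combine both checks into one Findings record."""
    encrypted, key_files = check_files(paths, env)
    return Findings(check_run_entries(run_entries), encrypted, key_files)


# Constructed sample input (not real infection data): one benign Run value,
# one value launching a randomly named .hta, and a handful of file paths.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("a7f3k2", r'"C:\Users\alice\AppData\Roaming\a7f3k2.hta"'),
]
SAMPLE_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\report.docx.xrtn",
    r"C:\Users\alice\Pictures\holiday.jpg.xrtn",
    r"C:\Users\alice\AppData\Local\Temp\XRTN.key",
    r"C:\Users\alice\Desktop\XRTN.key",  # outside the documented drop folders
]

if __name__ == "__main__":
    result = scan(SAMPLE_RUN_ENTRIES, SAMPLE_FILES, SAMPLE_ENV)
    print("suspicious:", result.suspicious)
    for name, cmd in result.hta_run_entries:
        print("Run value launching .hta:", name, "->", cmd)
    for p in result.encrypted_files:
        print("encrypted file:", p)
    for p in result.key_files:
        print("key file in documented location:", p)
```

On a live Windows host the same functions can be fed with the values enumerated from the Run keys and a directory walk of the user profile; the XRTN.key path returned by `check_files` is worth preserving before cleanup, since the article notes it holds the decryption information.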
Remove XRTN Ransomware and Try to Revert The Files
XRTN ransomware is believed most likely to be a virus “assembled” from other ransom-demanding cyber threats, like VaultCrypt. So far, direct decryption of its files is not possible, but we will update this article as soon as a decryptor is released. Until then, DO NOT pay the ransom; instead, after removing the ransomware, try alternative methods to restore your files, like the suggestions in step “3. Restore files encrypted by XRTN” below. For the removal of XRTN, it is also recommended to use an advanced anti-malware program, because the XRTN virus may create randomly named files in different Windows directories, so an automatic approach may be more appropriate.