TeamXrat Virus (Xpan) – Remove and Decrypt .___xratteamLucked Files - How to, Technology and PC Security Forum

TeamXrat Virus (Xpan) – Remove and Decrypt .___xratteamLucked Files


A new ransomware family is spreading through the Remote Desktop Protocol (RDP), which is enabled on many servers. Its real name is Xpan, but many victims and some researchers refer to it as TeamXRat ransomware, after the criminal group that developed it and signs the ransom note with that name. The extension .___xratteamLucked is appended to every file it encrypts.

The ransomware originates from Brazil, but residents of other countries may get infected as well. To remove the virus and see how you can try to decrypt your files, read this article carefully.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The ransomware is distributed by brute-forcing weak passwords on servers exposed over the Remote Desktop Protocol (RDP). Once inside, the attackers load the Xpan Trojan horse, which encrypts the files on the compromised PC.
Symptoms: The virus appends the .___xratteamLucked extension to the files it encrypts.
Distribution Method: Targeted attacks over the Remote Desktop Protocol (RDP)

TeamXRat Virus – Infection

The TeamXRat virus is unusual among ransomware in how it gets onto a machine: it relies on targeted attacks, brute-forcing the passwords of servers exposed via the Remote Desktop Protocol (RDP). Remote Desktop is built into Windows and is often left enabled and reachable from the internet on servers; other operating systems have RDP servers of their own, which makes them viable targets for the same attack. Once a weak password has been guessed, the access is used immediately: the attackers log in, manually turn off the anti-virus software they find on the server, and only then install the Xpan ransomware Trojan.
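Detecting this entry vector is a matter of watching the Windows Security log for a run of failed logons followed by a success from the same address. The Python script below is an added example written for this article, not code from the original page or anything the TeamXRat group wrote. It runs over a constructed, simplified one-line-per-event rendering of 4625 (failed logon) and 4624 (successful logon) events; the field layout, the sample addresses and the five-failure threshold are assumptions for illustration.

```python
"""Detect RDP password guessing followed by a successful remote logon.

Added example, not code from the original article or from the Xpan
authors. It works on a constructed, simplified rendering of Windows
Security log events: ID 4625 (failed logon) and ID 4624 (successful
logon), with the logon type, account and source address. Logon type 10
is RemoteInteractive (RDP); with Network Level Authentication enabled,
failed RDP attempts are logged as type 3 (Network), so both types count
as guesses against the RDP service.
"""
from collections import defaultdict

# Constructed sample (not a real capture): "timestamp event_id logon_type account source_ip"
SAMPLE_LOG = """\
2016-09-27T02:14:01 4625 3 administrator 203.0.113.45
2016-09-27T02:14:02 4625 3 administrator 203.0.113.45
2016-09-27T02:14:03 4625 3 admin 203.0.113.45
2016-09-27T02:14:04 4625 3 sqladmin 203.0.113.45
2016-09-27T02:14:05 4625 3 administrador 203.0.113.45
2016-09-27T02:14:06 4625 3 administrador 203.0.113.45
2016-09-27T02:14:07 4624 10 administrador 203.0.113.45
2016-09-27T02:20:00 4624 10 jsmith 198.51.100.7
2016-09-27T02:21:00 4625 3 jsmith 198.51.100.7
"""

RDP_LOGON_TYPES = {"3", "10"}
FAILURE_THRESHOLD = 5  # assumed tuning: failures from one address before a success is suspicious


def parse_events(text):
    """Turn the simplified log lines into dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({"ts": ts, "id": event_id, "type": logon_type,
                       "account": account, "src": src})
    return events


def find_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD):
    """Return one alert per RDP (type 10) success whose source address
    had at least `threshold` failed RDP logons earlier in the log."""
    failures = defaultdict(int)   # source ip -> failed logons so far
    tried = defaultdict(set)      # source ip -> account names guessed
    alerts = []
    for ev in events:
        if ev["type"] not in RDP_LOGON_TYPES:
            continue
        if ev["id"] == "4625":
            failures[ev["src"]] += 1
            tried[ev["src"]].add(ev["account"])
        elif ev["id"] == "4624" and ev["type"] == "10":
            if failures[ev["src"]] >= threshold:
                alerts.append({
                    "ts": ev["ts"],
                    "src": ev["src"],
                    "account": ev["account"],
                    "failures": failures[ev["src"]],
                    "accounts_tried": sorted(tried[ev["src"]]),
                })
    return alerts


if __name__ == "__main__":
    for a in find_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']} RDP logon as {a['account']} from {a['src']} "
              f"after {a['failures']} failures "
              f"(accounts tried: {', '.join(a['accounts_tried'])})")
```

On a real host the same fields come from the Security log (Get-WinEvent or wevtutil) rather than from the one-line format used here, and the alert is the point at which to look for the anti-virus being switched off. The preventive controls are the usual ones: no RDP exposed directly to the internet, Network Level Authentication on, strong passwords and an account lockout policy that ends the guessing long before the threshold above.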

Other distribution channels cannot be excluded, however, such as malicious spam e-mail campaigns, social networks or file-sharing services, where a file carrying the malware payload can be placed. If you interact with such a file, and in particular execute it, the files on your whole computer may be encrypted. Before opening a file of unknown origin, check its digital signature and size, and scan it with a security tool. More tips on ransomware prevention are in our forum thread.

TeamXRat Virus – Information

The Xpan Trojan is what many people have dubbed TeamXRat, largely because the ransomware carries the signature TeamXRat in its ransom note and on the wallpaper it sets after encrypting files. It is developed by Brazilian criminals who identify themselves as TeamXRat or CorporacaoXRat (CorporationXRat). Although the virus originates in Brazil and most compromised computers are there, people in other countries have also fallen victim to this cyber threat.

The TeamXRat criminals have developed ransomware before: the Xrat ransomware, built on Xorist. Their newest ransomware improves on it with a stronger encryption algorithm.

The ransomware creates the following sub-key in the Windows Registry:

→HKEY_CLASSES_ROOT\.____xratteamLucked

After that, the following Registry entries are created in the above-mentioned sub-key:

→HKEY_CLASSES_ROOT\.____xratteamLucked\"Default" = "Criptografado!!"

→HKEY_CLASSES_ROOT\.____xratteamLucked\DefaultIcon\"Default" = "%SystemDrive%\System32\shell32.dll,47"

→HKEY_CLASSES_ROOT\.____xratteamLucked\shell\open\command\"Default" = "[DOS SCRIPT]"

These entries register the new extension as a file type: the first value labels it "Criptografado!!" (Portuguese for "Encrypted!!"), the DefaultIcon value gives encrypted files an icon taken from shell32.dll, and the shell\open\command value means that double-clicking an encrypted file runs a DOS script instead of opening the original program. On top of that, the ransomware stops the following processes (marked with .exe) and services. All of them are database servers (Firebird, PostgreSQL and Microsoft SQL Server), which are killed so that the database files they hold open can be encrypted as well:

  • fb_inet_server.exe
  • pg_ctl.exe
  • sqlservr.exe
  • postgresql-9.0
  • FirebirdServerDefaultInstance

Finally, the following file with the payment instructions is created next to the encrypted files:

→[PATH OF ENCRYPTED FILES]\Como descriptografar os seus arquivos.txt

The file is written in Brazilian Portuguese and looks like this:


Another change you might notice is that your desktop wallpaper will be changed with this picture:


They describe the encryption algorithm used, demand one Bitcoin as payment, and give an e-mail address for contacting the cyber crooks.

Do not even think of paying the malware makers: nobody can guarantee you will get your files back after payment, and the money will undeniably fund further criminal activity, such as the development of new ransomware or worse.

All encrypted files have the extension .___xratteamLucked or .____xratteamLucked appended to them. The ransomware uses a 255-character password with 256-bit AES ciphers together with 2048-bit RSA, a combination that rules out guessing the password or recovering it from the encrypted files. Usually we list the file types that such a cryptovirus encrypts, but this time it is easier to list the file types it does not encrypt, because they are on an exception list:

→.exe .dll .lnk .bat .ini .msi .scf

Here is the full list of path strings that are excluded from encryption (a file is skipped when its path contains one of them):

File Path Strings Exclusions List

\DVD Maker\
\Microsoft Games\
\Reference Assemblies\
\Windows Defender\
\Windows Journal\
\Windows Mail\
\Windows Media Player\
\Windows NT\
\Windows Photo Viewer\
\Windows Sidebar\
\Common Files\
\Internet Explorer\
\AVAST Software\
\Cobian Backup
\K-Lite Codec Pack\
\Microsoft SDKs\
\Microsoft Silverlight\
\Microsoft SQL Server Compact Edition\
\Microsoft Visual Studio\
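The indicators above (the two extensions, the ransom-note filename, the extension exception list and the path-string exclusions) can be turned into a triage script that tells a responder which files were encrypted, which were never targets, and which untouched files the malware would have encrypted. The following Python is an added example written for this article, not code from the page or from the malware. The directory layout it builds is constructed, and case-insensitive extension matching is an assumption, since the article does not say how the malware compares extensions.

```python
"""Triage a directory tree for Xpan/TeamXRat artefacts and at-risk files.

Added example, not code from the article or from the malware. It builds a
small constructed directory tree in a temporary folder and walks it,
applying the indicators described in the article: the two encrypted-file
extensions, the ransom-note filename, the extension exception list and
the path-string exclusion list.
"""
import os
import tempfile

ENCRYPTED_EXTS = (".___xratteamLucked", ".____xratteamLucked")
RANSOM_NOTE = "Como descriptografar os seus arquivos.txt"
EXCLUDED_EXTS = {".exe", ".dll", ".lnk", ".bat", ".ini", ".msi", ".scf"}
# Path strings as published in the article (duplicate removed; "\Cobian Backup"
# kept without a trailing backslash exactly as listed).
EXCLUDED_PATH_STRINGS = [
    "\\DVD Maker\\", "\\Microsoft Games\\", "\\Reference Assemblies\\",
    "\\Windows Defender\\", "\\Windows Journal\\", "\\Windows Mail\\",
    "\\Windows Media Player\\", "\\Windows NT\\", "\\Windows Photo Viewer\\",
    "\\Windows Sidebar\\", "\\Common Files\\", "\\Internet Explorer\\",
    "\\AVAST Software\\", "\\Cobian Backup", "\\K-Lite Codec Pack\\",
    "\\Microsoft SDKs\\", "\\Microsoft Silverlight\\",
    "\\Microsoft SQL Server Compact Edition\\", "\\Microsoft Visual Studio\\",
]


def classify(path):
    """Label one file. Artefacts are checked first, then the malware's own
    skip rules, and whatever is left is 'at_risk'. Case-insensitive
    extension matching is an assumption, not something the article states."""
    name = os.path.basename(path)
    win_path = path.replace(os.sep, "\\")  # so the exclusion strings match on any OS
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXTS):
        return "encrypted"
    if any(s in win_path for s in EXCLUDED_PATH_STRINGS):
        return "excluded_path"
    if os.path.splitext(name)[1].lower() in EXCLUDED_EXTS:
        return "excluded_ext"
    return "at_risk"


def triage(root):
    """Walk `root` and group relative paths (forward slashes) by label."""
    summary = {k: [] for k in
               ("ransom_note", "encrypted", "excluded_path", "excluded_ext", "at_risk")}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            summary[classify(full)].append(rel)
    for paths in summary.values():
        paths.sort()
    return summary


# Constructed sample tree mimicking a hit file server; file contents are dummies.
SAMPLE_TREE = {
    "Docs/report.docx.___xratteamLucked": "dummy ciphertext",
    "Docs/" + RANSOM_NOTE: "dummy note text",
    "Docs/budget.xlsx": "restored from backup after the attack",
    "Program Files/Internet Explorer/iexplore.exe": "MZ",
    "Program Files/Common Files/readme.txt": "skipped by path rule",
    "Windows/System32/drivers/etc/hosts": "127.0.0.1 localhost",
    "Users/bob/Desktop/shortcut.lnk": "L",
    "Users/bob/Desktop/photo.jpg.____xratteamLucked": "dummy ciphertext",
}


def build_sample_tree(root, layout=SAMPLE_TREE):
    """Write the constructed layout under `root`."""
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Create the constructed tree in a temp dir, triage it, return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for label, paths in run_demo().items():
        print(f"{label}: {paths}")
```

Point triage() at a mounted image or a share root on a real case; the "at_risk" bucket is where files that survived (the attack was interrupted, or they were restored from backup) show up, and the "ransom_note" bucket maps which directories the malware reached.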

The TeamXRat ransomware very likely deletes the Shadow Volume Copies on the Windows system, so restoring from them is worth trying but may fail. After encryption the ransomware deletes some of the files it came from, including the payload file. Continue reading, and down below you will see how to remove the virus completely and what you can try in order to decrypt your files.

Remove TeamXRat Virus and Restore .___xratteamLucked Files

If your computer has been infected with the TeamXRat ransomware cryptovirus, removing it requires some experience with malware removal. Get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. Then check the ways you can try to recover your files in the step titled 2. Restore files encrypted by TeamXRat, or wait to see whether an official decrypter is released.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
