A new ransomware virus spreads through the Remote Desktop Protocol (RDP) found on many computer systems. Its real name is Xpan, but many victims and some researchers refer to it as TeamXRat ransomware. The name TeamXRat comes from the cybercriminals who developed the ransomware and left their name in the ransom note as signature. The extension .___xratteamLucked is appended to files which get encrypted.
The ransomware originates from Brazil, but residents of other countries may get infected as well. To remove the virus and see how you can decrypt your files, read this article carefully.
|Short Description||The ransomware distributes by exploiting weak passwords in the Remote Desktop Protocol (RDP). From there is loads the Xpan Trojan horse and infects the files on a compromised PC.|
|Symptoms||The virus will append the .___xratteamLucked extension to the files, which it encrypts.|
|Distribution Method||Targeted Attacks, Remote Desktop Protocol (RDP)|
|Detection Tool|| See If Your System Has Been Affected by TeamXrat |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss TeamXrat.|
TeamXRat Virus – Infection
The TeamXRat virus is unique in the way it infects compared to other ransomware viruses. It utilizes targeted attacks, by brutе forcing servers via the Remote Desktop Protocol (RDP). The Windows Operating System has a Remote Desktop Connection implemented in it and it may be turned on by default. Other operating systems also have an equivalent program running the same protocol, which makes it viable for a hacker attack. Once a weak password is cracked with the brute-forcing method, it is immediately exploited. The Xpan ransomware Trojan is being installed after the hackers manually set off the Anti-virus software found on the server they have entered.
However, it is not excluded for the TeamXRat virus to be spread in other ways. Some of these ways include malicious spam e-mail campaigns or using networks like social media or file-sharing services. On there a malicious file containing the payload of the malware could be placed. If you interact with it, especially by executing it, your whole computer machine will get encrypted. Before opening files with an unknown origin, perform checks on them for their signatures, size, and also scan them with a security tool. You should see more tips for ransomware prevention in our forum thread.
TeamXRat Virus – Information
The Xpan Trojan virus is what many people have dubbed TeamXRat. That is largely due to the fact that this ransomware had the signature TeamXRat in its ransom note and on the wallpaper it sets after file encryption. The ransomware is developed by the Brazilian criminals identifying themselves as TeamXRat or CorporacaoXRat (CorporationXRat). Although the virus originates from Brazil and most compromised computers are in Brazil, people from other countries have also fallen victim to this cyber threat.
The cybercriminals TeamXRat have developed other ransomware before, which is known as the Xrat ransomware (Xorist). They have improved their newest ransomware with a stronger encryption algorithm.
The ransomware uses creates the following sub-key in the Windows Registry:
After that the following Registry entries are created in the above mentioned sub-key:
→HKEY_CLASSES_ROOT\.____xratteamLucked\”Default” = “Criptografado!!”
→HKEY_CLASSES_ROOT\.____xratteamLucked\DefaultIcon\”Default” = “%SystemDrive%\System32\shell32.dll,47”
→HKEY_CLASSES_ROOT\.____xratteamLucked\shell\open\command\”Default” = “[DOS SCRIPT]”
From the registry entries above, a script will be initiated to start from a .DLL file. On top of it all, the following processes (marked with .exe) and services will be stopped by the ransomware:
In the end, the following file with the payment instructions is created:
→[PATH OF ENCRYPTED FILES]\Como descriptografar os seus arquivos.txt
The file is written in Brazillian Portuguese and looks like this:
Another change you might notice is that your desktop wallpaper will be changed with this picture:
They write about the encryption algorithm which is used, demand one Bitcoin for payment and the e-mail addess xRatTeam@mail2tor.com is given for you to contact the cyber crooks.
Do not even think of paying the malware makers as nobody can guarantee you will get your files back after successful payment. The money will undeniably be used for financially supporting further criminal activity, like the development of a new ransomware or even worse.
All encrypted files will have the extension .___xratteamLucked or .____xratteamLucked appended to them. The ransomware uses a 255 character password and the RSA 2048-bit encryption algorithm with 256-bit AES ciphers to encrypt files. Usually we list the file types, which are encrypted by such a cryptovirus, but this time you can see the file types which are not encrypted, because they are added into an exception list:
→.exe .dll .lnk .bat .ini .msi .scf
Here is a full list containing all file paths that are excluded from encryption:
The TeamXRat ransomware is very likely to delete the Shadow Volume Copies found on your Windows operating system. After encryption the ransomware deletes some of the files it originates from, including the payload file. Continue reading and down below you will see how to remove the virus completely and what you can try to decrypt your files.