Cyber-criminals behind the e-mail [email protected] have begun to demand 2 BTC from users via a ransomware virus dubbed “!XTPLOCK5.0” after the string in its ransom note. Malware researchers such as Michael Gillespie believe that this ransomware is a variant of the notorious DMALocker ransomware. After encryption, !XTPLOCK5.0 leaves behind a ransom note in the form of a .txt file named “cryptinfo.txt”. The note aims to “motivate” affected users to pay the ransom of 2 BTC (around 1300 USD at the time of writing) in order to get their files back. Anyone infected by this ransomware should not pay the ransom under any circumstances: doing so not only funds the cyber-criminals but also gives no guarantee that the files will be returned. Instead, we recommend following the information in this article to remove the !XTPLOCK5.0 threat completely and trying alternative methods to restore your files until malware researchers come up with a decryption solution, which we will post on this page.
| Threat Summary | |
|---|---|
| Short Description | A cryptovirus that encrypts files on the compromised computer and then demands a ransom payment of 2 BTC to decrypt them. |
| Symptoms | The !XTPLOCK5.0 ransomware encrypts all files with strong encryption and then leaves a “cryptinfo.txt” ransom note. |
| Distribution Method | Spam e-mails, e-mail attachments |
| Detection Tool | See If Your System Has Been Affected by !XTPLOCK5.0 (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss !XTPLOCK5.0. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may not recover all of the encrypted files, only some of them, depending on the situation and on whether or not you have reformatted your drive. |
!XTPLOCK5.0 – How Is It Distributed
Like DMALocker, the !XTPLOCK5.0 malware may spread via malicious third-party web links advertised by adware-type third-party applications already present on an affected computer. It might also be distributed via malicious e-mail attachments and malicious web links posted online. Such spam messages may imitate legitimate messages from well-known services, such as LinkedIn, Facebook, banks or government institutions. The e-mail attachments may contain various elements, such as convincing text and fake buttons that lead to suspicious web links and may cause browser redirects. This is why it is strongly advisable to use external mail software with spam blockers, like Microsoft Outlook, Thunderbird or others.
!XTPLOCK5.0 – More Information
The ransomware, one name for which is !XTPLOCK5.0, is believed to create the following files upon infection:
After creating those files, the virus may add a custom registry entry so that the malicious executable runs at Windows boot and begins encrypting files straight away. The targeted key for this is:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"cssys" = "%User'sProfile%\ntserver.exe"
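The following PowerShell script is an added example, not part of the original article, showing how a defender can audit the per-user Run key for the persistence entry described above. The value name "cssys" and the file name "ntserver.exe" come from the article; the "executable under the user profile" heuristic is a generic check added here, not a claim the article makes.

```powershell
# Added example: audit HKCU Run autostart entries for the persistence pattern
# described in the article. "cssys" and "ntserver.exe" are the article's
# indicators; the user-profile location check is a generic heuristic.
$runKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$knownBadNames = @('cssys')
$knownBadFiles = @('ntserver.exe')

function Get-SuspiciousRunEntries {
    param([string]$Path = $runKey)
    if (-not (Test-Path $Path)) { return @() }
    $item = Get-ItemProperty -Path $Path
    # Get-ItemProperty adds provider metadata properties; skip those.
    $skip = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($prop in $item.PSObject.Properties) {
        if ($skip -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        # Strip surrounding quotes and trailing arguments to isolate the executable path.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $reasons = @()
        if ($knownBadNames -contains $prop.Name) {
            $reasons += 'value name matches article indicator'
        }
        if ($knownBadFiles -contains [IO.Path]::GetFileName($exe)) {
            $reasons += 'file name matches article indicator'
        }
        if ($exe -like "$env:USERPROFILE*") {
            $reasons += 'autostart executable lives under the user profile'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $prop.Name
                Command = $cmd
                Exe     = $exe
                Exists  = Test-Path -LiteralPath $exe
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Once a flagged entry has been confirmed as malicious (and the referenced file preserved for analysis), it can be removed with `Remove-ItemProperty -Path $runKey -Name 'cssys'`.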