.zXz File Virus (RanRan) – Decrypt Files and Remove - How to, Technology and PC Security Forum | SensorsTechForum.com

.zXz File Virus (RanRan) – Decrypt Files and Remove

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Article created to help remove the RanRan ransomware infection and decrypt files encrypted by the virus.

A very unique ransomware infection has been detected by malware researchers. The virus also dubbed RanRan encrypts files on the computers it infects, just like most ransomware viruses out there do. However, this virus is more than that – it is also politically motivated malware that aims to get the victim to publicly admit he or she is hacked by creating a subdomain and agree with political terms. These terms are against the leader of Saudi Arabia, King Salman bin Abdulaziz Al Saud. Despite this, the virus has also been detected to infect in the Philippines, besides Saudi Arabia, which means it may further spread onto multiple different locations. In case your system has been infected by RanRan ransomware using the .zXz file extension, we advise you to read the following article.

Threat Summary

Name.zXz RanRan
TypeRansomware, Cryptovirus
Short DescriptionThe RanRan ransomware encrypts your data and then displays a ransom message with instructions for payment.
SymptomsSage ransomware encrypts the files and adds the .zXz file extension. A ransom note is dropped on the desktop with politically-motivated requests..
Distribution MethodSpam Emails, Email Attachments, malicious .xls files, .htm Files, .js files, .ZIP archives
Detection Tool See If Your System Has Been Affected by .zXz RanRan


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .zXz RanRan.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

RanRan Ransomware – How Does It Infect

For the infection of this virus, the cyber-criminals behind it may have used malicious files that are uploaded on spammed e-mail messages. These messages are sent to a pre-programmed list of e-mail addresses of potential victims. The e-mails may contain different information, like the name of your account and other data to increase legitimacy. They may also pretend to be different types, for example an e-mail pretending to be suspicious activity on the PayPal account of the victim, provided there is one.

Once a misled victim opens the malicious file attachment, this ransomware infection checks for a specific mutex and if this mutex, also reported as Services 1.0 is present, the virus will stop the infection.

RanRan .zXz Virus – Further Analysis

Once an infection by RanRan ransomware is commenced, the virus dropps a file, named services.exe in the C:\ (System Drive) folder. Once this file has been dropped onto the victim PC, the virus reportedly modifies the Run and RunOnce registry keys to run the services.exe file on system boot. The sub-keys are the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

After this has been done, the virus creates multiple different files on the computer and runs the encryption.

RanRan .zXz Virus – Encryption Process

For the encryption of the files, the RanRan ransomware infection looks for multiple types of files on the computers it has infected. Most of those files are usually often used and important documents and other content:

→ .mdf .ldf .edb .pst .ost .doc .docx .pdf .xls .xlsx .ppt .pps .pptx .ppsx .accdb .mdb .zip .rar .txt .jpg .bad .epf .bdp .efp .vsd .mpp .xlt .cmd .lic .me .xlsm .war .bdr .stm .sdb .psd .eml .vdw .vdx .tar .csv .max .png .ai .dwg .dxf .7z .c .cpp .bak .ese .ashx .asmx .soap .svc .bkf .issue .sql .fmb .olb .java .webm .mkv .flv .dbf .mtb .asp .aspx .sln .cs .jar .bmp .iso .resx .exe .tar .dat .rtf .img .gz .vmdk .log .ace .kdbx .rdp .psc .bat .cfg .rmvb .3gp .swf .ipdb .db .cmsc .kmz .edx

But the virus does not just get to the encryption of the files. Before this happens, it stops processes of Databases in order to ensure successful encryption. The processes which this ransomware ends are the following:

→ MSSQLSERVER SQLWriter MSSQL$CONTOSO1 SQLServerAgent MSSQL$SQLEXPRESS Microsoft Exchange Information Store OracleASMService+ASM OracleCSService OracleServiceORCL OracleOraDb10g_home1TNSListener usermanager outlook exchange sql

The encryption of the .zXz ransomware is very innovative, but not undefeated. The ransomware uses different encryption procedure for files with different file sizes. For example, if it encrypts files up to 5 MB it will use one set of encryption keys which it generates. But if it encrypts files more than 3 GB, it will proceed with a completely different decryption key being generated.

After encryption, the RanRan virus adds the .zXz file extension to the files which are rendered no longer able to be opened by it. They may appear like the following:

After the encryption process is complete, the .zXz file virus also drops a ransom note with the following message:

Welcome to my Ransomare!
Cannot you find the files youneed?
Is the content of the files that you have watched not readable?
I want to play a game with you. Let me explain the rules:
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.
Private decryption key is stored on a secret internet server and nobody can decrypt your files until you pay and obtain the private key.
But, don’t worry!
It is normal because the files names, as well as the data in your files have been encrypted.
Do not: power off computer, run antivirus program, disable internet connection. Failures during key recovery and file decryption may lead to accidental damage on files.
In order to have relationship with us, and pay the ransom; must go the following steps.
1. Launch a subdomain named:
2. Make a txt file named:
Ransomware.txt including
“Your email address”
We will text you ASAP.”

Unlike other ransomware viruses, this one extorts users to register to a political website, which means that it is one of the few ransomware viruses with a hacktivist element in them.

Fortunately the virus is decryptable, thanks to Palo Alto malware researchers. Keep reading this article to learn how to properly get your files back for free if you have become a victim of this virus.

Remove RanRan .zXz Ransomware and Decrypt Files

Before proceeding with any removal of the RanRan ransomware, recommendations are to back up the .zXz files on another drive, just in case.

Then, we recommend following the instructions from the removal accordion below. They are specifically designed to assist with the full removal of the RanRan ransomware virus from the affected computer. For maximum effectiveness and thoroughness during removal, malware researchers often recommend downloading an advanced anti-malware program which will automatically take care of .zXz ransomware’s virus files on your computer.

After you have removed the RanRan virus, you should follow the instructions on the decryptors’s web page, created by experts at PaloAlto to get the encrypted files back:

PaloAlto Public_Tools RanRan Decryption


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share