Posted: June 15, 2018 Ransomware Description

The Ransomware is a variant of the Xorist Ransomware, a file-locker Trojan that disables your media by encrypting it. Infections also drop ransom notes as separate text files and append an additional extension to every encrypted filename. Let your anti-malware products remove the Ransomware as soon as possible, then recover your files from backups or, where the encryption allows it, with a free decryption tool.

The Xorist Ransomware is Back, and Ashamed of Its Name

The easily-configurable, 'construction kit' family of file-locking Trojans is, not surprisingly, seeing further variants from unknown threat actors. The latest version of the Xorist Ransomware, the Ransomware, has infection vectors traceable back to compromised WordPress websites, which serve it under fake names implying work-related content or invoices. Users fooled by this simple mislabeling find most of the files on their workstations encrypted as soon as they run the executable.

Although the Ransomware's family has been relatively quiet in 2018, malware experts can compare the Trojan to releases from different threat actors months apart, such as the Xorist-XWZ Ransomware, the Xorist-Frozen Ransomware, the Cryptedx Ransomware and the Blocked2 Ransomware. The file-locking Trojan's attack uses a similar, XOR-based encryption that locks Word, OpenOffice or Adobe PDF documents, GIF, JPG or BMP pictures, archives, spreadsheets, slideshows and other media. Public tools can reverse this process and decrypt the data, but they require an unencrypted original of at least one of the encrypted files (a plaintext/ciphertext pair) from which to recover the key.

For identifying infections, malware experts stress the Trojan's use of an unusually long extension on the filenames. It appends a string that amounts to nearly an entire ransom message by itself ('example.gif....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT') without removing the original extension, so the original filename can be restored simply by stripping the appended marker. Another particularly significant trait is that the Ransomware's TXT ransom note claims to be a version of the completely unrelated Cerber Ransomware family. Cerber's encryption, unlike Xorist's, is not known to be reversible without the attacker's key, so the pretense is most likely meant to discourage victims from even trying a free decryptor.
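The two paragraphs above describe the practical recovery path for this family: because the locking is XOR-based, one unencrypted original paired with its locked copy gives away the key, and because the marker is appended after the original extension, filenames can be restored mechanically. The following is an added example, not code from the original article nor any published Xorist decryptor. It models the cipher as a plain repeating-key XOR, which is the simplest reading of "XOR-based" and is an assumption; the real kit's routine (key length, any header or key blob written into the file) is not described on this page. The filenames, file contents and the 5-byte key are constructed for the demonstration.

```python
from typing import Dict, Optional, Tuple

# Appended marker, copied from the article's example filename. The sample
# adds it after the original extension without removing that extension.
MARKER = ("....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED"
          "_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE"
          "_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT")


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in (assumption) for the 'XOR-based' locking: data XOR a
    repeating key. XOR is its own inverse, so one function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plain: bytes, cipher: bytes, max_key_len: int = 256) -> Optional[bytes]:
    """Derive the repeating key from one plaintext/ciphertext pair.

    plain XOR cipher yields the keystream; the key is its shortest period.
    A period is accepted only if the pair is long enough to see it repeat at
    least twice. Otherwise any prefix would 'fit' and we would return garbage,
    which is why a 4-byte file-format header alone cannot pin down a longer key.
    """
    if len(plain) != len(cipher):
        raise ValueError("pair must be the same length (toy model: nothing appended to the file)")
    stream = bytes(p ^ c for p, c in zip(plain, cipher))
    for k in range(1, min(max_key_len, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % k] for i in range(len(stream))):
            return stream[:k]
    return None


def original_name(locked_name: str) -> Optional[str]:
    """Strip the appended marker; the original extension is still in place."""
    if locked_name.endswith(MARKER) and len(locked_name) > len(MARKER):
        return locked_name[: -len(MARKER)]
    return None


def decrypt_locked(locked: Dict[str, bytes], known_plain_name: str,
                   known_plain: bytes) -> Tuple[Optional[bytes], Dict[str, bytes]]:
    """Recover the key from the one file the victim still has an original of,
    then decrypt every marked file and map it back to its original name.
    Files without the marker are left alone."""
    key = recover_key(known_plain, locked[known_plain_name + MARKER])
    recovered: Dict[str, bytes] = {}
    if key is None:
        return None, recovered
    for lname, cdata in locked.items():
        oname = original_name(lname)
        if oname is not None:
            recovered[oname] = repeating_xor(cdata, key)
    return key, recovered


def demo() -> Tuple[Optional[bytes], Dict[str, bytes]]:
    """Constructed victim directory: two locked files plus one untouched file."""
    key = b"\x5a\x13\xc7\x88\x02"  # constructed key, unknown to the victim
    originals = {
        "invoice.docx": b"PK\x03\x04 constructed placeholder for an Office document body",
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed placeholder for JPEG data",
    }
    locked = {name + MARKER: repeating_xor(data, key) for name, data in originals.items()}
    locked["README_unrelated.txt"] = b"not encrypted"
    # The unencrypted copy the victim still holds, e.g. the invoice they e-mailed out.
    return decrypt_locked(locked, "invoice.docx", originals["invoice.docx"])
```

Two caveats carry over to real samples. First, work on copies of the locked files, as the article advises below, since a wrong key guess applied in place destroys the only ciphertext you have. Second, the Xorist builder is known to offer a TEA mode as well as XOR; a pair that does not yield a clean period under this toy model is a sign that the sample is not a simple repeating-key XOR, and the public decryptors for the family should be tried instead of this sketch.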

Avoiding the Need for Bitcoin-Bought Data Repairs

The images bundled in the Ransomware's payload suggest that its configuration may include optional features for hijacking the desktop wallpaper or generating pop-up alerts, but such symptoms usually appear only after the media has already been locked. Standard, secure backup strategies, such as cloud storage with versioning or an offline copy, are always superior to hoping that decryption of the modified content is possible or available for free. Malware experts recommend making copies of any 'locked' media before testing it against a third-party decryption tool.

The samples of the Ransomware available to malware experts so far suggest that the campaign targets business networks, although ordinary Web traffic may also be redirected without consent to the associated websites. Links to the Trojan's executables may also arrive in spam e-mails, as links in the body of the message. In every case the victim still has to download and run the file, unlike campaigns that rely on drive-by-download techniques such as those of the Nebula Exploit Kit. Anti-malware products remove the Ransomware with high detection rates, provided their threat databases are up to date.

The Ransomware lies to its victims to collect Bitcoin ransoms more readily. It isn't the only file-locker Trojan to do so, but its recent appearance shows that the hoax apparently remains profitable against PC users who don't know any better.
