
Repair_data@cryptmail.com Ransomware

Posted: June 15, 2018

The Repair_data@cryptmail.com Ransomware is a variant of the Xorist Ransomware, a file-locker Trojan that encrypts your media to make it unusable. Infections also drop ransom notes as separate text files and append an additional extension to the filenames. Let your anti-malware products remove the Repair_data@cryptmail.com Ransomware as soon as possible, and use an appropriate backup-restoration or free decryption strategy to get your files back.

The Xorist Ransomware is Back, and Ashamed of Its Name

This easily configurable, 'construction kit' family of file-locking Trojans is, not surprisingly, still spawning new variants from unknown threat actors. The latest version of the Xorist Ransomware, the Repair_data@cryptmail.com Ransomware, has infection vectors traceable back to compromised WordPress websites, which drop it under fake names implying that it's work-related content or invoices. Any user fooled by this simple mislabeling trick may lock most of the files on their workstation by running the executable.

Although the Repair_data@cryptmail.com Ransomware's family has been relatively quiet in 2018, malware experts can compare the Trojan to releases from different threat actors months apart, such as the Xorist-XWZ Ransomware, the Xorist-Frozen Ransomware, the Cryptedx Ransomware and the Blocked2 Ransomware. The file-locking Trojan's attack uses a similar XOR-based encryption that locks Word, OpenOffice and Adobe PDF documents, GIF, JPG and BMP pictures, archives, spreadsheets, slideshows and other media. Public tools can reverse this process and decrypt the data, but they require a non-encrypted copy of at least one encrypted file.

To identify Repair_data@cryptmail.com Ransomware infections, malware experts stress the Trojan's use of an unusually long filename extension. It appends a string that by itself amounts to nearly a complete ransom message ('example.gif....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT') without removing the original extension. Another particularly significant trait of the Repair_data@cryptmail.com Ransomware's TXT ransom note is that it pretends to be a version of the completely unrelated Cerber Ransomware family, which uses notably secure encryption compared to the Xorist Ransomware family.
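The two traits above (the appended ransom-message suffix and the recoverability of a repeating-key XOR locker from one unencrypted copy) are illustrated in this added example; it is not the Trojan's code or any public decryptor, and the key length, key bytes and sample files are constructed for the demonstration rather than taken from Xorist itself.

```python
"""Added illustration: recognising the ransom-message suffix the page reports,
and why one known-plaintext pair is enough to undo a repeating-key XOR locker.
The key, key length and file contents are constructed; the real Xorist key
schedule is not reproduced here."""

# Suffix quoted on the page; the Trojan appends it after the original extension.
SUFFIX = ("....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED"
          "_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE"
          "_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT")


def is_marked(filename: str) -> bool:
    """True if the filename carries the ransom-message suffix (an IoC for triage)."""
    return SUFFIX in filename


def original_name(filename: str) -> str:
    """The original extension is kept, so everything before the suffix is the old name."""
    idx = filename.find(SUFFIX)
    return filename if idx < 0 else filename[:idx]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: locking and unlocking are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_len(plaintext: bytes, ciphertext: bytes, max_len: int = 64):
    """plaintext ^ ciphertext is the key stream; its shortest period is the key length."""
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for n in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return None


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: key[i] = plaintext[i] ^ ciphertext[i] for one period."""
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of both copies")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def demo() -> dict:
    """Lock two constructed files, recover the key from one backup copy, unlock the other."""
    key = b"\x3b\xa7\x19\x5e\xc2\x80\x41\x77"               # constructed key
    picture = b"GIF89a" + bytes(range(64))                   # constructed 'image'
    report = b"%PDF-1.4\n% constructed document body " * 3  # constructed 'PDF'
    locked_picture, locked_report = xor_with_key(picture, key), xor_with_key(report, key)
    n = guess_key_len(picture, locked_picture)               # backup copy of one file
    found = recover_key(picture, locked_picture, n)
    return {"key_ok": found == key,
            "report_ok": xor_with_key(locked_report, found) == report,
            "name": original_name("example.gif" + SUFFIX)}
```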

Avoiding the Need for Bitcoin-Bought Data Repairs

Although the images in the Repair_data@cryptmail.com Ransomware's payload imply that its configuration may offer optional features for hijacking the desktop wallpaper or generating pop-up alerts for its victims, these symptoms usually occur only after the media is already locked. Standard, secure backup strategies, such as using cloud services, are always superior to hoping that decryption of any modified content is possible or available for free. Malware experts recommend creating copies of any 'locked' media before testing its decryption potential with a third-party tool.

The samples of the Repair_data@cryptmail.com Ransomware available to malware experts so far also imply that the Trojan's campaign targets business networks, although random Web traffic may also be redirected without consent to the associated websites. Links to downloadable executables of this Trojan may arrive via spam e-mails, as links in the main body of the text. However, it does require consent during the download, unlike similar campaigns abusing advanced drive-by-download techniques, such as those found in the Nebula Exploit Kit. Anti-malware products remove the Repair_data@cryptmail.com Ransomware with overwhelmingly positive detection rates, assuming the latest threat databases are in use.

The Repair_data@cryptmail.com Ransomware lies to its victims to collect Bitcoin ransoms all the more readily. It isn't the only file-locker Trojan to do so, but its recent date shows that the hoax seemingly remains profitable against PC users who don't know any better.
