
XeroWare Ransomware

Posted: July 13, 2018

The XeroWare Ransomware is a file-locking Trojan that uses code from Hidden Tear for encrypting your media. Attacks by this threat also provide ransoming messages and claim that it can delete your files, although such features aren't standard aspects of HT, and malware experts have yet to confirm their addition here. Many anti-malware products identify variants of Hidden Tear without any issues and should remove the XeroWare Ransomware instantly, but having a secure backup is recommended for saving your files from all non-consensual encryption attempts.

A Zero of a Trojan is Starting Out at 1.2

A new build of Hidden Tear, the XeroWare Ransomware, is just becoming identifiable in early July. The only update that malware experts are detecting in this variant of Utku Sen's freeware project is, as usual, the new ransoming message, which redirects any cryptocurrency payments to the new threat actors. However, the XeroWare Ransomware also maintains the occasionally-seen tradition of file-locker Trojans that lie about their attack capabilities and potential dangers.

The XeroWare Ransomware is a Windows-based program whose executable is under two hundred kilobytes, making it relatively easy to distribute and bundle with other downloads. Version '1.2' is the first sample of this threat that malware experts are identifying; it uses Hidden Tear's AES-based encryption routine and, accordingly, can 'lock' various file types, such as MP3s, Word DOCs, JPGs, GIFs and others. Microsoft Office-associated media is highly vulnerable due to being included in most variants of the Hidden Tear filter list and the lists of similar Trojan families.

The XeroWare Ransomware appends '.XERO' extensions onto the above files (using a format such as 'example.gif.XERO') and also creates a Notepad TXT file on the user's desktop. Malware analysts aren't connecting the note with any similar file-locker Trojan attacks, and it may be unique to this threat. Besides a four-day timer on the ransom for the threat actor's unlocking help, this message also claims that the Trojan will delete the files 'if you try anything.' Such a data-deleting feature, while reminiscent of some families, such as the Jigsaw Ransomware, is not a default function of Hidden Tear, and the reference here is an apparent bluff.
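As an added illustration of how a responder might inventory the artifacts described above (example code written for this page, not the Trojan's or any vendor's tool), the following Python script walks a directory, lists files carrying the appended '.XERO' extension with their recovered original names, and flags TXT files in a Desktop folder as ransom-note candidates. The sample directory tree and the note file name it uses are constructed placeholders, since the write-up does not name the note.

```python
# Added triage example (not the malware's or any vendor's code): inventory
# files carrying the appended '.XERO' extension and recover original names.
import os
import tempfile
from pathlib import Path
from typing import Optional, Union

XERO_SUFFIX = ".XERO"  # extension the write-up reports being appended
# Media types the write-up names as typical Hidden Tear filter-list targets.
TARGET_EXTENSIONS = {".mp3", ".doc", ".docx", ".jpg", ".gif"}

def original_name(path: Union[str, Path]) -> Optional[str]:
    """'example.gif.XERO' -> 'example.gif'; None if the file is not marked."""
    path = Path(path)
    if path.suffix != XERO_SUFFIX:
        return None
    return path.name[: -len(XERO_SUFFIX)]

def scan_tree(root: Path) -> dict:
    """Walk `root`; summarise encrypted files and Desktop TXT note candidates."""
    originals, by_type, notes = [], {}, []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # The write-up says the note is a TXT file placed on the desktop
            # but does not give its name, so any Desktop TXT is a candidate.
            if p.parent.name == "Desktop" and p.suffix.lower() == ".txt":
                notes.append(str(p))
            orig = original_name(p)
            if orig is None:
                continue
            originals.append(orig)
            ext = Path(orig).suffix.lower()
            by_type[ext] = by_type.get(ext, 0) + 1
    return {
        "encrypted_count": len(originals),
        "originals": sorted(originals),
        "target_types_hit": sorted(e for e in by_type if e in TARGET_EXTENSIONS),
        "note_candidates": sorted(notes),
    }

def make_sample_tree() -> Path:
    """Constructed post-infection layout for demonstration only."""
    root = Path(tempfile.mkdtemp(prefix="xero_demo_"))
    for rel in ("Documents/report.docx.XERO", "Documents/song.mp3.XERO",
                "Pictures/photo.gif.XERO", "Pictures/untouched.png",
                "Desktop/NOTE_PLACEHOLDER.txt"):  # note name is a placeholder
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"constructed sample content")
    return root
```

Running `scan_tree(make_sample_tree())` on the constructed tree reports three encrypted files, the three original names, the target types hit, and one note candidate.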

Making the XeroWare Ransomware's Name Fit Its Profit Margins

Even victims who pay the Bitcoin fee that the XeroWare Ransomware requests within the four-day limit may not receive any form of decryption help from the threat actor, who can accept and spend the cryptocurrency at will. Hidden Tear's family, which includes recent threats like the Boris HT Ransomware and the KwaakLocked Ransomware, along with much older ones, such as the DevNightmare Ransomware and the Hollycrypt Ransomware, is frequently compatible with free decryption programs. Victims can test copies of their encrypted media with these decryptors or recover them through safe backups on other devices, which malware experts recommend as the best solution.

As a clone of Hidden Tear, the XeroWare Ransomware is entirely functional, but malware researchers have insufficient evidence for any conclusions on how it's gaining access to Windows PCs. These attacks could come from spam e-mail attachments, brute-force hacks of login credentials or mislabeled downloads (especially for pirated media). However, Hidden Tear's family has a minimum of code obfuscation or other defenses, and many anti-malware programs can delete the XeroWare Ransomware automatically, like the previous variants of its family.

Without a definite price on its ransom demands and a fake deletion feature, the XeroWare Ransomware may seem like a questionable danger to your computer. However, any version of Hidden Tear, no matter how trivial, can turn your files into wastelands of unrecoverable data.
