XiaoBa Ransomware

Posted: October 30, 2017

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	166

First Seen:	October 30, 2017
Last Seen:	May 2, 2022
OS(es) Affected:	Windows

The XiaoBa Ransomware is a Chinese Trojan that locks the files of your PC with a combination of the AES and RSA encryptions. At the same time, the Trojan also may display pop-ups asking for ransoms, change cosmetic features like the Windows wallpaper, or disable some security and data storage features. Many anti-malware programs should eliminate the XiaoBa Ransomware safely from your computer, and malware experts particularly recommend doing so preemptively since this threat may cause irreparable data loss.

A Tour of Asia's Next File-Ransoming Problem

Trojans with features for harming data, withholding it from its owner, or turning it into profit by various methods, are a universal security issue for virtually any PC user on any prominent operating system. The XiaoBa Ransomware is a late sample for October showing that China is just as vulnerable as regions like Brazil or North America, although its language settings suggest that the author may not be Chinese, himself necessarily. Flaws in its file-locking feature appear to be limited, and malware experts warn that any content that the XiaoBa Ransomware blocks may be left in an unusable state indefinitely.

The XiaoBa Ransomware's payload includes some currency conversion errors and, unlike most Chinese-based threats, uses Traditional Chinese settings, instead of Simplified Chinese. These discrepancies are standouts from the rest of the XiaoBa Ransomware's features, which include more standard attacks, such as:

The XiaoBa Ransomware blocks various formats of data on the PC, such as text documents or images, by encoding them with an AES-128 algorithm. It also prevents the victim from retrieving the code with a second, RSA-2048 one. While it locks your files, the XiaoBa Ransomware adds an extensible name tag that includes a number (of up to 34) and the '.XiaoBa' string. 'XiaoBa' translates roughly to 'minibus.'
The XiaoBa Ransomware also suppresses boot-up error messages while installing itself, which can prevent Windows from alerting the user of the infection.
The Trojan also will erase any local, Shadow Copy-based backups for the media that it blocks, thereby removing a default recovery solution for victims in need of restoring the locked content.
Malware experts also are seeing different formats of ransom notes on display through the XiaoBa Ransomware, including advanced Web pages, separate pop-ups, and a BMP image that the XiaoBa Ransomware adds to the desktop's background.

The XiaoBa Ransomware asks for Bitcoins to give the victims a decryption key to unlock their media. Since the Trojan's messages provide erroneous currency data, the exact quantity of the ransom remains questionable, although malware experts recommend that you not pay, regardless.

Stepping Off the Bus to Bitcoin Poverty

Like the LockLock Ransomware and other, Chinese-based threats, the XiaoBa Ransomware seems to be conducting a campaign not targeted at victims carefully, such as corporate entities, who would be willing to make high payouts to recover entire servers' worth of data. Casual PC users are more likely of being at risk from this threat, which may damage documents, audio, spreadsheets, pictures, and other, common-use formats of files broadly. Keeping additional backups on drives that the XiaoBa Ransomware is incapable of damaging is the primary, recommended procedure for reducing this Trojan's danger levels to any local media.

The XiaoBa Ransomware may compromise a PC by pretending to be a safe attachment on an e-mail message, circulate as a fake, pirated download for a product (such as a triple-A video game) or take advantage of the help of other threats such as another threat actor's exploit kits. Having your anti-malware products scanning new downloads to remove the XiaoBa Ransomware immediately, deactivating unsafe content like macros or JavaScript, and avoiding risky sites can mitigate most forms of exposure to file-locking Trojans.

The XiaoBa Ransomware's foibles don't include any definite issues with its data-locking feature, which uses a traditional, secure cryptography strategy. Whether or not the XiaoBa Ransomware ever smooths out its ransom rates or communication issues, it can be a real and long-term problem for most files types that users would be likely of saving on their computers.

Technical Details

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\..\..{RegistryKeys}Software\Microsoft\Windows\CurrentVersion\Run\XiaoBa