
Xmail@cock.li Ransomware

Posted: June 14, 2018

The Xmail@cock.li Ransomware is a file-locking Trojan of the Scarab Ransomware family, which conducts AES-based encryption attacks against various forms of digital media, such as documents. Victims of a successful infection should test the compatibility of free decryption tools on copies of any 'locked' files for recovering them or, ideally, restore from a backup. In most circumstances, a traditional anti-malware application should uninstall the Xmail@cock.li Ransomware or delete its initial installer without issue.

The Hidden Mark of Another Threat Actor's File-Ransoming Crimes

Despite being a year-old family, the Scarab Ransomware remains popular enough with various threat actors that malware researchers continue noting new releases and minor variations of the file-locking Trojan. Old versions, such as the Scorpio Ransomware or the Scarabey Ransomware, and recent ones like the Scarab-XTBL Ransomware, the Scarab-Horsuke Ransomware, and the Xmail@cock.li Ransomware alike include features sufficient for locking many types of data on a PC permanently. The Xmail@cock.li Ransomware version, which is the most recent to date, also continues the usual tradition of lying to its victims.

The Xmail@cock.li Ransomware uses AES encryption against different formats of media, ranging from Word documents to JPG pictures and others, without creating a user interface or other detectable symptoms during its attack. One distinction between the Xmail@cock.li Ransomware and other members of the Scarab Ransomware's family is how it implements its 'file marker,' an internal data string that 'marks' different media types as being captive. It inserts this extra element in addition to the encryption, which may be the threat actors' attempt to prevent current decryption software from helping the victims retrieve their digital belongings.

Equally notable are the 'TXT' format ransoming instructions that the Xmail@cock.li Ransomware creates, which use a template that malware experts also link to old versions of the Scarab Ransomware. Besides changing some of the communication credentials for negotiations, there are no noteworthy alterations, but the Xmail@cock.li Ransomware does continue issuing misleading statements implying that its encryption routine uses unbreakable RSA ciphers.
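The two observable traces the preceding paragraphs describe, AES-encrypted media that no longer looks like its original format and a dropped 'TXT' ransom note carrying the Xmail@cock.li contact, are what a defender can hunt for on a suspect machine. The following Python scanner is an added example written for this page, not code from the original write-up or from any analysis of the Trojan: it flags files whose byte entropy approaches what a block cipher produces, files ending in a marker string, and text notes naming the contact address. The marker value `SCARAB-MARK` is a placeholder assumption; the real internal marker is not published on this page, and the sample files are constructed in a temporary directory so the script runs offline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

ENTROPY_THRESHOLD = 7.5  # bits per byte; AES ciphertext sits close to the 8.0 maximum
# Contact address quoted in the ransom note template described on the page.
NOTE_INDICATORS = (b"xmail@cock.li",)
# ASSUMPTION: placeholder for the family's internal 'file marker'; the real string is not on the page.
HYPOTHETICAL_MARKER = b"SCARAB-MARK"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for plain, repetitive text; ~8.0 for ciphertext)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: Path) -> Optional[str]:
    """Return a verdict for one file, or None when nothing looks ransomware-related."""
    data = path.read_bytes()
    # 1. Ransom note: a small text file that names the criminals' contact address.
    if path.suffix.lower() == ".txt" and any(ind in data.lower() for ind in NOTE_INDICATORS):
        return "ransom_note"
    # 2. Marked file: the Trojan appends its marker after encrypting the content.
    if data.endswith(HYPOTHETICAL_MARKER):
        return "marked_encrypted"
    # 3. Unmarked but cipher-like content; short files are skipped to avoid noisy estimates.
    if len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high_entropy"
    return None


def scan_directory(root) -> Dict[str, str]:
    """Walk a tree and collect {file name: verdict} for every flagged file."""
    results: Dict[str, str] = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            verdict = classify_file(p)
            if verdict:
                results[p.name] = verdict
    return results


def build_sample_tree() -> str:
    """Constructed sample data: one clean memo, two 'encrypted' files, one ransom note."""
    root = tempfile.mkdtemp(prefix="scarab_demo_")
    (Path(root) / "memo.txt").write_bytes(b"Quarterly planning memo. " * 200)
    (Path(root) / "photo.jpg").write_bytes(os.urandom(4096) + HYPOTHETICAL_MARKER)
    (Path(root) / "budget.xlsx").write_bytes(os.urandom(4096))
    (Path(root) / "HOW TO RECOVER.txt").write_bytes(
        b"Your files are encrypted with RSA. Contact Xmail@cock.li to buy the decryptor."
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for name, verdict in scan_directory(sample_root).items():
        print(f"{verdict:17} {name}")
```

Two caveats matter when running this against real data. Legitimately compressed formats (JPG, DOCX, ZIP) already have entropy near the threshold, so the `high_entropy` verdict is a triage signal to combine with modification timestamps and the presence of a note, not proof of encryption on its own. And because this family's marker is inserted alongside the encryption, copies of flagged files should be preserved untouched for testing with free decryptors, as the write-up recommends, rather than cleaned up by the scanner.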

Preserving Your Files against Getting 'X'ed Out

The Xmail@cock.li Ransomware includes all of the risks of threats like the Scarab-Osk Ransomware, the Scarab-Oblivion Ransomware, and other threat actor-specific updates of the Scarab Ransomware family: blocking files until the victims pay the ransom and then, potentially, refusing to provide the decryption software that they paid for. Users without any backups for a simple, non-decryption-based restoration should contact members of the anti-malware industry with histories of analyzing threats of this category for testing the compatibility of all free, publicly-available decryptors.

The criminals who use personal variants of file-locking Trojan families may favor particular distribution strategies, but some methods are more archetypal than others. Brute-forcing the users' login combinations and delivering disguised e-mail spam attacks are two of the techniques that malware analysts see most often, although others are possible. Unless the threat actor drops the threat manually via remote, backdoor access to your PC, your anti-malware programs should detect and delete the Xmail@cock.li Ransomware immediately.

The relatively small tweak to the Xmail@cock.li Ransomware's file-locking feature isn't significant on a technical level, but on a strategic one, it shows how under-the-hood changes can affect a data-recovery solution. PC users uninterested in dealing with such stumbling blocks have all the more reason to make a backup and update it daily.
