
Xorist Ransomware

Posted: April 13, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 105
First Seen: April 13, 2016
Last Seen: September 15, 2020
OS(es) Affected: Windows

The Xorist Ransomware is a file encryptor built on a kit-builder model that a variety of third-party con artists can use. Because individual builds of the Xorist Ransomware can differ from each other in various details, including which files they encrypt, you should use your anti-malware tools to confirm the presence of this threat and, if needed, remove the Xorist Ransomware. In spite of its semi-flexible attributes, the Xorist Ransomware has no defense against the usual data protection strategies that malware experts suggest, such as USB backups.

A File Ransom Launched by a Thousand Would-Be Ransomers

Not all con artists are interested in building and deploying specialized threats. Some prefer to cater to the numerous would-be fraudsters who lack any coding talent but still wish to take advantage of threatening software, such as file encryptors and desktop lockers. As one example, malware researchers can point to the recent campaign of the Xorist Ransomware, which is built with a simple kit. Using the kit requires no investment other than paying the original team for the privilege, but it can generate a new threat that differs drastically from other versions of the Xorist Ransomware.

The Xorist Ransomware operates on a fundamentally similar level to other, primitive file encryptors. The Xorist Ransomware targets files of particular formats, encrypts them (an algorithm-based data modification that makes the file nonfunctional), and then displays a ransom message to its victims, who are asked to pay a fee before getting their data back. Malware researchers found no other, advanced features among the Xorist Ransomware's payloads, such as the file-deleting feature infamously included in the Jigsaw Ransomware.

Examples of features that the Xorist Ransomware's builder UI may let con artists modify include:

  • The Xorist Ransomware may target different file types, such as MP3, TXT, XLS or DOC.
  • Your desktop may lock itself to an unusual image (in most cases, a ransom note).
  • The Xorist Ransomware may drop customizable text files including additional instructions in pertinent directories.
  • The Xorist Ransomware may use one of two distinct encryption formats, either XOR or TEA.
  • Encrypted files may use an arbitrary extension, such as '.p5tkjw.' The string choice doesn't have a direct relationship with the type of encryption, although it does help victims to identify which files fall under the Xorist Ransomware's target parameters.

Regardless of the build of the Xorist Ransomware in use, the principle of each infection remains constant: con artists coerce PC owners into paying to regain the data they already own.

Being the Exorcist to the Xorist Ransomware Attacks

Most of the Xorist Ransomware's mutable qualities only serve to make it harder to identify individual infections as members of this threat's family. Others, however, such as the choice of which files to encrypt, have a very real impact on how the Xorist Ransomware damages your PC and the information on it. Most attacks in this classification are easily manageable by PC users who back their files up on a regular basis and make good use of available resources, such as USB storage and cloud servers. Researchers in the PC security industry have also made breakthroughs in decrypting files freely for those who lack any alternatives.

The Xorist Ransomware's kit does not include a built-in distribution method. Criminals are expected to supply their own installation strategies, which prevents our malware analysts from perfectly predicting the Xorist Ransomware's delivery methods. PC owners who block in-browser scripts, update their software and scan questionable file attachments are at minimal risk from most malware-delivering exploits. In cases where this threat succeeds in installing itself, always remove the Xorist Ransomware with an anti-malware tool before you recover your encrypted files.

Update January 7th, 2019 — BooM Ransomware

The BooM Ransomware is a low-quality file-locker that may cause some trouble because its author has implemented a very basic, but working file-encryption algorithm. According to cybersecurity researchers, the BooM Ransomware is part of the Xorist Ransomware family – a series of file-lockers that use an encryption routine that may often be deciphered easily. Thankfully, this is the case with the BooM Ransomware, and malware researchers have already managed to develop a free decryption technique.
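To show why a repeating-key XOR routine, one of the two encryption options the builder offers above, "may often be deciphered easily", here is an added example that is not code from this page, from Xorist, or from any of its builds. It recovers the key from the known magic bytes of locked files and unlocks them; for the sake of the example it assumes a build locks every file with one fixed key, and the '.p5tkjw' extension from the page, the magic-byte table, the key and the sample files are all constructed.

```python
from itertools import cycle

# Magic bytes of formats the text names as targets (table constructed for this
# example; DOC and XLS share the OLE2 compound-file header, MP3 assumes ID3v2).
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".mp3": b"ID3",
}
RANSOM_EXT = ".p5tkjw"  # arbitrary extension quoted on the page

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine both locks and unlocks."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(locked: dict, key_len: int):
    """Known-plaintext recovery. locked maps 'name.ext.p5tkjw' -> ciphertext.
    ciphertext[i] ^ magic[i] == key[i], so each file's known header leaks the
    first len(magic) key bytes; with one key per build (assumed here) the
    fragments from different formats merge. Returns None if any key byte is
    never covered, e.g. only 3-byte 'ID3' headers against an 8-byte key."""
    key = [None] * key_len
    for name, ct in locked.items():
        if not name.endswith(RANSOM_EXT):
            continue
        orig_ext = "." + name[: -len(RANSOM_EXT)].rsplit(".", 1)[-1].lower()
        for i, (c, p) in enumerate(zip(ct[:key_len], MAGIC.get(orig_ext, b""))):
            if key[i] is not None and key[i] != c ^ p:
                raise ValueError(f"{name}: key byte {i} conflicts with another file")
            key[i] = c ^ p
    return None if None in key else bytes(key)

def unlock_all(locked: dict, key_len: int) -> dict:
    """Strip the ransom extension and decrypt with the recovered key."""
    key = recover_key(locked, key_len)
    if key is None:
        raise ValueError("not enough known plaintext to recover the whole key")
    return {n[: -len(RANSOM_EXT)]: xor_stream(ct, key) for n, ct in locked.items()}

# Constructed sample: two victim files locked with one 8-byte key.
SAMPLE_KEY = b"k3y!XoR\x7f"
SAMPLE_PLAIN = {
    "budget.xls": MAGIC[".xls"] + b"\x00" * 8 + b"sheet data",
    "song.mp3": MAGIC[".mp3"] + b"\x03\x00" + b"frame bytes",
}
SAMPLE_LOCKED = {n + RANSOM_EXT: xor_stream(p, SAMPLE_KEY) for n, p in SAMPLE_PLAIN.items()}
```

A TEA build would not fall to this trick, and a real recovery still needs the key length and confirmation that the build reuses one key, which is why victims are better served by backups and the free decryptors the text mentions.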

The authors of the BooM Ransomware certainly do not appear to be too clever, because they have included their real name and a Facebook profile in the ransom note that this file-locker drops on the victim's computer. When the BooM Ransomware executes its attack, it encrypts the contents of commonly used file formats and then adds the '.Boom' extension to the end of their names. In addition, it displays a new program window that contains a copy of the ransom note. Last but not least, the BooM Ransomware also drops a text-based ransom note in the file 'HOW TO DECRYPT FILES.txt.'

Surprisingly, the authors of the BooM Ransomware do not mention a ransom payment in the message their software drops, but it is possible that they might ask for money once they're contacted on Facebook. Thankfully, getting in touch with the authors of the BooM Ransomware may not be necessary, because a public PIN and password have been released for both versions of the BooM Ransomware:

PIN: 47848486454474431000546876341354
Password: M95r2jRwkP87rnWt1p281X1u

PIN: 34584384186746875497
Password: B3ht4w316MsyQS47Sx18SA4q

If you believe that the BooM Ransomware has attacked your computer, then we advise you to use the data above to ensure the recovery of your files immediately. Once this is done, you should use your favorite anti-malware product to remove the BooM Ransomware’s leftover files.

Technical Details

File System Modifications


The following files were created in the system:

File name: file.exe
Size: 18.02 MB (18027520 bytes)
MD5: 27def0c68ee542333a8a99995429273a
Detection count: 77
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: file.exe
Size: 7.02 MB (7022592 bytes)
MD5: 1a2bcbcf04aeb44e406cc0b12e095fb4
Detection count: 63
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: file.exe
Size: 921.6 KB (921600 bytes)
MD5: e9db7fe38dfea5668c74d6f192ae847b
Detection count: 11
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
