XPan Ransomware
Posted: April 26, 2017
Threat Metric
The fields listed on the Threat Meter that carry a specific value are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. Criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 63 |
| First Seen: | April 26, 2017 |
| OS(es) Affected: | Windows |
The XPan Ransomware is a file-encoding Trojan that locks your files by encrypting them with an AES-based cipher. Its payload also includes a message demanding a ransom in return for a decryption key, but malware experts recommend less risky recovery methods, particularly backup-based ones. Mind your network and password security to block this threat's distribution, and use anti-malware programs to delete the XPan Ransomware as soon as possible.
Short Passwords Giving Your Savings Short Shrift
Even though e-mail attachments are the favored distribution method for most file-encrypting Trojan campaigns, they aren't the only tactic available to an enterprising threat actor. More focused con artists sometimes prefer targeted attacks against specific organizations, including government offices and particular business sub-sectors. Besides e-mail, these attacks may include manual 'hacking' attempts to install threats like the XPan Ransomware.
The first phase isolates an account login that is accessible over a remote network connection, preferably one with a short or commonly used password. Using brute-force password-guessing utilities, con artists compromise the login credentials and, from there, gain wholesale system access. After that, they install the XPan Ransomware, whose payload bears strong similarities to older Trojans like NMoreira and AiraCrop.
The XPan Ransomware encrypts the system's media with a combination of AES-256 and RSA, the latter providing additional protection against decryption by third parties. Encrypted files can be recognized by the appended '.one' extension, which the XPan Ransomware shares with the One Ransomware. Another part of its payload generates a Portuguese-language Notepad message that includes a key unique to the victim's system, as well as an e-mail address for contacting the threat actor. The ensuing ransom negotiations observed by malware experts put the price of decryption at around 0.3 Bitcoins (almost 400 USD).
Taking Your Files out of the Frying Pan without Throwing Your Bitcoins in a Fire
Most victims of the XPan Ransomware aren't recreational PC users; this Trojan's ongoing attacks are most strongly connected to Brazil-based small and mid-sized businesses. Workers who don't use sufficiently complex passwords are the greatest weakness enabling this threat's installation, which relies on brute-forcing RDP logins. Passwords and other information on a compromised system should be assumed compromised and at risk of future exploitation by the XPan Ransomware's threat actors.
Keeping backups is the safest way to block Trojans like the XPan Ransomware from holding your data hostage. However, Kaspersky Labs is also hosting a free decryption solution for users without any better options. Containing and removing the XPan Ransomware with an anti-malware tool, along with re-securing the network's login credentials, should be your priority before attempting any file restoration.
The XPan Ransomware owes its decryption in part to its authors growing overconfident and distributing the threat in greater numbers than previously reported. As long as Brazil remains a focal point for similar attacks, anyone responsible for network and server management will need to watch for exploits that could lead to file-encrypting infections.
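The entry vector described above, brute-forcing an RDP login with weak credentials, leaves a recognizable trail in the Windows Security log: a burst of failed logons (Event ID 4625, logon type 10 for RemoteInteractive) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address. The script below is an added example, not code from the original article; it assumes the events have been exported as one JSON object per line with the field names shown, and the sample records embedded in it are constructed for illustration.

```python
"""Flag RDP brute-force patterns in exported Windows Security events.

Added example (not from the article). Assumed input: JSON lines carrying
EventID, TimeCreated, IpAddress, TargetUserName and LogonType. The sample
records below are constructed, not real log data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: six failures from 198.51.100.7 in about 30s,
# then a success from the same address. 10.0.0.5 is benign local activity.
SAMPLE_EVENTS = """\
{"EventID": 4625, "TimeCreated": "2017-04-26T02:00:01", "IpAddress": "198.51.100.7", "TargetUserName": "admin", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2017-04-26T02:00:04", "IpAddress": "198.51.100.7", "TargetUserName": "administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2017-04-26T02:00:09", "IpAddress": "203.0.113.9", "TargetUserName": "joao", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2017-04-26T02:00:12", "IpAddress": "198.51.100.7", "TargetUserName": "admin", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2017-04-26T02:00:15", "IpAddress": "198.51.100.7", "TargetUserName": "backup", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2017-04-26T02:00:20", "IpAddress": "10.0.0.5", "TargetUserName": "maria", "LogonType": 2}
{"EventID": 4625, "TimeCreated": "2017-04-26T02:00:22", "IpAddress": "198.51.100.7", "TargetUserName": "admin", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2017-04-26T02:00:31", "IpAddress": "198.51.100.7", "TargetUserName": "admin", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2017-04-26T02:01:40", "IpAddress": "198.51.100.7", "TargetUserName": "admin", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2017-04-26T08:30:00", "IpAddress": "10.0.0.5", "TargetUserName": "maria", "LogonType": 10}
"""

FAIL_THRESHOLD = 5            # failures from one source before we alert
WINDOW = timedelta(minutes=5) # sliding window the failures must fall in
RDP_LOGON_TYPE = 10           # RemoteInteractive (Terminal Services / RDP)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime TimeCreated, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        record["TimeCreated"] = datetime.fromisoformat(record["TimeCreated"])
        events.append(record)
    events.sort(key=lambda r: r["TimeCreated"])
    return events


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (source_ip, kind, detail) alerts.

    kind is 'burst' when a source exceeds the failure threshold inside the
    window, and 'success_after_burst' when a flagged source later logs on.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps inside the window
    flagged = set()
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # console/service logons are out of scope here
        ip, ts = ev["IpAddress"], ev["TimeCreated"]
        if ev["EventID"] == 4625:
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst",
                               f"{len(q)} failed RDP logons within {int(window.total_seconds())}s"))
        elif ev["EventID"] == 4624 and ip in flagged:
            alerts.append((ip, "success_after_burst",
                           f"successful RDP logon as {ev['TargetUserName']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The 'success_after_burst' alert is the one worth paging on: a burst alone may be noise from a mistyped password or a scanner, but a success from the same source after a burst is the moment an account has most likely been taken over and credentials should be reset. Threshold and window are tunable; five failures in five minutes is a starting point, not a standard.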
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:
File name: file.exe
Size: 347.13 KB (347136 bytes)
MD5: 34260178f9e3b2e769accdee56dac793
Detection count: 43
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 27, 2017
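Two indicators from this page can be checked on a suspect machine or file share: the appended '.one' extension on encrypted files and the MD5 of the dropper listed above. The script below is an added example and not the article's own tool; it walks a directory tree, hashes only executables against the known hash, and builds a constructed sample tree in a temporary directory (with a harmless random stand-in executable, not the real dropper) so it can be run offline.

```python
"""Scan a directory tree for XPan indicators: the '.one' extension on
encrypted files and the dropper MD5 listed on the page.

Added example, not the article's tool. The sample tree is constructed in a
temp directory; the stand-in executable is random bytes, not the dropper.
"""
import hashlib
import os
import tempfile

XPAN_DROPPER_MD5 = "34260178f9e3b2e769accdee56dac793"  # from the page's file list
XPAN_EXTENSION = ".one"


def md5_of(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, known_hashes=frozenset({XPAN_DROPPER_MD5}), extension=XPAN_EXTENSION):
    """Return suspected encrypted files and executables matching known hashes."""
    findings = {"encrypted": [], "dropper": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(extension):
                findings["encrypted"].append(path)
            # Hash only executables; hashing every file is slow on a large share.
            if lower.endswith(".exe") and md5_of(path) in known_hashes:
                findings["dropper"].append(path)
    return findings


def build_sample_tree():
    """Constructed layout: two '.one' files, one clean document, one stand-in .exe."""
    root = tempfile.mkdtemp(prefix="xpan_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("report.docx.one", "photo.jpg.one"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(os.urandom(64))  # opaque content standing in for ciphertext
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("untouched document\n")
    stand_in = os.path.join(root, "sample.exe")
    with open(stand_in, "wb") as fh:
        fh.write(b"MZ" + os.urandom(128))  # harmless random bytes, not the dropper
    return root, stand_in


def demo():
    """Scan once with the page's hash (no match on the stand-in) and once with
    the stand-in's own hash, which shows the hash check firing."""
    root, stand_in = build_sample_tree()
    baseline = scan_tree(root)
    local = scan_tree(root, known_hashes={md5_of(stand_in)})
    return {
        "encrypted": sorted(os.path.basename(p) for p in baseline["encrypted"]),
        "dropper_page_hash": [os.path.basename(p) for p in baseline["dropper"]],
        "dropper_local_hash": [os.path.basename(p) for p in local["dropper"]],
    }


if __name__ == "__main__":
    print(demo())
```

Treat the extension match as a triage signal rather than proof: legitimate Microsoft OneNote notebooks also use the '.one' extension, so a hit should be confirmed by checking whether the original file name (for instance 'report.docx') still precedes it and whether the ransom note is present. The hash match, conversely, is exact but narrow; it identifies only the sample listed on this page, and a recompiled build will not share it.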