
XPan Ransomware

Posted: April 26, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 63
First Seen: April 26, 2017
OS(es) Affected: Windows

The XPan Ransomware is a file-encrypting Trojan that locks your files with an AES-based cipher. Its payload also drops a message demanding a ransom in exchange for the decryption key, but malware experts recommend less risky recovery methods, backup-based ones in particular. Strengthen your network and password security to block this threat's distribution, and use anti-malware programs to delete the XPan Ransomware as soon as possible.

Short Passwords Giving Your Savings Short Shrift

Although e-mail attachments are the favored distribution method for most file-encrypting Trojan campaigns, they aren't the only tactic available to an enterprising threat actor. More focused con artists sometimes prefer targeted attacks against specific organizations, including government offices and particular business sub-sectors. Besides e-mail, these attacks may include manual 'hacking' attempts to install threats like the XPan Ransomware.

The first phase identifies an account that can log in over a remote network connection (Remote Desktop, in the attacks seen so far), preferably one protected by a short or commonly-used password. With brute-force password-guessing utilities, the con artists recover the login credentials and, from there, gain full system access. After that, they install the XPan Ransomware, whose payload bears strong similarities to older Trojans like NMoreira and AiraCrop.

The XPan Ransomware encrypts the system's media with a combination of AES-256 and RSA, the RSA component providing additional protection against decryption by third parties. All encoded content is identifiable by the appended '.one' extension, which the XPan Ransomware shares with the One Ransomware. Another feature of its payload generates a Portuguese Notepad message that includes a key unique to the victim's system, as well as an e-mail address for contacting the threat actor. In the ensuing ransom negotiations, malware experts have seen the price of decryption set at around 0.3 Bitcoins (almost 400 USD at the time).

Taking Your Files out of the Frying Pan without Throwing Your Bitcoins in a Fire

Most victims of the XPan Ransomware aren't home PC users; this Trojan's ongoing attacks are most strongly connected to Brazil-based small and mid-sized businesses. Workers who don't use sufficiently complex passwords are the greatest weakness allowing this threat's installation, which relies on brute-forcing weak RDP credentials rather than on any software flaw. Passwords and other information on a compromised system should be assumed compromised and at risk of future exploitation by the XPan Ransomware's threat actors.
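The entry path described in the two passages above (a burst of failed RDP logons from one source, then a success) leaves a clear trail in the Windows Security log. The following detection logic is an added example, not code from this page's authors or from any anti-malware vendor; the event lines it runs over are constructed in a simplified pipe-separated form rather than taken from real XPan telemetry, and the threshold and window are assumptions you would tune to your environment.

```python
"""Spot RDP password guessing that ends in a successful logon, the entry path
described above for XPan. Added example, not from the page's authors; the
Windows Security events below are constructed, not real XPan telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line: time|event_id|logon_type|user|src_ip
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2017-04-25T03:12:01|4625|10|administrator|203.0.113.7
2017-04-25T03:12:03|4625|10|administrator|203.0.113.7
2017-04-25T03:12:05|4625|10|admin|203.0.113.7
2017-04-25T03:12:07|4625|10|administrator|203.0.113.7
2017-04-25T03:12:09|4625|10|administrador|203.0.113.7
2017-04-25T03:12:11|4625|10|administrator|203.0.113.7
2017-04-25T03:12:40|4624|10|administrator|203.0.113.7
2017-04-25T09:00:00|4624|10|jsilva|198.51.100.20
2017-04-25T09:05:00|4625|10|jsilva|198.51.100.20
2017-04-25T09:05:30|4624|10|jsilva|198.51.100.20
"""


def parse_events(text):
    """Parse the simplified event lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src_ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src_ip": src_ip,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP whose RDP failures within `window`
    reach `threshold` and are followed by a successful RDP logon.

    Guesses are counted per source address rather than per account, because
    password spraying rotates user names while keeping the same origin.
    Threshold and window are assumed values, not from the page."""
    by_source = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        if event["logon_type"] == 10:
            by_source[event["src_ip"]].append(event)

    alerts = []
    for src_ip, evs in by_source.items():
        recent_failures = []
        for event in evs:
            # Keep only failures that fall inside the sliding window.
            recent_failures = [f for f in recent_failures
                               if event["time"] - f["time"] <= window]
            if event["event_id"] == 4625:
                recent_failures.append(event)
            elif event["event_id"] == 4624 and len(recent_failures) >= threshold:
                alerts.append({
                    "src_ip": src_ip,
                    "user": event["user"],
                    "failures": len(recent_failures),
                    "accounts_tried": sorted({f["user"] for f in recent_failures}),
                    "success_at": event["time"].isoformat(),
                })
                recent_failures = []
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample above only 203.0.113.7 is flagged: six guesses across three account names inside the window, then a successful RemoteInteractive logon as "administrator". The single typo-then-retry from 198.51.100.20 stays below the threshold. A success that follows a guessing burst is the event worth paging on, since at that point the attacker already has the access needed to stage the ransomware.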

Keeping backups is the safest way to stop Trojans like the XPan Ransomware from holding your data hostage. However, Kaspersky Lab also hosts a free decryption tool for users without better options. Containing and removing the XPan Ransomware with an anti-malware tool, and re-securing the network's login credentials, should come before any attempt at file restoration; otherwise the attackers can simply log back in with the same credentials and encrypt the recovered files again.

The XPan Ransomware owes its decryption in part to its authors growing overconfident and distributing the threat more widely than previously reported. As long as Brazil remains a focal point for similar attacks, anyone responsible for network and server management will need to watch for the weak points, exposed remote logins with guessable passwords above all, that could lead to file-encrypting infections.

Technical Details

File System Modifications


The following file was created on the system:

File name: file.exe
Size: 347.13 KB (347,136 bytes)
MD5: 34260178f9e3b2e769accdee56dac793
Detection count: 43
File type: Executable File
MIME type: unknown/exe
Group: Malware file
Last Updated: April 27, 2017
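The size and MD5 above, together with the '.one' extension described earlier, are enough for a first-pass triage of a suspect machine or a disk image mounted read-only. The script below is an added example, not a tool from this page's authors or from any vendor: it walks a directory tree, lists files carrying the '.one' extension, and hashes only files whose size matches the indicator before comparing the MD5. The sample tree it builds is constructed for the demonstration, and the "file.exe" it plants is a harmless stand-in, not the real sample.

```python
"""Triage scan for XPan indicators on a mounted or copied file system.
Added illustration, not the page's own tooling; the tree built by
make_sample_tree() is constructed for the demo and contains no malware."""
import hashlib
import os
import tempfile

# Indicators from the Technical Details section of this page.
XPAN_MD5 = "34260178f9e3b2e769accdee56dac793"
XPAN_SIZE = 347136
ENCRYPTED_EXT = ".one"


def md5_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root, ioc_md5=XPAN_MD5, ioc_size=XPAN_SIZE):
    """Walk `root` and report files that look encrypted by XPan and files
    matching the dropper indicator. Size is checked before hashing so that
    only candidate files are read; pass ioc_size=None to hash everything."""
    report = {"encrypted": [], "ioc_matches": [], "hashed": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"].append(path)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if ioc_size is None or size == ioc_size:
                report["hashed"] += 1
                if md5_of_file(path) == ioc_md5.lower():
                    report["ioc_matches"].append(path)
    return report


def make_sample_tree():
    """Build a constructed directory: two '.one' files, a clean text file and
    a harmless stand-in named file.exe. Returns the paths and the stand-in's
    own hash so the scan can be exercised without the real sample."""
    root = tempfile.mkdtemp(prefix="xpan_triage_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("report.xlsx.one", "contract.docx.one"):
        with open(os.path.join(docs, name), "wb") as handle:
            handle.write(b"\x00" * 64)
    with open(os.path.join(root, "notes.txt"), "wb") as handle:
        handle.write(b"clean")
    exe = os.path.join(root, "file.exe")
    payload = b"MZ" + b"\x90" * 100  # constructed bytes, NOT the real dropper
    with open(exe, "wb") as handle:
        handle.write(payload)
    return {
        "root": root,
        "exe": exe,
        "exe_md5": hashlib.md5(payload).hexdigest(),
        "exe_size": len(payload),
    }


if __name__ == "__main__":
    sample = make_sample_tree()
    # Scan with the stand-in's own indicator to show a hit, then with the
    # page's real indicator, which the constructed tree does not contain.
    print(triage(sample["root"], sample["exe_md5"], sample["exe_size"]))
    print(triage(sample["root"]))
```

Matching on size first is a cheap filter that keeps the scan fast on large shares; the MD5 comparison then confirms the exact sample. Because MD5 only identifies this one build, a clean result for the hash does not mean the machine is clean, while a high count of '.one' files is evidence of encryption regardless of which binary produced it.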
