Xorist ransomware virus

September 8, 2018

What is Xorist

Xorist is a file-encrypting virus that has been updated a couple of times since its release in 2016.

How does Xorist work


Xorist is a ransomware-type virus created using Encoder Builder v.24 to lock victims’ data. It emerged in 2016, but, during the past two years, the malware has received several updates. Currently, there are about 12 different versions of the virus. All members of this ransomware family use the same encryption strategy to lock files on the targeted machine. Typically, they rely on XOR or TEA cryptography, but each version might append a unique file extension and deliver a ransom note in a text file where victims are asked to transfer a specific amount of Bitcoins for data recovery. The latest version, from July 2018, appends the .DATA_IS_SAFE_YOU_NEED_TO_MAKE_THE_PAYMENT_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_LOST_FOREVER_PLEASE_BE_REZONABLE_IS_NOT_A_JOKE_TIME_IS_LIMITED extension to target files on the victim’s computer.


In June 2018, researchers reported a new version of the Xorist malware which appends a long file extension to each targeted document, picture or other file:

When all data is locked, it delivers a ransom note in the same READ ME FOR DECRYPT.txt file, where victims are asked to contact the attackers via repair_data@scryptmail.com and pay 0.8 Bitcoin for Cerber decryption software. However, paying the ransom is not recommended. It’s clear that the creators of the malware are just trying to make as much illegal money as possible by developing new versions of the same virus.

A couple of months ago, in the second half of March 2018, the Xorist-XWZ version appeared. It uses the XOR cipher and appends the .xwz file extension to each encrypted file. Upon encryption, the victim is presented with a ransom note, READ ME FOR DECRYPT.txt. Recently, experts announced the PrOtOnIs file virus, which is capable of corrupting 111 file types, including:

All extensions that it has ever used are included in this list:

.antihacker2017; .pa2384259; .hello; .brb; .RusVon; .fast_decrypt_and_protect@tutanota.com; .xdata; .SaMsUnG; .zixer2; .error; .errorfiles; .@EnCrYpTeD2016@; .encoderpass; .fileiscryptedhard; .6FKR8d; .EnCiPhErEd; .73i87A; .p5tkjw; .PoAr2w; .PrOtOnIs .ava; .xwz.

As you can see, the virus has been updated numerous times. One of the previous versions, which manifested at the beginning of February 2018, is dubbed Xorist-Frozen. It appends the .frozen_service_security@scryptmail.com file extension, generates a HOW TO DECRYPT FILE.TXT ransom note, and demands a ransom for a decryptor.

Xorist ransomware demands a ransom for data recovery.

In comparison to other ransomware viruses, Xorist employs quite a strange communication method. The victims of the original ransomware virus have to send an SMS message to the provided numbers instead of using the Bitcoin payment system.

Then the developer of the virus supposedly sends a unique decryption password to the victim. The victim needs to enter this password into a Password Prompt, and then the files should be decrypted. However, the number of attempts to enter the password is limited by the creator of the virus. If the victim exceeds the number of attempts to type in the right password, the user’s data will be lost forever.


Xorist malware spreads via malicious spam emails.

Meanwhile, the Xorist-Frozen virus does not intimidate people with a limit on the number of attempts to enter the code. Now the victim is informed that the server will destroy the key within 36 hours after the encryption, but the payment has to be transferred within 24 hours. However, instead of listening to hackers, make sure to remove Xorist-Frozen completely.

Following these orders is neither necessary nor recommended because the ransomware is already decryptable. Even its latest variant, Cryptedx ransomware, can be beaten. Thanks to security researchers, you can use free software to recover corrupted data. However, before using this tool, you should remove Xorist ransomware from the computer using Anti-Malware, Norton Internet Security, or another anti-malware program.

How to delete Xorist

Team Xrat ransomware

This version was discovered in August 2016 targeting Portuguese computer users. The virus encrypts files with the RSA-2048 encryption system and hides the decryption key. The malware appends the .C0rp0r@c@0Xr@ file extension to the encrypted files and delivers a ransom note, “Como descriptografar seus arquivos.txt.”

Victims are told to contact authors of this virus via corporacaoxrat@protonmail.com email address and learn how to obtain the decryptor. However, doing that is unnecessary because ransomware can be decrypted for free with Team Xrat decryption tool.

XPan ransomware virus

The malware emerged in September 2016. It uses AES-256 encryption and appends either the .____xratteamLucked or the .one file extension. The unique feature of the ransomware is that after infiltration it checks the default language of the computer.

The ransom-demanding message does not say how many Bitcoins victims have to transfer. However, some people claim that they were asked to pay 0.3 BTC. This piece of crypto-malware is poorly written, and users can recover their files for free after XPan removal.

Zixer2 ransomware virus

This variant of Xorist uses the Tiny Encryption Algorithm and appends the .zixer2 file extension. Following data encryption, it delivers a ransom note in the HOW TO DECRYPT FILES.TXT file. Here victims are asked to contact the cyber criminals via the datares@india.com email address.

It’s unknown how much money crooks ask in exchange for the decryption key. However, victims do not need to waste their time chatting with hackers. Once the malware is wiped out from the system, people can recover their files with Xorist Decrypter.

Imme ransomware virus

The malware uses the XOR encryption algorithm and appends the .imme or .imme.teras.completecrypt file extension. In the ransom note, hackers demand 2 Bitcoins within 72 hours for a data recovery tool. The threatening message also reveals a unique user ID that victims have to send to supfiles@inbox.im or supfiles@gmx.com as soon as they pay the ransom. However, just like the other variants of Xorist, this one is also decryptable.

AvastVirusinfo ransomware virus

This variant aims at Russian-speaking computer users. It appends . extension to each of the targeted files and installs a ransom note called “КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt.” Here crooks ask victims to contact them via avastvirusinfo@yandex.com and pay only $15. Although the ransom is small, there’s no need to pay it because the ransomware is decryptable for free.

Crypto1CoinBlocker ransomware virus

Malware uses RSA-2048 cryptography to encode files on the affected computer. When all files are encrypted, ransomware delivers a pop-up window with a ransom-demanding message. The same data recovery instructions are provided in the HOW TO DECRYPT FILES.txt file too.

Cyber criminals ask victims to transfer 1 Bitcoin to the provided wallet address. Interestingly, the Bitcoin wallet address is the same as the appended file extension – .1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy. However, paying the ransom is not recommended. After Crypto1CoinBlocker removal, users are advised to try alternative recovery methods.

Hello ransomware

It’s a recent variant of the Xorist malware that emerged in August 2017. The malware spreads and is executed from the iji.exe file. Once this file is run, it starts scanning the system for the targeted files. It appends the .HELLO file extension to all of the encrypted data.

The virus also delivers a pop-up window informing about encrypted data. What is more, it also installs a ransom note called HOW TO DECRYPT FILES.txt where victims are asked to transfer 0.05 BTC to the provided address. Users are given 12 hours to complete this task. After the deadline, the price will double. However, after 24 hours corrupted files are said to be deleted.

.Cerber_RansomWare@qq.com crypto-virus

Despite the reference to the notorious Cerber ransomware, the malware happens to be another version of the Xorist virus. It is a common technique among cyber criminals to threaten users with more menacing virtual threats. On the other hand, this malware is still capable of encoding users’ files, appending the .cerber_RansomWare@qq.com extension and demanding a ransom.

The malware is still under development, so it only presents demands in the HOW_TO_DECRYPT.txt file. No specific ransom sum is indicated. Users should not consider paying the ransom, as they can make use of the free Xorist Decrypter.

Cryptedx ransomware

This is the newest version of the Xorist crypto-malware. The virus is already detected by 53 security software vendors as dawdawd.exe. Fortunately, just like its previous versions, it can be decrypted with the help of the Emsisoft decrypter.

When infected, you will find that all of your files are inaccessible. Besides, their endings will be changed to the .cryptedx file extension. In this case, you should ignore the warning message, which is also dropped by the malware developers, and remove Cryptedx ransomware from the system. Then, move on to the file recovery guide posted at the end of this description.

Xorist-Frozen ransomware

Xorist-Frozen is the latest Xorist ransomware version, detected at the beginning of February 2018. According to the latest reports, Xorist-Frozen is very similar to its predecessors. It uses the XOR file encryption algorithm and creates a HOW TO DECRYPT FILES.txt ransom note. Currently, the file extension appended to the encrypted files is not known.

Xorist-Frozen ransomware asks victims to pay a 0.5 BTC ransom, which is currently around 3400 USD, and to transfer it within 24 hours. Extortionists claim that all locked files will be removed from the server within 34 hours after the encryption.

In comparison to its predecessor’s communication method, this version has switched from SMS to email, so people who opt for a unique decryption code have to send a code to frozen_service_security@scryptmail.com. Based on the prevalence of the virus, it’s oriented toward English-speaking countries.

Security experts haven’t yet developed a Xorist-Frozen decryptor. Therefore, there’s only one way out – to remove the virus with a professional anti-virus and then try to decrypt data using the methods given at the end of this post.

Xorist-XWZ Ransomware

Xorist-XWZ is the newest version of the Xorist ransomware family. It was detected in the second half of March 2018 by a group of ransomware researchers. This variant uses the XOR encryption algorithm to render the victim’s personal files useless.

The Xorist-XWZ virus is capable of attacking 111 file types. Upon successful execution of the ransomware payload, most of the files on the infected PC get the .xwz file extension. Besides, the virus drops a ransom note in the form of a text file, READ ME FOR DECRYPT.txt. The ransomware is oriented to English-speaking users since it’s not translated into any other language:

Just like its kin, it circulates on the Internet with the help of various social engineering strategies. Malspam campaigns are used most actively. Nevertheless, it can attack PCs via unprotected RDP configurations, drive-by-download attacks, fake software updates, and similar stealthy methods. Unfortunately, a free Xorist-XWZ decryptor is not available.

In June 2018, another version of Xorist appeared. The virus adds a long file extension to the targeted files:

When all files are locked, it creates a ransom note called READ ME FOR DECRYPT.txt that contains the following information:

Furthermore, attackers provide instructions on how to make a transaction in Bitcoins and provide a specific wallet address where people have to send 0.8 BTC. They also leave a contact email address repair_data@scryptmail.com for those who need more information. However, it is not recommended to deal with these people. It’s better to remove Xorist from the PC and try alternative recovery methods explained at the end of the article.
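To see how far an infection reached, the file extensions and ransom-note names this page lists can drive a read-only file-name scan. The Python below is an added example, not part of the original article or of any vendor tool; the function names and the sample directory tree are constructed for illustration, and it treats the page's ".PrOtOnIs .ava" as two separate extensions.

```python
import os
import tempfile

# Extensions copied from this page (the page runs ".PrOtOnIs .ava" together;
# treating them as two entries is an assumption of this example).
EXTENSIONS = """.antihacker2017; .pa2384259; .hello; .brb; .RusVon;
.fast_decrypt_and_protect@tutanota.com; .xdata; .SaMsUnG; .zixer2; .error;
.errorfiles; .@EnCrYpTeD2016@; .encoderpass; .fileiscryptedhard; .6FKR8d;
.EnCiPhErEd; .73i87A; .p5tkjw; .PoAr2w; .PrOtOnIs; .ava; .xwz; .cryptedx;
.frozen_service_security@scryptmail.com; .cerber_RansomWare@qq.com"""
SUFFIXES = tuple(e.strip().lower() for e in EXTENSIONS.split(";"))
# Ransom-note names mentioned on this page, lower-cased for comparison.
NOTE_NAMES = {"read me for decrypt.txt", "how to decrypt file.txt",
              "how to decrypt files.txt", "how_to_decrypt.txt"}


def classify(filename):
    """Return 'note', 'encrypted' or None for a bare file name."""
    low = filename.lower()
    if low in NOTE_NAMES:
        return "note"
    # endswith() rather than os.path.splitext(): several suffixes contain dots
    # and '@', so splitext() would only see ".com". Bare suffixes are skipped.
    if low.endswith(SUFFIXES) and low not in SUFFIXES:
        return "encrypted"
    return None


def scan(root):
    """Walk root read-only; return sorted (kind, path) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                hits.append((kind, os.path.join(dirpath, name)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: benign names mixed with Xorist-style ones."""
    for rel in ("docs/report.docx", "docs/budget.xlsx.xwz", "pics/dog.png.HELLO",
                "docs/READ ME FOR DECRYPT.txt", "pics/notes.txt",
                "pics/cat.jpg.fast_decrypt_and_protect@tutanota.com"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, path in scan(tmp):
            print(kind, os.path.relpath(path, tmp))
```

A directory that holds both a ransom note and renamed files is a strong sign that encryption ran there; short suffixes such as .error can also match unrelated files, so review hits before acting on them.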

Following cyber security tips helps to prevent a ransomware attack

Cyber criminals use various techniques to spread this virus, such as malicious spam emails, malvertising, fake or illegal downloads, etc. However, by following a few simple rules, you can reduce the risk of getting a computer virus.

  1. First of all, never open emails that come from unknown senders. In addition to that, avoid reading emails that fall into “Spam” category. Sending viruses and trojans via email is one of the most popular ways to distribute malicious computer viruses.
  2. Do not click on suspicious content while you browse the Internet. If you see doubtfully reliable ads or banners that claim you have won millions or that you are the lucky visitor, ignore them. Such ads are deceptive.
  3. Download files only from trustworthy web sources. Besides, you should save them to your computer system instead of running/opening them immediately. It gives your computer security software some time to scan the file and test its reliability.
  4. Backup your files. It is a must! If you do not know why you should do that, please read this post – Why do I need backup and what options do I have for that?
  5. Protect your computer with a trustworthy anti-spyware or anti-malware software.

Before you try to decrypt your files, you must remove Xorist ransomware from your computer. You can easily find all files that are related to this malware with the help of security software. If you notice that the virus blocks your attempts to start any of these programs in order to prevent its removal from the system, you should follow the detailed removal guide given below, which offers two different methods that could help you unblock your remover.

Xorist is a decryptable ransomware virus.

After Xorist removal, you can recover your files using the official decryption software or try alternative recovery methods. Links and detailed explanations of how to use these tools are presented below.

Stage 1: Delete Browser Extension

First of all, we would recommend that you check your browser extensions and remove any that are linked to Xorist. A lot of adware and other unwanted programs use browser extensions in order to hijack internet applications.

Remove Xorist Extension from Google Chrome

  1. Launch Google Chrome.
  2. In the address bar, type: chrome://extensions/ and press Enter.
  3. Look for Xorist or anything related to it, and once you find it, press ‘Remove’.

Uninstall Xorist Extension from Firefox

  1. Launch Mozilla Firefox.
  2. In the address bar, type: about:addons and press Enter.
  3. From the menu on the left, choose Extensions.
  4. Look for Xorist or anything related to it, and once you find it, press ‘Remove’.

Delete Xorist Extension from Safari

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Select Preferences from the list.
  4. Choose the Extensions tab.
  5. Look for Xorist or anything related to it, and once you find it, press ‘Uninstall’.
  6. Additionally, open Safari Settings again and choose Downloads.
  7. If Xorist.safariextz appears on the list, select it and press ‘Clear’.

Remove Xorist Add-ons from Internet Explorer

  1. Launch Internet Explorer.
  2. From the menu at the top, select Tools and then press Manage add-ons.
  3. Look for Xorist or anything related to it, and once you find it, press ‘Remove’.
  4. Reopen Internet Explorer. In the unlikely scenario that Xorist is still on your browser, follow the additional instructions below.
  5. Press Windows Key + R, type appwiz.cpl and press Enter.
  6. The Program and Features window will open where you should be able to find the Xorist program.
  7. Select Xorist or any other recently installed unwanted entry and press ‘Uninstall/Change’.

Alternative method to clear the browser from Xorist

There may be cases when adware or PUPs cannot be removed by simply deleting extensions or codes. In those situations, it is necessary to reset the browser to its default configuration. If you notice that the infection is still present even after getting rid of weird extensions, follow the instructions below.

Use Chrome Clean Up Tool to Delete Xorist

  1. Launch Google Chrome.
  2. In the address box, type: chrome://settings/ and press Enter.
  3. Expand Advanced settings, which you can find by scrolling down.
  4. Scroll down until you see Reset and Cleanup.
  5. Press on Clean up computer. Then press Find.

This Google Chrome feature is supposed to clear the computer of any harmful software. If it does not detect Xorist, go back to the Clean up computer and reset settings.


Reset Mozilla Firefox to Default

If you still find Xorist in your Mozilla Firefox browser, you should be able to get rid of it by restoring your Firefox settings to default. While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.

  1. Launch Mozilla Firefox.
  2. In the address box, type: about:support and press Enter.
  3. You will be redirected to a Troubleshooting Information page.
  4. From the menu on the right side, select Refresh Firefox.
  5. Confirm your choice by clicking Refresh Firefox in the new window.
  6. Your browser will close automatically in order to successfully restore the settings.
  7. Press Finish.

Reset Safari Browser to Normal Settings

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Press Reset Safari.
  4. A new window will appear. Select the boxes of what you want to reset or use the screenshot below to guide you. Once you have selected everything, press ‘Reset’.
  5. Restart Safari.

Restore Internet Explorer to Default Settings

  1. Launch Internet Explorer.
  2. From the top menu, press on Tools and then Internet Options.
  3. In the new window that opens, choose the Advanced tab.
  4. At the bottom of the window, below Reset Internet settings, there will be a ‘Reset’ button. Press that.

While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.
