Xorist ransomware virus

Xorist is a family of ransomware viruses that keeps evolving in 2020 despite an active decryption software

Xorist ransomware version

Xorist ransomware version

Xorist is a ransomware-type virus built on Encoder Builder v.24 from [Pastorok][1], which is sold on the underground forums. Since the emergence in 2016, it remains active and new versions emerge. There are over 15 different versions under the Xorist ransomware family with the predominant .PrOtOnIs and .PrOtOnIs.VaNdElIs, .EnCiPhErEd, .1ss33ggur, and .LOCK file extensions.  

To encrypt users’ files, all members of this ransomware family have been using the same encryption strategy. Typically, they rely on XOR or TEA cryptography, but each version might append unique file extension and deliver a ransom note in the text file where victims are asked to transfer a specific amount of Bitcoins for data recovery. 

Luckily, the Xorist ransomware was not the toughest nut to crack. In 2016, Fabian Wosar of Emsisoft deciphered ransomware code and released a free decryption software, which was soon situated among other ransomware decryptors in the NoMoreRansom project managed website. Although the .73i87Am, .p5tkjw, PoAe2w, and .EnCiPhErEd file extensions are susceptible to the decryptor, victims of the others should remove Xorist ransomware and run the decryptor as well. 

Name Xorist
Type Ransomware
Versions .Team Xrat, .XPan, .Zixer2, .Imme, .AvastVirusinfo, .Crypto1CoinBlocker, .Hello, [email protected], .Cryptedx, .Xorist-Frozen, Xorist-.XWZ, .PrOtOnIs, .VaNdElIs,.Mbrcodes, .73i87Am, .p5tkjw, PoAe2w, .EnCiPhErEd, .LOCK, .CerBerSysLocked0009881, .error77002017111, .Blocked2, .TaRoNiS, .brb, .RusVon, [email protected], .xdata, .SaMsUnG, .antihacker2017, .error, .errorfiles, .@EnCrYpTeD2016@, .pa2384259, .encoderpass, .fileiscryptedhard, .6FKR8d, .EnCiPhErEd, .73i87A, .p5tkjw, .PoAr2w, .1ss33ggur, and .ava
Danger level High (initiates unauthorized system’s changes and can cause permanent data loss)
Detection 2016 (actively spreads up until now)
Distribution Malspam, exploit kits, drive-by-download, fake software updates, 
Symptoms Most of the personal files appended with a Xorist related file extension (the list down below), .txt file as a ransom note available on the desktop, the system runs slower, multiple suspicious files misusing CPU resources, etc. 
Encryption methods XOR and TEA
Redeem size Varies from 0.3 to 2 Bitcoins
Decryptable Yes. A free Xorist decrypter is available, but it may not be capable of decrypting the newest versions
Elimination Automatic. Install a professional anti-malware and run a deep scan with it. Our recommendation is Reimage Reimage Cleaner Intego.

Previously, the virus was appending .DATA_IS_SAFE_YOU_NEED_TO_MAKE_THE_PAYMENT_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_LOST_FOREVER_PLEASE_BE_REZONABLE_IS_NOT_A_JOKE_TIME_IS_LIMITED extension to target files on victim’s computer. In June 2018, researchers reported about a version of the Xorist malware which appends a long file extension to each of the targeted document, picture or other targeted files:


When all data is locked, it delivers a ransom note in the same READ ME FOR DECRYPT.txt. file where victims are asked to contact them via [email protected] and pay 0.8 Bitcoin for Cerber decryption software. However, paying the ransom is not recommended. It’s clear that creators of malware are just trying to make as much illegal money as possible by developing new versions of the same virus.

A couple of months ago, in the second half of March 2018, Xorist-XWZ version appeared. It uses XOR, cipher and appends .xwz  file extension to each encrypted file. Upon encryption, the victim is presented with a ransom note READ ME FOR DECRYPT.txt. Recently, experts announced about PrOtOnIs file virus which is capable of corrupting 111 file types, including: 

.1cd, .3gp, .7z, .a06, .ac3, .aleta, .aol, .ape, .arena, .aspx, .avi, .b64, .bak, .bd, .bmp, .cdr, .cer , .csv, .dat, .db, .dbf, .divx, .djvu, .dl0, .dl1, .dl2, .dl3, .dl4, .dl5, .dl6, .dl7, .dl8, .dl9,. doc, .docx, .dwg, .flac, .flv, .frf, .gdb, .gif, .gzip, .htm, .html, .ibk, .ifo, .jpeg, .jpg, .kwm, .ldf, .lnk, .m2v, .max, .md, .mdb, .mdf, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .mt0, .mt1, .mt2, .mt3, .mt4 , .mt5, .mt6, .mt7, .mt8, .mt9, .net, .odt, .p12, .pdf, .pfx, .png, .ppt, .pptx, .ps1, .psd, .pwm,. .wk, .wk1, .wk2, .wk3, .wk4, .wk5, .wk6, .wk7, .wk8, .wk9, .wma, .wmv, .xls, .xlsm, .xlsx, .xml, .zip. 

All extensions that it has ever used were included to this list:

  • .antihacker2017;
  • .pa2384259;
  • .hello;
  • .brb;
  • .RusVon;
  • [email protected];
  • .xdata;
  • .SaMsUnG;
  • .zixer2;
  • .error;
  • .errorfiles;
  • .@EnCrYpTeD2016@;
  • .encoderpass;
  • .fileiscryptedhard;
  • .6FKR8d;
  • .EnCiPhErEd;
  • .73i87A;
  • .p5tkjw;
  • .PoAr2w;
  • .PrOtOnIs;
  • .PrOtOnIs.VaNdElIs;
  • .ava;
  • .xwz;
  • .mbrcodes.
  • .TeamXrat,
  • .XPan,
  • .Imme,
  • .AvastVirusinfo,
  • .Crypto1CoinBlocker,
  • [email protected],
  • .Cryptedx,
  • .Xorist-Frozen, 
  • .Xorist-.XWZ,
  • .PoAe2w,
  • .LOCK, 
  • .CerBerSysLocked0009881,
  • .error77002017111,
  • .Blocked2,
  • .TaRoNiS,
  • .1ss33ggur.

As you can see, the virus has been updated numerous times. One of the previous versions that manifested at the beginning of February 2018 is dubbed as Xorist-Frozen. It appends [email protected] file extension, generates HOW TO DECRYPT FILE.TXT ransom note, and demands a ransom for a decryptor.

Xorist virus ransom note
Xorist ransomware demands to pay the ransom for data recovery.

Xorist virus ransom note
Xorist ransomware demands to pay the ransom for data recovery.

In comparison to other ransomware viruses, Xorist employs a quite strange communication method. The victims of the original ransomware virus have to send the SMS message to the provided numbers instead of using the Bitcoin payment system.[2] 

When the developer of the virus supposedly sends a unique decryption password for the victim. The victim needs to enter this password into a Password Prompt, and then the files should be decrypted. However, the number of attempts to enter the password is limited by the creator of the virus. If the victim exceeds the number of attempts to type in the right password, user’s data is doomed.

Xorist malware spreads via spam
Xorist malware spreads via malicious spam emails.

Xorist malware spreads via spam
Xorist malware spreads via malicious spam emails.

In the meanwhile, one of Xorist ransomware’s versions, called Frozen virus, does not intimidate people by the number of an excessive number of attempts to enter the code. The victim is informed that the server will destroy the key within 36 hours after the encryption, but the payment has to be transferred within 24 hours. However, instead of listening to hackers, make sure to remove Xorist completely. 

Following these orders is neither necessary nor recommended[3] because ransomware is already decryptable. Even its latest variant Cryptedx ransomware can be beaten. Thanks to security researchers, you can use free software to recover corrupted data. However, before using this tool, you should remove Xorist ransomware from the computer using Reimage Reimage Cleaner Intego, Malwarebytes, or another anti-malware.

The picture of Xorist ransomware virus
After Xorist ransomware attack, victims receive ransom note with instructions how to get back access to their files

The picture of Xorist ransomware virus
After Xorist ransomware attack, victims receive ransom note with instructions how to get back access to their files

Variants of Xorist virus

Team Xrat ransomware

Team Xrat version was discovered in August 2016. It has been targeting Portuguese[4] computer users by encrypting files with RSA-2048 encoding system and hiding the decryption key. Malware appends .C0rp0r@c@0Xr@ file extension to the encrypted dataand delivers a ransom note “Como descriptografar seus arquivos.txt.”

Victims are told to contact authors of this virus via [email protected] email address and learn how to obtain the decryptor. However, doing that is unnecessary because ransomware can be decrypted for free with Team Xrat decryption tool.

XPan ransomware

XPan ransomware emerged in September 2016. It uses AES-256 encryption and appends either .____xratteamLucked and .one file extensions. The unique feature of the ransomware is that after infiltration it check the default language of the computer.

The ransom-demanding message does not inform how much Bitcoins victims have to transfer. However, some people claim that they were asked to pay 0.3 BTC. However, this piece of crypto-malware is poorly written, and users can recover their files for free after XPan removal.

Zixer2 ransomware

Zixer2 ransomware variant of the Xorist uses Tiny Encryption Algorithm and appends .zixer2 file extension. Following data encryption, it delivers a ransom note in HOW TO DECRYPT FILES.TXT file. Here victims are asked to contact cybercriminals via [email protected] email address.

It’s unknown how much money crooks ask in exchange for the decryption key. However, victims do not need to waste their time chatting with hackers. Once the malware is wiped out from the system, people can recover their files with Xorist Decrypter.

Imme ransomware virus

Imme ransomware is using XOR encryption algorithm and is appending .imme or .imme.teras.completecrypt file extensions to the target data. In the ransom note, hackers are demanding 2 Bitcoins which should be paid within 72 hours. However, the data recovery tool might not work. The threatening message also reveals unique user’s ID that victims have to send [email protected] or [email protected] as soon as they pay the ransom. However, just like the other variants of Xorist, this one is also decryptable.

AvastVirusinfo ransomware

Avastvirusinfo variant aims at Russian-speaking computer users. It appends .[8 random chars] extension to each of the targeted file after the encryption procedure and installs a ransom note called “КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt,” Here crooks ask to contact them via [email protected] and pay only $15.Nevertheless, the ransom is small; there’s no need to pay it because ransomware is decryptable for free.

Crypto1CoinBlocker ransomware

Crypto1CoinBlocker malware uses RSA-2048 cryptography to encode files on the affected computer. When all data is encrypted, ransomware delivers a pop-up window with a ransom-demanding message. The same data recovery instructions are provided in the HOW TO DECRYPT FILES.txt file too.

Cybercriminals ask to transfer 1 Bitcoin to the provided wallet address. What is interesting, that Bitcoin wallet address is the same as the appended file extension – .1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy. However, paying the ransom is not recommended. After Crypto1CoinBlocker removal, users are advised to try alternative recovery methods.

Hello ransomware

Hello cryptovirus emerged in August 2017. Malware spreads and is executed from the iji.exe file. Once this file is run on the system, it starts scanning the system and looking for the targeted files. To all of the encrypted data it appends .HELLO file extension.

The virus also delivers a pop-up window informing about encrypted data. What is more, it also installs a ransom note called HOW TO DECRYPT FILES.txt where victims are asked to transfer 0.05 BTC to the provided address. Users are given 12 hours to complete this task. After the deadline, the price will double. However, after 24 hours, corrupted files are said to be deleted.

[email protected] 

Despite the reference to the notorious Cerber ransomware, the malware happens to be another version of Xorist virus. It is a common technique among cybercriminals to threaten users with more menacing virtual threats. On the other hand, this malware is still capable of encoding users’ files, appending [email protected] extension and demanding ransom.

The malware is still under development, so it only presents demands in HOW_TO_DECRYPT.txt file. No specific sum of ransom is indicated. Users should not consider paying the ransom as they might make use of free Xorist Decrypter.

Xorist ransomware lock screem
Xorist changes the desktop background to inform its victims on the attack and ways to purchase the decryptor

Xorist ransomware lock screem
Xorist changes the desktop background to inform its victims on the attack and ways to purchase the decryptor

Cryptedx ransomware 

Cryptedx is one of Xorist’s versions which has already been detected by 53 security software vendors as dawdawd.exe. Fortunately, just like previous its versions, it can be decrypted with the help of Emsisoft decrypter.

When infected, you can find that all of your files are inaccessible. Besides, their endings will be changed to .cryptedx file extension. In this case, you should ignore the warning message which is also dropped by malware developers, and remove Cryptedx ransomware from the system. Then, move on to files’ recovery guide posted at the end of this description.

Frozen ransomware

Xorist-Frozen version was detected at the beginning of February 2018. According to the latest reports, the ransomware is very similar to its predecessors. It uses XOR file encryption algorithm and creates a HOW TO DECRYPT FILES.txt ransom note. Currently, the file extension appended to the encrypted files is not known. 

Frozen ransomware is asking 0.5 BTC ransom, which is currently equal to 3400 USD. Extortionists claim that all locked files will be removed from the server within 34 hours after the encryption.

In comparison to its predecessor’s communication method, this version has switched from the SMS to email, so people who opt for a unique decryption code has to send a code to [email protected]. Based on the prevalence of the virus, it’s oriented toward English-speaking countries. 

Security experts haven’t developed a Xorist-Frozen decryptor. Therefore, there’s only one way out – to remove the virus with a professional anti-virus and then try to decrypt data using the methods given at the end of this post. 

XWZ Ransomware

Xorist keeps changing and reappearing with new versions. XWZ was detected in the second half of March 2018 by a group of ransomware researchers. This variant uses XOR encryption algorithm to render personal victim’s files useless.

Xorist-XWZ virus is capable of attacking 111 file types. Upon successful unravel of ransomware payload, most of the files on the infected PC get a .xwz file extension. Besides, the virus manifests a ransom note in the form of a text file READ ME FOR DECRYPT.txt. The ransomware is oriented to English-speaking users since it’s not translated into any other language:

All your files are encrypted using an unknown algorithm!
Do not try decrypt manualy!
You can destroy your files!!
To decrypt, please contact us [email protected]
Your personal ID: IN1O-2OYU-O98O-K1JJ
How to buy Bitcoins?

Just like its other versions, the virus circulates on the Internet with the help of various social engineering strategies. However, malspam campaigns are considered the most active techniques to promote this malware. It can attack PCs via unprotected RDP configuration, drive-by-download attacks, fake software updates, and similar stealthy methods. Unfortunately, a free Xorist-XWZ decryptor is not available. 

In June 2018, another version of Xorist appeared. The virus adds a long file extension to the targeted files:


When all files are locked, it creates a ransom note called READ ME FOR DECRYPT.txt that contains the following information:


Furthermore, attackers provide instructions on how to make a transaction in Bitcoins and provide a specific wallet address where people have to send 0.8 BTC. They also leave a contact email address [email protected] for those who need more information. However, it is not recommended to deal with these people. It’s better to remove Xorist from the PC and try alternative recovery methods explained at the end of the article.

LOCK Ransomware

According to researchers behind ID-Ransomware[5], Xorist ransomware family members can add 73 different file extensions, so the list that we provided at the top of this article should be much longer. However, not all strains appear to be successful and persistent. Many variants were disabled without a single victim reached. 

After some time of silence, Xorist strikes again with its new release dubbed as LOCK ransomware. Just like its predecessors, it’s based on the Encoder Builder and programmed to encrypt files using either XOR or TEA encryption algorithms. However, the Xorist LOCK ransomware exhibits a slightly different style of attack manifestation. Note that each virus based on Encoder Builder allows criminals to customize the ransom note, extensions, background image, and other traits. 

LOCK Xorist ransomware
LOCK is the latest Xorist ransomware variant that emerged in April 2020

LOCK Xorist ransomware
LOCK is the latest Xorist ransomware variant that emerged in April 2020

The LOCK ransowmare payload is disguised under the decrypt0r.exe file. Once launched, it attacks most of the file extensions on the host machine and appends .LOCK appendix to each of them. The finish of the encryption process is marked by an error pop-up saying:

All of your files are encrypted To decrypt it you must purchase a key from the Get the decryption key.exe file on your desktop

Besides, it creates the HOW TO DECRYPT FILES.txt ransom note, which does not contain explicit information, except the following:

All of your files are encrypted To decrypt it you must purchase a key from the Get the decryption key key.exe file on your desktop

LOCK crypto-malware also changes the desktop background image. Note that this Xorist ransomware family member has been detected in April 2020, so it’s decryptor is not available yet. The decryption software presented by Emsisoft in 2016 can restore files encrypted by earlier variants of this ransomware. Nevertheless, paying the ransom is not recommended anyway. 

Experts advise victims to remove LOCK ransomware virus from the system asap. For this purpose, a professional anti-virus should be engaged and run while Windows booted in Safe Mode. After that, give a try for the official Xorist decryption software or alternative data recovery tools. 

Following cybersecurity tips to prevent a ransomware attack

Cybercriminals have been using various techniques to spread this virus, such as malicious spam emails, malvertising, fake or illegal downloads, etc. However, by following a few simple rules, you can reduce the risk of getting a computer virus.

  1. First of all, never open emails that come from unknown senders. In addition to that, avoid reading emails that fall into the “Spam” category. Sending viruses and trojans via email is one of the most popular ways to distribute malicious computer viruses.[6]
  2. Do not click on suspicious content while you browse the Internet. If you see doubtfully reliable ads or banners that claim you have won millions or that you are the lucky visitor, ignore them. Such ads are deceptive.
  3. Download files only from trustworthy web sources. Besides, you should save them to your computer system instead of running/opening them immediately. It gives your computer security software some time to scan the file and test its reliability.
  4. Backup your files. It is a must! If you do not know why you should do that, please read this post – Why do I need backup and what options do I have for that?
  5. Protect your computer with a trustworthy anti-spyware or anti-malware software. 

Get rid of Xorist virus and recover your files without paying the ransom

Before you try to decrypt your files, you must remove Xorist ransomware from your computer. You can easily find all files that are related to this malware with the help of Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or similar security software. If you noticed that the virus blocks your attempts to start any of these programs to prevent its removal from the system, you should follow a detailed removal guide given below that is filled with two different methods that could help you unblock your remover.

Xorist decryptor
Xorist (some versions) is decryptable ransomware virus.

Xorist decryptor
Xorist (some versions) is decryptable ransomware virus.

After Xorist removal, you can recover your files using the official decryption software or try alternative recovery methods. Links and detailed explanation how to use these tools are presented below. 

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-05-12 at 13:20 and is filed under Ransomware, Viruses.