Xorist Ransomware

Xorist Ransomware is a malicious program that encrypts user’s text documents, pictures, audio or video files and some other file types. While your files are encrypted, it is impossible to do anything with them. In addition to that, if you have a backup in some removable media you should wait till you delete the ransomware, and only then you can transfer copies of your files; otherwise, the media device might be encrypted too. The infection’s creators state that you must pay the ransom if you want to unlock your data or else it will be lost. Our researchers say that Xorist Ransomware uses an old engine that can be modified in various ways. Therefore, if you have this malware on your computer, it might be that the given demands will differ from our example, and it could be hard to identify the malware. Further in the article we will present our findings on this ransomware, including the removal instructions if you decide to get rid of it.

The first sight that your computer is infected with Xorist Ransomware is the pop-up on your screen. In this case, the pop-up was named “Error” and the text in it simply states that “All your files are locked!” The rest of the text says that you have to contact originators of this malware via social media, and there is a link to their account. However, since this ransomware can be customized, your version could ask you to contact them with the given telephone number, email, etc.

Furthermore, another pop-up should appear on your screen that could be named “Attention!” If you contact the malware creators, they should provide you with details about the ransom. After you pay the ransom, you should receive a unique password and type it in this second pop-up. As the first message states, you can type the password twice. If the password is correct, your files are supposed to be decrypted, but if not, they will be destroyed.

The ransomware locks your files and adds its random extension on them. It can affect a lot of different file types, e.g. .jpg, .gif, .ppt, .txt, .pdf, .doc, .docx, .html, .avi, .mp3, .mp4 and so on. For the encryption, it uses algorithms called TEA or XOR. Importantly, Xorist Ransomware should leave a file named desktop.ini and a text document that could be titled as HOW TO DECRYPT FILES.txt. Both of these files should be placed in the %APPDATA% directory. The first file opens the other one every time you turn on your computer.

Like other similar ransomware applications, Xorist Ransomware could enter your computer through suspicious executable files. Often such files are spread through spam email, and if the user opens it, the malware settles in and begins the encryption process. The executable file could have a random name, so many users open it out of curiosity. Once the file is launched, the ransomware places an executable file in this location: %LOCALAPPDATA%\Temp.

As you see, the ransomware is a dangerous infection, and if you do not want to go through this again, you should consider using a security tool or protect your computer in other ways. As for now, you must decide whether to pay the ransom or eliminate the malware. The decision might be hard if your important files got encrypted, but you should consider these options carefully. No doubt that you are dealing with cyber criminals here, and you cannot be sure if they will give you the password after you make the payment.

If you decide to get rid of the ransomware, you could try to delete it manually with the instructions below the article. Although it would be much easier to install an antimalware tool and use it to eliminate the Xorist Ransomware because for manual instructions, you will have to locate a suspicious executable file in the particular folder. The problem is that the file has a random name, so we cannot tell you the exact title. Thus, we would advise you to use a legitimate antimalware tool as it will locate and delete this infection automatically. All you have to do is to perform a system scan, and when it finds the ransomware, you can erase it at once.

Delete Xorist Ransomware

1. Open the Explorer.
2. Copy and paste given location %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
3. Find these files: HOW TO DECRYPT FILES.txt, desktop.ini.
4. Right-click each of them separately and select Delete option.
5. Insert this location into the Explorer %LOCALAPPDATA%\Temp
6. Find an unfamiliar executable file with a random name.
7. Right-click the suspicious executable file and select Delete.
8. Empty your Recycle bin.