XRat Ransomware

Our researchers came across XRat Ransomware that appears to be the newest variant of a malicious program known as Xorist Ransomware. The infection could be distributed with suspicious email attachments, or it could travel with other malware. It does not lock your screen or encrypt any program files. Like many other similar threats, the malicious application seems to be only after the user’s personal data. In exchange of decrypting such data, the ransomware’s creators demand you to contact them via email and eventually to pay a ransom. However, we would advise users not to make any rash decisions because there might be a way to get the decryptor free of charge. If you want to know how it could be possible, continue reading the article. Also, if you decide to clean the system from XRat Ransomware, we advise you to follow the removal guide placed at the end of the article.

Even though the malware might display a ransom note in Portuguese language, it does not mean that users from other countries cannot infect their computers with XRat Ransomware too. Since the malicious program is still a new threat, the researchers are yet trying to figure it out how it is distributed. The malware could travel with other infections, such as Trojans, viruses, and other, or it could be spread with suspicious email attachments. In any case, when you launch the infected file, the ransomware should place a file with a random title on the %TEMP% location.

As the malicious application settles in it should begin encrypting the user’s data with a cryptosystem called TEA (Tiny Encryption Algorithm). During the process, locked files should be given a second extension called .C0rp0r@c@0Xr@t. Once it is finished, XRat Ransomware should place a ransom note on the replaced Desktop picture and on a text document called “Como descriptografar seus arquivos.txt,” which roughly translates into “How to decrypt your files.txt.” After it encrypts user’s personal data, the infection might add the text document to each folder on the computer. It might not even matter if the folder contains encrypted data.

The text within says that it is impossible to unlock encrypted data without a unique decryption key and if the user wishes to receive it, he has to send an email to corporacaoxrat@protonmail.com. We have no doubt that once the cyber criminals reply, they would demand you to pay a ransom. Sadly, there is no way to know if they will send you the decryption tools as promised. Therefore, we advise you to try a free decryptor created for Xorist Ransomware that should be available on the Internet. It might work because these malicious programs are almost identical. For starters try to decrypt one file to see if it works and if it does you can unlock the rest of your data.

Needless to say that if the decryptor does work, there is no reason to communicate with the cyber criminals. Instead, we advise you to get rid of the malicious application and clean the system. XRat Ransomware is a dangerous threat so it might be wiser to let a trustworthy antimalware software deal with it. As you install the security tool, launch it and allow it to do a full system scan. If there are other threats on the system, the tool should locate them too. After it checks all files and folders, it will show you a report with a list of detections. All you have to do is click the removal button, and XRat Ransomware should be deleted together with other threats.

Nevertheless, if you think you can get rid of it manually on your own, have a look at the instructions available below. It should tell you how to locate malicious data related to the malware on the computer and how to get rid of it. The malicious file that infected the system might be downloaded by the user himself, and if it still on the system, it should be erased as well. What’s more, if you need more guidance, or you have other questions related to the ransomware, feel free to leave us a message in the comments section below or contact us via social media.

Eliminate XRat Ransomware

1. Press Win+E to launch the Explorer.
2. Locate the following path: %TEMP%
3. Find a malicious file that has a random title, right-click it and press Delete.
4. Check the Desktop, Temporary Files, Downloads, and other directories to locate a malicious file that is the source of the infection.
5. Right-click the malicious file and select Delete.
6. Find files titled as “Como descriptografar seus arquivos.txt,” right-click them separately and choose Delete.
7. Close the Explorer.
8. Empty Recycle bin.