Xpan Ransomware

Xpan Ransomware is a new Brazilian ransomware that mainly hits corporations that may store a large quantity of data, such as hospitals. Once this dangerous program is activated on your system, it encrypts all important files, including images, text files, and archives as well. Normally, the only chance for you to get your files back is to pay the ransom fee, use a backup copy of your files, or a free decryption tool you may find on the web. We practically never recommend that you pay criminals because it hardly ever happens that crooks send you the right decryption key or tool and not a bundle of threats that could cause further damage to your files or system. But in this case it is even more so since you can find a free application developed by malware hunters, which can recover your files. Since downloading and using such tools could be dangerous if you are an inexperienced user, we suggest that you ask someone with proper skills to do so. It may come as a surprise but you do not even need to remove Xpan Ransomware yourself as the main malicious file deletes itself after its dark mission is accomplished. Unfortunately, it leaves behind a bit of a mess which certainly needs your immediate attention though.

This major threat seems to be the newborn child of the infamous Brazilian hacker team who call themselves "TeamXRat" or "CorporacaoXRat." In this case they do not follow suit regarding the distribution of this malicious program. Cyber criminals usually use spam e-mails to deliver their payload to unsuspecting computer users disguised as an image or document attachment. Other crooks also prefer to apply malicious webpages armed with Exploit Kits. If you load such a page in your browser, you can get infected right away since the malicious Java or Flash code runs as soon as you open that page. It is worth knowing that you can avoid such an attack as long as you keep your browsers and drivers regularly updated because these kits can take advantage of older versions. Nevertheless, we cannot confirm that this ransomware uses any of these methods.

Instead, these criminals infect your computer manually by using the Remote Desktop Protocol and brute force to figure out your password. Obviously, if your password is an easy one to crack, it will not take long for these crooks to get in and deactivate your security software, if you have any at all. Then, they can easily copy the malicious executable file onto your system and activate it right away. As an unfortunate consequence, your most precious files will be encrypted in a short time. Of course, figuring out your password may take a while but the problem is that you will not notice anything from this. These crooks can silently attack your computer with a trial-and-error method, which means that they go through all possible variations to get your password right. Sometimes it is also possible that criminals use social engineering techniques first to make you reveal your password or to get some clues out of you. Therefore, you should always be careful with online surveys or phone calls asking you to share personal data. Remember that once a ransomware hits you, removing it will not free your files from being hostages. You need to prevent such a malicious attack from happening if you want to protect your data and your system.

After activation, this malicious program stops certain well-known database services on your system, including "MSSQLSERVER," "postgresql-9.0," and "SSQL$SQLEXPRESS." In addition to this, it also kills a few related tasks, such as "pg_ctl.exe," and "sqlservr.exe." This is necessary for this ransomware to make sure that all possibly important files can be encrypted because if a database is running, some files could not be accessed and ciphered. It seems that this threat targets all your documents, images, databases, and archives, which could be the most important files if you are a corporation storing thousands of or more records. Since this malware addresses the victims in Portuguese language, we can only assume that they mainly attack Brazilian and other Portuguese speaking countries. We have also found that this vicious program does not touch certain file types, including .exe, .dll, .lnk, .bat, .ini, .msi, and .scf. When a file is encrypted with AES-256, it gets a "___xratteamLucked" extension. This infection also places the ransom note text file named "Como descriptografar os seus arquivos.txt" into all folders where files have been encrypted.

When the attack is over, your desktop wallpaper is changed and the ransom note image comes up on your screen so that you will know right away what just hit you. The authors of this attack ask you to send an e-mail to "xRatTeam@mail2tor.com" to get additional information about the ransom fee and payment method if you want to ever use your files again. Any other attempt would result in your losing all your files; at least, this is how they want to make you believe that the only chance for you to get your files back is to pay up. However, we have good news for you. You do not even have to delete Xpan Ransomware because it is done automatically after the encryption. Furthermore, there is a working free file recovery tool on the Internet that you can use to restore your files. Therefore, you should not even consider paying as it would be money down the drain.

Although Xpan Ransomware is one of those rare infections that remove themselves after the attack, it still leaves some unwanted files behind, such as the ransom note text files in your affected folders and there could possibly be more related ones as well. Therefore, we suggest that you use our instructions below as a reference to clean your system properly. If manual detection and removal is out of the question for you, we advise you to use a decent up-to-date anti-malware program, such as SpyHunter to do the dirty job for you and protect your PC automatically from future attacks.

Remove Xpan Ransomware from Windows

1. Press Win+E to launch Windows File Explorer.
2. Locate and bin any suspicious files and leftovers you may find relating to this attack, including the ransom note text file, "Como descriptografar os seus arquivos.txt" in all affected folders.
3. Empty your Recycle Bin.
4. Restart your PC.