Severity scale:  
  (99/100)

Xorist ransomware virus. How to remove? (Uninstall guide)

removal by Alice Woods - - | Type: Ransomware

Xorist – a file-encrypting virus that keeps getting new updates in 2018

Xorist ransomware version
Xorist is a file-encrypting virus that has been updated a couple of times since the release in 2016

Questions about Xorist ransomware virus

Xorist is a ransomware-type virus that was created to rely on Encoder Builder v.24 from [Pastorok][1] to lock victims' data. It emerged in 2016, and it is still active. However, during the past two years the malware has been especially persistent – at the moment it is using .PrOtOnIs and .PrOtOnIs.VaNdElIs file extensions. There are about 14 different versions of the virus in total. To encrypt users' files, all members of this ransomware family have been using the same encryption strategy. Typically, they rely on XOR or TEA cryptography, but each version might append unique file extension and deliver a ransom note in the text file where victims are asked to transfer a specific amount of Bitcoins for data recovery. 

Name Xorist
Type Ransomware
Versions Team Xrat, XPan, Zixer2, Imme, AvastVirusinfo, Crypto1CoinBlocker, Hello, Cerber_RansomWare@qq.com, Cryptedx, Xorist-Frozen, Xorist-XWZ, PrOtOnIs,.PrOtOnIs.VaNdElIs.
Danger level High (initiates unauthorized system's changes and can cause permanent data loss)
Detection 2016 (actively spreads up until now)
Distribution Malspam, exploit kits, drive-by-download, fake software updates, 
Symptoms Most of the personal files appended with a Xorist related file extension (the list down below), .txt file as a ransom note available on the desktop, the system runs slower, multiple suspicious files misusing CPU resources, etc. 
Encryption methods XOR and TEA
Redeem size Varies from 0.3 to 2 Bitcoins
Decryptable Yes. A free Xorist decrypter is available, but it may not be capable of decrypting the newest versions
Elimination Automatic. Install a professional anti-malware and run a deep scan with it. Our recommendation is Reimage.

Previously, the virus was appending .DATA_IS_SAFE_YOU_NEED_TO_MAKE_THE_PAYMENT_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_LOST_FOREVER_PLEASE_BE_REZONABLE_IS_NOT_A_JOKE_TIME_IS_LIMITED extension to target files on victim's computer. In June 2018, researchers reported about a version of the Xorist malware which appends a long file extension to each of the targeted document, picture or other targeted files:

.PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT

When all data is locked, it delivers a ransom note in the same READ ME FOR DECRYPT.txt. file where victims are asked to contact them via repair_data@scryptmail.com and pay 0.8 Bitcoin for Cerber decryption software. However, paying the ransom is not recommended. It's clear that creators of malware are just trying to make as much illegal money as possible by developing new versions of the same virus.

A couple of months ago, in the second half of March 2018, Xorist-XWZ version appeared. It uses XOR, cipher and appends .xwz  file extension to each encrypted file. Upon encryption, the victim is presented with a ransom note READ ME FOR DECRYPT.txt. Recently, experts announced about PrOtOnIs file virus which is capable of corrupting 111 file types, including: 

.1cd, .3gp, .7z, .a06, .ac3, .aleta, .aol, .ape, .arena, .aspx, .avi, .b64, .bak, .bd, .bmp, .cdr, .cer , .csv, .dat, .db, .dbf, .divx, .djvu, .dl0, .dl1, .dl2, .dl3, .dl4, .dl5, .dl6, .dl7, .dl8, .dl9,. doc, .docx, .dwg, .flac, .flv, .frf, .gdb, .gif, .gzip, .htm, .html, .ibk, .ifo, .jpeg, .jpg, .kwm, .ldf, .lnk, .m2v, .max, .md, .mdb, .mdf, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .mt0, .mt1, .mt2, .mt3, .mt4 , .mt5, .mt6, .mt7, .mt8, .mt9, .net, .odt, .p12, .pdf, .pfx, .png, .ppt, .pptx, .ps1, .psd, .pwm,. .wk, .wk1, .wk2, .wk3, .wk4, .wk5, .wk6, .wk7, .wk8, .wk9, .wma, .wmv, .xls, .xlsm, .xlsx, .xml, .zip.  

All extensions that it has ever used were included to this list:

  • .antihacker2017;
  • .pa2384259;
  • .hello;
  • .brb;
  • .RusVon;
  • .fast_decrypt_and_protect@tutanota.com;
  • .xdata;
  • .SaMsUnG;
  • .zixer2;
  • .error;
  • .errorfiles;
  • .@EnCrYpTeD2016@;
  • .encoderpass;
  • .fileiscryptedhard;
  • .6FKR8d;
  • .EnCiPhErEd;
  • .73i87A;
  • .p5tkjw;
  • .PoAr2w;
  • .PrOtOnIs;
  • .PrOtOnIs.VaNdElIs;
  • .ava;
  • .xwz.

As you can see, the virus has been updated numerous times. One of the previous versions that manifested at the beginning of February 2018 is dubbed as Xorist-Frozen. It appends .frozen_service_security@scryptmail.com file extension, generates HOW TO DECRYPT FILE.TXT ransom note, and demands a ransom for a decryptor.

Xorist virus ransom note
Xorist ransomware demands to pay the ransom for data recovery.

In comparison to other ransomware viruses, Xorist employs a quite strange communication method. The victims of the original ransomware virus have to send the SMS message to the provided numbers instead of using the Bitcoin payment system.[2] 

When the developer of the virus supposedly sends a unique decryption password for the victim. The victim needs to enter this password into a Password Prompt, and then the files should be decrypted. However, the number of attempts to enter the password is limited by the creator of the virus. If the victim exceeds the number of attempts to type in the right password, user’s data is doomed.

Xorist malware spreads via spam
Xorist malware spreads via malicious spam emails.

In the meanwhile, one of Xorist ransomware's versions, called Frozen virus, does not intimidate people by the number of an excessive number of attempts to enter the code. The victim is informed that the server will destroy the key within 36 hours after the encryption, but the payment has to be transferred within 24 hours. However, instead of listening to hackers, make sure to remove Xorist completely. 

Following these orders is neither necessary nor recommended[3] because ransomware is already decryptable. Even its latest variant Cryptedx ransomware can be beaten. Thanks to security researchers, you can use free software to recover corrupted data. However, before using this tool, you should remove Xorist ransomware from the computer using Reimage, Plumbytes Anti-MalwareMalwarebytes Malwarebytes, or another anti-malware.

Variants of Xorist virus

Team Xrat ransomware

Team Xrat version was discovered on August 2016. It has been targeting Portuguese[4] computer users by encrypting files with RSA-2048 encoding system and hiding the decryption key. Malware appends .C0rp0r@c@0Xr@ file extension to the encrypted dataand delivers a ransom note “Como descriptografar seus arquivos.txt.”

Victims are told to contact authors of this virus via corporacaoxrat@protonmail.com email address and learn how to obtain the decryptor. However, doing that is unnecessary because ransomware can be decrypted for free with Team Xrat decryption tool.

XPan ransomware

XPan ransomware emerged in September 2016. It uses AES-256 encryption and appends either .____xratteamLucked and .one file extensions. The unique feature of the ransomware is that after infiltration it check the default language of the computer.

The ransom-demanding message does not inform how much Bitcoins victims have to transfer. However, some people claim that they were asked to pay 0.3 BTC. However, this piece of crypto-malware is poorly written, and users can recover their files for free after XPan removal.

Zixer2 ransomware

Zixer2 ransomware variant of the Xorist uses Tiny Encryption Algorithm and appends .zixer2 file extension. Following data encryption, it delivers a ransom note in HOW TO DECRYPT FILES.TXT file. Here victims are asked to contact cybercriminals via datares@india.com email address.

It’s unknown how much money crooks ask in exchange for the decryption key. However, victims do not need to waste their time chatting with hackers. Once the malware is wiped out from the system, people can recover their files with Xorist Decrypter.

Imme ransomware virus

Imme ransomware is using XOR encryption algorithm and is appending .imme or .imme.teras.completecrypt file extensions to the target data. In the ransom note, hackers are demanding 2 Bitcoins which should be paid within 72 hours. However, the data recovery tool might not work. The threatening message also reveals unique user’s ID that victims have to send supfiles@inbox.im or supfiles@gmx.com as soon as they pay the ransom. However, just like the other variants of Xorist, this one is also decryptable.

AvastVirusinfo ransomware

Avastvirusinfo variant aims at Russian-speaking computer users. It appends .[8 random chars] extension to each of the targeted file after the encryption procedure and installs a ransom note called “КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt,” Here crooks ask to contact them via avastvirusinfo@yandex.com and pay only $15.Nevertheless, the ransom is small; there’s no need to pay it because ransomware is decryptable for free.

Crypto1CoinBlocker ransomware

Crypto1CoinBlocker malware uses RSA-2048 cryptography to encode files on the affected computer. When all data is encrypted, ransomware delivers a pop-up window with a ransom-demanding message. The same data recovery instructions are provided in the HOW TO DECRYPT FILES.txt file too.

Cybercriminals ask to transfer 1 Bitcoin to the provided wallet address. What is interesting, that Bitcoin wallet address is the same as the appended file extension – .1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy. However, paying the ransom is not recommended. After Crypto1CoinBlocker removal, users are advised to try alternative recovery methods.

Hello ransomware

Hello cryptovirus emerged in August 2017. Malware spreads and is executed from the iji.exe file. Once this file is run on the system, it starts scanning the system and looking for the targeted files. To all of the encrypted data it appends .HELLO file extension.

The virus also delivers a pop-up window informing about encrypted data. What is more, it also installs a ransom note called HOW TO DECRYPT FILES.txt where victims are asked to transfer 0.05 BTC to the provided address. Users are given 12 hours to complete this task. After the deadline, the price will double. However, after 24 hours, corrupted files are said to be deleted.

.Cerber_RansomWare@qq.com 

Despite the reference to the notorious Cerber ransomware, the malware happens to be another version of Xorist virus. It is a common technique among cybercriminals to threaten users with more menacing virtual threats. On the other hand, this malware is still capable of encoding users' files, appending .cerber_RansomWare@qq.com extension and demanding ransom.

The malware is still under development, so it only presents demands in HOW_TO_DECRYPT.txt file. No specific sum of ransom is indicated. Users should not consider paying the ransom as they might make use of free Xorist Decrypter.

Cryptedx ransomware 

Cryptedx is one of Xorist's versions which has already been detected by 53 security software vendors as dawdawd.exe. Fortunately, just like previous its versions, it can be decrypted with the help of Emsisoft decrypter.

When infected, you can find that all of your files are inaccessible. Besides, their endings will be changed to .cryptedx file extension. In this case, you should ignore the warning message which is also dropped by malware developers, and remove Cryptedx ransomware from the system. Then, move on to files' recovery guide posted at the end of this description.

Frozen ransomware

Xorist-Frozen version was detected at the beginning of February 2018. According to the latest reports, the ransomware is very similar to its predecessors. It uses XOR file encryption algorithm and creates a HOW TO DECRYPT FILES.txt ransom note. Currently, the file extension appended to the encrypted files is not known. 

Frozen ransomware is asking 0.5 BTC ransom, which is currently equal to 3400 USD. Extortionists claim that all locked files will be removed from the server within 34 hours after the encryption.

In comparison to its predecessor's communication method, this version has switched from the SMS to email, so people who opt for a unique decryption code has to send a code to frozen_service_security@scryptmail.com. Based on the prevalence of the virus, it's oriented toward English-speaking countries. 

Security experts haven't developed a Xorist-Frozen decryptor. Therefore, there's only one way out – to remove the virus with a professional anti-virus and then try to decrypt data using the methods given at the end of this post. 

XWZ Ransomware

Xorist keeps changing and reappearing with new versions. XWZ was detected in the second half of March 2018 by a group of ransomware researchers. This variant uses XOR encryption algorithm to render personal victim's files useless.

Xorist-XWZ virus is capable of attacking 111 file types. Upon successful unravel of ransomware payload, most of the files on the infected PC get a .xwz file extension. Besides, the virus manifests a ransom note in the form of a text file READ ME FOR DECRYPT.txt. The ransomware is oriented to English-speaking users since it's not translated into any other language:

All your files are encrypted using an unknown algorithm!
Do not try decrypt manualy!
You can destroy your files!!
To decrypt, please contact us BlackStarMafia@qq.com
Your personal ID: IN1O-2OYU-O98O-K1JJ
How to buy Bitcoins?
https://blockchain.info/ru/wallet/how-to-get-bitcoins

Just like its other versions, the virus circulates on the Internet with the help of various social engineering strategies. However, malspam campaigns are considered the most active techniques to promote this malware. It can attack PCs via unprotected RDP configuration, drive-by-download attacks, fake software updates, and similar stealthy methods. Unfortunately, a free Xorist-XWZ decryptor is not available. 

In June 2018, another version of Xorist appeared. The virus adds a long file extension to the targeted files:

.PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT

When all files are locked, it creates a ransom note called READ ME FOR DECRYPT.txt that contains the following information:

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
DON'T WORRY YOUR FILES ARE SAFE.
TO RETURN TO NORMALLY YOU MUST BY THE CERBER DECRYPTOR PROGRAM.
PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.

Furthermore, attackers provide instructions on how to make a transaction in Bitcoins and provide a specific wallet address where people have to send 0.8 BTC. They also leave a contact email address repair_data@scryptmail.com for those who need more information. However, it is not recommended to deal with these people. It's better to remove Xorist from the PC and try alternative recovery methods explained at the end of the article.

Following cyber security tips to prevent ransomware attack

Cybercriminals have been using various techniques to spread this virus, such as malicious spam emails, malvertising, fake or illegal downloads, etc. However, by following a few simple rules, you can reduce the risk of getting a computer virus.

  1. First of all, never open emails that come from unknown senders. In addition to that, avoid reading emails that fall into the “Spam” category. Sending viruses and trojans via email is one of the most popular ways to distribute malicious computer viruses.[5]
  2. Do not click on suspicious content while you browse the Internet. If you see doubtfully reliable ads or banners that claim you have won millions or that you are the lucky visitor, ignore them. Such ads are deceptive.
  3. Download files only from trustworthy web sources. Besides, you should save them to your computer system instead of running/opening them immediately. It gives your computer security software some time to scan the file and test its reliability.
  4. Backup your files. It is a must! If you do not know why you should do that, please read this post – Why do I need backup and what options do I have for that?
  5. Protect your computer with a trustworthy anti-spyware or anti-malware software. 

Get rid of Xorist virus and recover your files without paying the ransom

Before you try to decrypt your files, you must remove Xorist ransomware from your computer. You can easily find all files that are related to this malware with the help of Reimage, Malwarebytes MalwarebytesCombo Cleaner or similar security software. If you noticed that the virus blocks your attempts to start any of these programs to prevent its removal from the system, you should follow a detailed removal guide given below that is filled with two different methods that could help you unblock your remover.

Xorist decryptor
Xorist (some versions) is decryptable ransomware virus.

After Xorist removal, you can recover your files using the official decryption software or try alternative recovery methods. Links and detailed explanation how to use these tools are presented below. 

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Xorist virus, follow these steps:

Remove Xorist using Safe Mode with Networking

If you cannot run security software or malware blocks its installation, please follow these steps to disable the virus:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Xorist

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Xorist removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Xorist using System Restore

This method also helps to run automatic ransomware removal

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Xorist. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Xorist removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Xorist from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Xorist, you can use several methods to restore them:

Rely on Data Recovery Pro to recover your files encrypted by Xorist ransomware

Data Recovery Pro is a widely known tool to recover files that were lost. If you want to try it, follow the guide below:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Xorist ransomware;
  • Restore them.

Take advantage of Windows Previous versions feature

If System Restore has been enabled before ransomware attack and you need to recover only few files, you should take advantage of this Windows feature. It allows copying previously saved variants of encrypted files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Recover files using ShadowExplorer

ShadowExplorer is an additional tool that helps to restore files from Shadow Volume Copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use Xorist decrypter presented by security experts to recover your encrypted files

Security experts from Emsisoft created Xorist decrypter. You can use this tool to unblock your files for free.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Xorist and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions

References