Proton (Xorist) Ransomware
Cybersecurity researchers have brought to light the Proton Ransomware, a threat that falls within the category of ransomware. This type of malware operates by encrypting data on the victim's system and then demanding a ransom in exchange for the decryption key. The Proton Ransomware appends a '.PrOToN' extension to the names of the encrypted files. For instance, a file originally named '1.jpg' becomes '1.jpg.PrOToN' after encryption. The same pattern applies to every file locked by the ransomware.
In addition to the encryption process, the Proton Ransomware takes further actions to deliver the demands of the attackers. It alters the desktop wallpaper to display a message related to the ransomware attack. Furthermore, the ransomware creates ransom notes that are consistent across multiple mediums: a pop-up window, the modified desktop wallpaper and a text file named 'HOW TO DECRYPT FILES.txt.'
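The two file-system indicators described above (the '.PrOToN' suffix and the 'HOW TO DECRYPT FILES.txt' note) are enough to scope which directories were hit. The following triage script is an added example, not part of the original write-up; the function names, the case-insensitive matching and the sample tree are assumptions made for illustration:

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the description above.
ENCRYPTED_SUFFIX = ".PrOToN"
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"


def scan_tree(root):
    """Walk root and return per-directory findings for the two indicators."""
    findings = defaultdict(lambda: {"encrypted": [], "note": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Assumption: compare case-insensitively, as Windows file systems do.
            if name.lower().endswith(ENCRYPTED_SUFFIX.lower()):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                if original:  # skip a file named exactly ".PrOToN"
                    findings[dirpath]["encrypted"].append(original)
            elif name.lower() == RANSOM_NOTE_NAME.lower():
                findings[dirpath]["note"] = True
    return dict(findings)


def summarize(findings):
    """Return (total encrypted files, directories holding a ransom note)."""
    total = sum(len(f["encrypted"]) for f in findings.values())
    noted = sorted(d for d, f in findings.items() if f["note"])
    return total, noted


def build_sample_tree(root):
    """Constructed sample data: empty files named like the page's example."""
    for rel in ("pics/1.jpg.PrOToN", "pics/2.png.PrOToN", "docs/report.docx",
                "docs/HOW TO DECRYPT FILES.txt", "docs/notes.txt.proton"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_tree(tmp)
        total, noted = summarize(result)
        print(f"{total} encrypted file(s); ransom note in: {noted}")
        for directory, f in sorted(result.items()):
            print(directory, sorted(f["encrypted"]), "note" if f["note"] else "")
```

Pointing `scan_tree` at a mounted share or a forensic image yields the list of original file names per directory, which can be compared against the backup catalogue before restoring.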
It should be noted that an earlier ransomware threat has also been tracked under the name Proton. This new strain is completely different, however, as it belongs to the Xorist Ransomware family.
The Proton (Xorist) Ransomware Locks a Wide Range of Files and Demands Ransom
The messages generated by the Proton (Xorist) Ransomware notify victims that their files have been encrypted and that the only way to regain access to them is to pay a ransom to the attackers. The specified ransom is 0.045 BTC (Bitcoins), an amount worth approximately 1300 USD. However, cryptocurrency exchange rates fluctuate constantly, so the exact sum could vary. The ransom notes assure victims that, once the payment is made, they will receive the necessary decryption keys and associated software.
In the majority of scenarios, data encrypted by ransomware cannot be restored without direct involvement from the cybercriminals. Free decryption is rarely possible and is typically limited to ransomware threats that exhibit significant weaknesses and flaws.
Victims should keep in mind that there are no guarantees that the attackers will provide them with the promised decryption tools, even if the ransom demands have been met. That is why experts strongly discourage any consideration of complying with the ransom demands. Such payments not only fail to guarantee data recovery but also contribute to the perpetuation of this illicit and unlawful activity.
Removing the Proton (Xorist) Ransomware from the operating system will stop it from encrypting any additional files. Regrettably, removal will not restore data that has already been encrypted.
Make Sure that Your Data and Devices are Sufficiently Protected
Safeguarding data and devices from ransomware attacks necessitates a comprehensive and vigilant approach. Here are the key steps that users can implement to bolster their defenses against these malicious threats:
- Regular Data Backups: Consistently back up all critical data to an external device or secure cloud storage. Scheduled backups ensure that even if ransomware strikes, you can restore your files from a clean backup.
- Install Reliable Security Software: Employ reputable anti-malware software. Keep it up to date to identify and thwart ransomware attacks in real time.
- Update Software Regularly: Ensure that operating systems, applications, and security software are frequently updated with the latest patches. These patches often address security vulnerabilities that attackers could exploit.
- Exercise Caution with Emails: Be cautious when handling email attachments or links, especially from unfamiliar senders. Ransomware can spread through malicious attachments or links in phishing emails.
- Use Strong, Unique Passwords: Create hard-to-break, distinctive passwords for all of your accounts, and consider using a password manager to handle them securely. Strong passwords thwart unauthorized access.
- Enable Two-Factor Authentication (2FA): Activate 2FA wherever possible to introduce an extra layer of security beyond passwords.
- Disable Macros: Turn off macros in documents and enable them only if necessary. Macros are frequently used to deliver ransomware.
- Stay Informed: Keep up with the latest ransomware trends and cybersecurity best practices. Knowledge about evolving threats helps you adapt your defenses.
By following these proactive steps, users can significantly lessen the risk of falling victim to ransomware attacks and safeguard their data and devices against the potentially devastating consequences of such attacks.
The ransom notes delivered to the victims of the Proton (Xorist) Ransomware contain the following message:
All your files have been encrypted
if you want to decrypt them you have to pay me 0.045 bitcoin.
Make sure you send the 0.045 bitcoins to this address:
If you don't own bitcoin, you can easily buy it from these sites:
You can find a larger list here:
After sending the bitcoin, contact me at this email address:
firstname.lastname@example.org with this subject: -
After the payment has been confirmed,
you will get decryptor and decryption keys!
You will also receive information on how to defend against another ransomware attack
and the most important thing is your security hole through which we entered.
Do not try other cheaper decryption options because nobody and nothing can
decrypt your files without the keys generated for your server,
you will lose time, money and your files forever!