xDec Ransomware

During a malware analysis, researchers encountered the xDec Ransomware, which poses a significant threat. This harmful software encrypts files on targeted devices, rendering them inaccessible and unusable to their owners. As part of its operation, the xDec Ransomware alters the original filenames of the encrypted files and generates two ransom notes named 'info.txt' and 'info.hta.' Additionally, it appends specific identifiers, including the victim's ID, an email address ('x-decrypt@worker.com'), and the extension '.xDec,' to the filenames. For example, a file originally named '1.pdf' would be transformed into '1.pdf.id[9ECFA74E-3449].[x-decrypt@worker.com].xDec,' while '2.jpg' would become '2.jpg.id[9ECFA74E-3449].[x-decrypt@worker.com].xDec,' and so on.
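The renaming scheme above is a reliable triage signal: any file whose name ends in `.id[<victim ID>].[<e-mail>].xDec` was touched by the ransomware. The following added example (not code from the original article or from any analysis of the sample) parses that pattern from a constructed directory listing, extracts the victim ID and contact address, and checks for the two ransom-note filenames; it captures the e-mail and trailing extension generically, on the assumption that the same layout applies to other Phobos-family variants.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional, Iterable

# Layout described for xDec: <original name>.id[<victim ID>].[<contact e-mail>].xDec
# The victim ID is matched as 8 hex digits, a dash, and 4 hex digits, as in the
# article's example '9ECFA74E-3449'. E-mail and extension are captured generally
# (assumption: other Phobos variants use the same layout with a different suffix).
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

RANSOM_NOTE_NAMES = {"info.txt", "info.hta"}  # names given in the article


class EncryptedName(NamedTuple):
    original: str
    victim_id: str
    email: str
    ext: str


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the parsed components if `name` follows the Phobos layout, else None."""
    m = PHOBOS_NAME_RE.match(name)
    return EncryptedName(**m.groupdict()) if m else None


def summarize(names: Iterable[str]) -> dict:
    """Triage a directory listing: count encrypted files, collect IDs/e-mails,
    and flag whether both ransom-note files are present."""
    names = list(names)
    by_original = defaultdict(list)
    ids, emails, exts = set(), set(), set()
    for n in names:
        parsed = parse_encrypted_name(n)
        if parsed is None:
            continue
        by_original[parsed.original].append(n)
        ids.add(parsed.victim_id)
        emails.add(parsed.email)
        exts.add(parsed.ext)
    return {
        "encrypted_count": sum(len(v) for v in by_original.values()),
        "victim_ids": ids,
        "contact_emails": emails,
        "extensions": exts,
        "ransom_notes_present": RANSOM_NOTE_NAMES.issubset(set(names)),
    }


# Constructed listing for demonstration only; not data from a real infection.
SAMPLE_LISTING = [
    "1.pdf.id[9ECFA74E-3449].[x-decrypt@worker.com].xDec",
    "2.jpg.id[9ECFA74E-3449].[x-decrypt@worker.com].xDec",
    "report.final.docx.id[9ECFA74E-3449].[x-decrypt@worker.com].xDec",
    "info.txt",
    "info.hta",
    "notes.xDec",  # bare suffix without the ID/e-mail segments: not the described layout
]
```

Run `summarize(SAMPLE_LISTING)` to see three encrypted files, one victim ID, one contact address, and both ransom notes flagged; the bare `notes.xDec` entry is deliberately not counted.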

Security experts have identified the xDec Ransomware as a variant associated with the Phobos Ransomware family, indicating a potentially organized and persistent threat actor behind its distribution and operation.

The xDec Ransomware Leaves Victims Unable to Access Their Own Files

The ransom note associated with the xDec Ransomware provides detailed instructions and warnings to victims regarding the encryption of their files and the steps required for potential restoration. It begins by informing victims that their files have been encrypted due to a security flaw in their computer system. It supplies an email address, 'x-decrypt@worker.com,' for victims to reach out to in order to start the file recovery process. The note specifies that victims must include a unique ID in the subject line of their email.

In the event that victims do not receive a response within 24 hours, the note advises them to contact an alternative email address, 'x-decrypt@hackermail.com.' Payment for decryption services is exclusively accepted in Bitcoins, and the ransom amount is contingent upon the promptness of the victim's contact with the attackers.

To alleviate concerns, the note offers the decryption of up to three files at no charge, albeit with certain limitations on file size and content. It strongly advises against renaming encrypted files or utilizing third-party decryption software, cautioning that these actions could result in irreversible data loss or an escalation of the ransom amount. Furthermore, the note warns against engaging third-party decryption services, as they may inflate costs or engage in fraudulent activities.

Beyond file encryption, the xDec Ransomware poses a multifaceted threat: it disables firewalls, leaving systems exposed to further malicious activity, and it systematically deletes the Shadow Volume Copies, hindering potential file recovery efforts. Additionally, xDec can collect location data and establishes persistence so that it remains active on the system and can evade certain security measures.

Boost the Security of Your Devices and Data against Ransomware Threats

Boosting the security of devices and data against ransomware threats involves implementing a comprehensive approach that combines preventive measures, proactive monitoring, and responsive actions. Here are some key steps users can take:

  • Keep Software Updated: Regularly update operating systems, software applications, and anti-malware programs to patch vulnerabilities and protect against known exploits. Many ransomware attacks exploit outdated software.
  • Use Strong Passwords: Create strong, unique passwords for all of your accounts, including email, social media, and online banking. Consider using a password manager to generate and store strong passwords securely.
  • Enable Two-Factor Authentication (2FA): Implement 2FA wherever possible to add a layer of security to your accounts. This ensures that even if a password is compromised, an additional verification step is required for access.
  • Be Extra Cautious with Email Attachments and Links: Be watchful of unsolicited emails, especially those containing attachments or links from unknown senders. Avoid clicking on dubious links or downloading attachments from emails that seem suspicious or unexpected.
  • Back Up Data Regularly: Maintain regular backups of essential files and data on an offline storage device or cloud service. Ensure that these backups are stored securely and are not directly reachable from the network, so that they cannot be encrypted or corrupted during a ransomware attack.
  • Implement Network Security Measures: Use firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and filter network traffic for suspicious activity. Segment your networks to limit the spread of ransomware in the event of a breach.
  • Educate Users: Provide training and awareness programs to educate users about the risks of ransomware and how to identify potential threats. Teach them to recognize phishing emails, suspicious links, and other common tactics used by cybercriminals.
  • Deploy Endpoint Protection: Install reputable security software on all devices, including computers, laptops, and mobile devices. These solutions can detect and block ransomware threats in real time and provide additional layers of defense.

By following these measures, users can significantly enhance the security of their devices and data, reducing the likelihood of falling victim to ransomware attacks.

The main ransom note of the xDec Ransomware delivers the following demands:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail x-decrypt@worker.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:x-decrypt@hackermail.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins

You can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'