
XeroWare Ransomware

By GoldSparrow in Ransomware

The XeroWare Ransomware is an encryption ransomware Trojan built on HiddenTear, an open-source ransomware project that has been active since August 2015. Since its first appearance, HiddenTear has spawned countless variants and has been used widely by criminals to create new encryption ransomware Trojans for their attacks. The XeroWare Ransomware was first observed in July 2018 and, like most of these threats, is used to take the victim's files hostage and demand a ransom to restore access to the victim's data.

What the XeroWare Ransomware Can Do to Your Files

The XeroWare Ransomware is delivered to the victim's computer as a corrupted spam email attachment containing embedded macro scripts that download and install the XeroWare Ransomware. Once delivered, the XeroWare Ransomware works in the background, scanning the victim's computer for user-generated files, which it then encrypts using AES encryption. The XeroWare Ransomware and similar threats may target the following file types in their attacks:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The XeroWare Ransomware makes the encrypted files unusable without the decryption key, and it renames them by appending the file extension '.XERO' to their names. The XeroWare Ransomware delivers a ransom note in the form of a text file named 'XeroWare_ReadME.txt,' which reads as follows:
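The two artefacts described above, the appended '.XERO' extension and the 'XeroWare_ReadME.txt' note, are what an incident responder looks for when scoping an infection. The following Python script is an added example written for this article, not code from the XeroWare Ransomware or from the threat database: it walks a directory tree, collects the renamed files and dropped notes, and tallies the original extensions so the responder can see which data was hit and whether any extension falls outside the target list quoted on the page. The TARGETED_EXTENSIONS set is an assumed subset of that list, and the infected profile it triages is constructed in a temporary directory.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Artefacts described on the page: encrypted files get '.XERO' appended to
# their names, and a ransom note named 'XeroWare_ReadME.txt' is dropped.
ENCRYPTED_SUFFIX = ".XERO"
RANSOM_NOTE_NAME = "XeroWare_ReadME.txt"

# Assumption: a subset of the extension list quoted on the page is enough to
# illustrate the comparison; extend it with the full list for real use.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt",
    ".jpg", ".jpeg", ".png", ".sql", ".bak", ".zip", ".7z",
}


def triage_tree(root):
    """Summarise XeroWare-style artefacts under `root`.

    Returns a dict with:
      encrypted       - sorted paths of files ending in '.XERO'
      notes           - sorted paths of ransom notes
      by_original_ext - Counter of the extension that preceded '.XERO'
      unlisted_ext    - original extensions not in TARGETED_EXTENSIONS
    """
    encrypted, notes = [], []
    by_original_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # Strip the appended suffix to recover the original file name.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                by_original_ext[os.path.splitext(original)[1].lower()] += 1
    unlisted = sorted(e for e in by_original_ext if e not in TARGETED_EXTENSIONS)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "by_original_ext": by_original_ext,
        "unlisted_ext": unlisted,
    }


def build_constructed_tree():
    """Create a temporary directory that mimics an affected user profile.

    Constructed sample data: file contents are placeholder bytes, not real
    encrypted output.
    """
    root = tempfile.mkdtemp(prefix="xero_triage_demo_")
    docs = Path(root, "Documents")
    pics = Path(root, "Pictures")
    docs.mkdir()
    pics.mkdir()
    (docs / "report.docx.XERO").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.XERO").write_bytes(b"\x00" * 16)
    (docs / "scratch.tmp.XERO").write_bytes(b"\x00" * 16)  # not in target list
    (docs / "untouched.txt").write_text("plain file, not renamed")
    (docs / RANSOM_NOTE_NAME).write_text("constructed ransom note placeholder")
    (pics / "holiday.jpg.XERO").write_bytes(b"\x00" * 16)
    (pics / RANSOM_NOTE_NAME).write_text("constructed ransom note placeholder")
    return root


if __name__ == "__main__":
    result = triage_tree(build_constructed_tree())
    print(f"{len(result['encrypted'])} encrypted files, "
          f"{len(result['notes'])} ransom notes")
    print("by original extension:", dict(result["by_original_ext"]))
    print("extensions outside the page's target list:", result["unlisted_ext"])
```

Run against a mounted image or a live profile, the per-extension tally tells you which data classes need restoring from backup, and a non-empty `unlisted_ext` is a hint that the sample in hand differs from the variant the page describes.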

'Your files have been encrypted and your computer has been infected with XeroWare Ransom 1.2.
1) What Should I do?
A: Pay the specific amount we are asking from you in order to decrypt your files.
2) Can i try to remove the malware?
A: If you try anything your files will be removed, YOU have been WARNED.
3) How can i pay in order to decrypt my files ?
A: Copy the provided btc address and send the money.
4) How do i verify my payment?
A: You provide the payment transaction ID and you click confirm transaction.
5) What will happen if the payment transaction is not valid?
A: If you try to provide anything alike to fake or not valid your files will be destroyed permanently.
6) I have paid and verified my transaction how do i decrypt my files?
A: If you have paid and verified your transaction just simply click the decrypt button and everything will revert back to normal.
You have 96 hours in order to complete that task, otherwise your files will be destroyed.
Time has already started…'

Dealing with Threats Like the XeroWare Ransomware

If the XeroWare Ransomware has compromised your data, it is important to remove the XeroWare Ransomware from your computer. The attackers ask for a ransom of several hundred dollars. Because of this, it is important to take precautions in advance so that the files affected by the XeroWare Ransomware can be restored immediately. Keeping file backups on a cloud service or an external storage device is the best precaution against threats like the XeroWare Ransomware.
