
XHAMSTER Ransomware

The XHAMSTER Ransomware threat is being used by cybercriminals to lock the data of their victims. The XHAMSTER Ransomware is a new variant of the Phobos Ransomware. The strong encryption algorithm utilized by XHAMSTER ensures that the affected files will be nearly impossible to restore without the assistance of the hackers, or more specifically, without the decryption keys that only they possess.

Once activated on the compromised device, XHAMSTER will affect a wide range of file types, including the victim's documents, photos, PDFs, archives, databases and many more. As part of its actions, the ransomware also will modify the original names of the locked files significantly. First, it will add an ID string generated for the particular victim. Next, the threat will add the ICQ account of the attackers (ICQ@xhamster2020). Finally, '.XHAMSTER' will be appended as a new file extension.

Victims of the threat will be presented with two ransom notes. One will be contained inside a newly generated text file named 'info.txt.' The other will be displayed in a pop-up window created from an 'info.hta' file. The instructions in both places are identical.
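The renaming scheme and ransom note names described above are the most visible indicators a responder has when triaging a file share or a backup listing. The following Python script is an added example, not code from the original page or from any vendor; it recognises files that carry the victim ID, the ICQ@xhamster2020 handle and the .XHAMSTER extension, locates info.txt and info.hta notes, and groups hits by victim ID so an analyst can see which hosts were affected and which original file names need to be restored from backup. The page only gives the order of the three appended parts (ID, ICQ handle, extension); the id[...] and [...] punctuation in the pattern below is an assumption, and the file listing is constructed for the example.

```python
"""Triage helper: recognise XHAMSTER-style renamed files and ransom notes in a listing."""
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Markers stated on the page: the attackers' ICQ handle and the appended extension.
CONTACT_MARKER = "ICQ@xhamster2020"
EXTENSION = ".XHAMSTER"
# Ransom note file names stated on the page.
NOTE_NAMES = frozenset({"info.txt", "info.hta"})

# Assumed layout of a renamed file (the page gives the order ID -> ICQ handle -> extension;
# the "id[...]" and "[...]" punctuation is an assumption made for this example):
#   <original name>.id[<victim id>].[ICQ@xhamster2020].XHAMSTER
RENAMED = re.compile(
    r"^(?P<original>.+?)"                      # original file name, including its extension
    r"\.id\[(?P<victim_id>[^\]]+)\]"           # per-victim ID string
    r"\.\[" + re.escape(CONTACT_MARKER) + r"\]"  # attackers' contact handle
    + re.escape(EXTENSION) + r"$"              # new extension
)

# Constructed sample listing (not real data) of a user profile after infection.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx.id[1A2B3C4D-2275].[ICQ@xhamster2020].XHAMSTER",
    "C:/Users/alice/Documents/info.txt",
    "C:/Users/alice/Pictures/holiday.jpg.id[1A2B3C4D-2275].[ICQ@xhamster2020].XHAMSTER",
    "C:/Users/alice/Pictures/info.hta",
    "C:/Users/alice/Desktop/report.pdf.XHAMSTER",   # marker present but layout differs
    "C:/Users/alice/Documents/notes.txt",           # untouched file
]


def classify(path: str) -> dict:
    """Label one path as encrypted, note, suspicious or clean; extract ID and original name."""
    name = PurePosixPath(path).name
    match = RENAMED.match(name)
    if match:
        return {"kind": "encrypted", "path": path,
                "victim_id": match.group("victim_id"),
                "original": match.group("original")}
    if name.lower() in NOTE_NAMES:
        return {"kind": "note", "path": path}
    if name.endswith(EXTENSION) or CONTACT_MARKER in name:
        # Partial match: the markers are there but the layout is not the assumed one,
        # so flag it for an analyst instead of silently ignoring it.
        return {"kind": "suspicious", "path": path}
    return {"kind": "clean", "path": path}


def triage(paths) -> dict:
    """Summarise a listing: originals per victim ID, note locations, partial matches."""
    report = {"victims": defaultdict(list), "notes": [], "suspicious": [], "clean": 0}
    for path in paths:
        entry = classify(path)
        if entry["kind"] == "encrypted":
            report["victims"][entry["victim_id"]].append(entry["original"])
        elif entry["kind"] == "note":
            report["notes"].append(entry["path"])
        elif entry["kind"] == "suspicious":
            report["suspicious"].append(entry["path"])
        else:
            report["clean"] += 1
    report["victims"] = dict(report["victims"])
    # A host is treated as infected when either renamed files or ransom notes are present.
    report["infected"] = bool(report["victims"]) or bool(report["notes"])
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print("infected:", result["infected"])
    for victim_id, originals in result["victims"].items():
        print(f"victim ID {victim_id}: restore {len(originals)} file(s) -> {originals}")
    print("ransom notes:", result["notes"])
    print("needs analyst review:", result["suspicious"])
```

Grouping by victim ID matters in practice because the ID is generated per victim: in an environment with several affected machines, the set of IDs seen on a file server tells the responder how many infected hosts wrote to it, and the recovered original names give the restore list for the backup operator.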

Demands Overview

The ransom-demanding message of the threat doesn't specify the exact sum that victims are expected to pay as ransom. However, it is stated that the amount will be based on how fast affected users establish contact with the attackers. Furthermore, only payments made using the Bitcoin cryptocurrency will be accepted. The note also instructs victims that they can send up to 5 files to be decrypted for free, likely as a demonstration of the hackers' ability to unlock all of the affected data. The total size of the chosen files must not exceed 3MB in non-archived form and they should not contain any important or valuable information. To receive additional details, victims of the threat are directed toward contacting the same ICQ account found in the names of the encrypted files.

What does XHAMSTER Ransomware look like?

XHAMSTER Ransomware uses a carefully worded ransom note that makes rather forceful demands and gives instructions for supposedly restoring the files it has encrypted. Moreover, XHAMSTER Ransomware instructs victimized computer users not to rename the encrypted files or use third-party software to decrypt the data. Lastly, the message explains that victims will have to pay for the decryption in Bitcoins, a common method of payment that makes it harder to track or catch the hackers behind XHAMSTER as they spread the malware and extort money from victimized computer users.

Image: example of the XHAMSTER Ransomware ransom note and alert message

The full set of instructions left by XHAMSTER Ransomware is:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, install ICQ software on your PC here hxxps://
or on mobile phone from Appstore/Google Play Market search for "ICQ"
Write to our ICQ @xhamster2020 hxxps://
Write this ID in the title of your message -
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Be assured we are the only people who can recover your files and there is no free tool.'

Where does XHAMSTER Ransomware come from and how to prevent future infections

The XHAMSTER Ransomware threat belongs to a more aggressive class of malware. XHAMSTER is considered a prevalent and demanding type of ransomware, partly because it may be spread through questionable downloaded software or software installation bundles. Furthermore, when XHAMSTER renames encrypted files it appends the developer's contact information and a new file extension. Such files become inaccessible and force computer users to find a solution for them, either through decryption or by restoring them from a backup copy. In our assessment and technical analysis, it was found that files encrypted by XHAMSTER cannot be decrypted by any available third-party resources, leaving computer users with very few options.

Just like many other ransomware threats, XHAMSTER can spread efficiently and effectively through spam email attachments such as PDF documents, ZIP files, RAR files, .exe executable files, JavaScript files and even malicious Microsoft Office documents. In other instances, XHAMSTER comes from unreliable sources on the Internet or hacked websites that offer software downloads that turn out to be bogus, or fake software activation tools (software cracks) and similar resources. Many of these websites are designed to look legitimate or like a "trusted" source to trick computer users into downloading their files or software.

Many malicious downloads that infect computers with XHAMSTER Ransomware contain a nasty payload or Trojan horse that may load on a vulnerable computer without giving any indication to the computer user or administrator. Many times, these are the worst cases of infecting a computer with XHAMSTER as the user later discovers the threat through its ransom notification, which means it’s too late to stop XHAMSTER Ransomware in its tracks.

Computer users are recommended to avoid the download of questionable software files or installation bundles from third-party sources or ones that have unwanted content. These sources thrive on gullible computer users as do spam emails that contain malicious attachments. Such emails may appear to be legitimate either offering an enticing message or appearing to be from an official company that pressures a computer user into opening or downloading the attachment file, which contains the payload that loads XHAMSTER Ransomware. If a computer user ever encounters a questionable email or spam message it is best that it be deleted at once.

The curiosity of some computer users in opening an enticing spam email or attachment is what gets them into trouble. All it takes is opening the malicious attachment file once and the payload is then free to conduct malicious actions.

Are there any other solutions or steps to take to fix the issues caused by XHAMSTER Ransomware?

Some computer users have been successful in disconnecting their system from the Internet upon noticing the XHAMSTER infection to isolate their system and prevent further damage from XHAMSTER. While such a process may seem like a good idea, the fact remains that XHAMSTER Ransomware will encrypt files regardless of a connection to the Internet.

Storage devices connected to a computer infected with XHAMSTER may be encrypted regardless of whether an Internet connection is available after the initial infection. Ejecting or disconnecting such storage devices, however, may suffice to prevent XHAMSTER from encrypting the files stored on them.

There is no way of stopping XHAMSTER Ransomware from encrypting files and performing its malicious actions once a system is infected. Fortunately, the removal of XHAMSTER completely from a PC will stop its malicious activities, which could otherwise result in the encryption of additional files or ones found on storage devices that are connected to the affected computer.

Removing XHAMSTER Ransomware is essential to help remedy its malicious actions

While preventing threats like XHAMSTER Ransomware is the best method to keep a computer from being infiltrated and files encrypted, removing XHAMSTER with an antimalware tool is the next best approach to remedying such a malicious attack. Ransomware removal is an essential step to recovering encrypted files and restoring an affected system back to normal operation. XHAMSTER Ransomware may continue its malicious activities if it is left on an infected computer, which is why it is important to avoid delay in the removal of XHAMSTER once a computer user has identified or detected the threat using an antimalware resource.

Using an antimalware program to safely detect and remove XHAMSTER Ransomware will free up system resources and make it possible to restore files that XHAMSTER may have damaged beyond repair through encryption. Not only will removing XHAMSTER Ransomware stop the file encryption process, it may then allow a computer user to safely restore files without concern that the restored files will be targeted and eventually encrypted as well.

Because there is no known decryption tool or resource to restore files encrypted by aggressive malware threats like XHAMSTER Ransomware, computer users should always back up their system often and utilize antimalware software to help protect them from future threats. Such threats may be proactively detected and stopped before they are able to propagate and perform malicious actions if a proper antimalware resource is consistently used.
