XHAMSTER Ransomware

XHAMSTER Ransomware Description

The XHAMSTER Ransomware threat is being used by cybercriminals to lock the data of their victims. The XHAMSTER Ransomware is a new variant of the Phobos Ransomware. The strong encryption algorithm utilized by XHAMSTER ensures that the affected files will be nearly impossible to restore without the assistance of the hackers, or more specifically, without the decryption keys in their possession.

Once activated on the compromised device, XHAMSTER will affect a wide range of file types, including the victim's documents, photos, PDFs, archives, databases and many more. As part of its actions, the ransomware will also significantly modify the original names of the locked files. First, it will add an ID string generated for the particular victim. Next, the threat will add the ICQ account of the attackers (ICQ@xhamster2020). Finally, '.XHAMSTER' will be appended as a new file extension.

Victims of the threat will be presented with two ransom notes. One will be contained inside a newly generated text file named 'info.txt'. The other will be displayed in a pop-up window created from an 'info.hta' file. The instructions in both places are identical.
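The renaming scheme and note names described above can be turned into a quick triage pass over a file listing exported from an affected host. The following is an added example, not code from the original page; the `triage` function, the sample paths and the `CONSTRUCTED-ID` layout are assumptions, since the page gives only the order of the appended parts and not their exact delimiters.

```python
from collections import defaultdict

# Indicators taken from the description above.
EXTENSION = ".xhamster"
CONTACT_MARKER = "icq@xhamster2020"
NOTE_NAMES = {"info.txt", "info.hta"}

# Constructed sample listing. The delimiter layout and the "CONSTRUCTED-ID"
# value are assumptions; the page states only the order of the three parts.
SAMPLE = [
    "C:\\Users\\alice\\Documents\\report.docx.CONSTRUCTED-ID.ICQ@xhamster2020.XHAMSTER",
    "C:\\Users\\alice\\Documents\\budget.xlsx.CONSTRUCTED-ID.ICQ@xhamster2020.XHAMSTER",
    "C:\\Users\\alice\\Documents\\renamed.XHAMSTER",
    "C:\\Users\\alice\\Desktop\\info.hta",
    "C:\\Users\\alice\\Desktop\\info.txt",
    "C:\\Users\\alice\\Downloads\\setup.exe",
]


def triage(paths):
    """Group XHAMSTER indicators by folder from a list of file paths."""
    hits = defaultdict(lambda: {"encrypted": 0, "with_contact": 0, "notes": []})
    for path in paths:
        # Accept Windows and POSIX separators so exported listings work as-is.
        folder, _, name = path.replace("\\", "/").rpartition("/")
        lower = name.lower()
        if lower.endswith(EXTENSION):
            hits[folder]["encrypted"] += 1
            # Extension plus contact handle is a stronger match than extension alone.
            if CONTACT_MARKER in lower:
                hits[folder]["with_contact"] += 1
        elif lower in NOTE_NAMES:
            hits[folder]["notes"].append(name)
    # 'info.txt' is a common file name, so note files are reported only when
    # the listing also contains at least one file with the ransomware extension.
    confirmed = any(h["encrypted"] for h in hits.values())
    return {
        folder: h
        for folder, h in hits.items()
        if h["encrypted"] or (confirmed and h["notes"])
    }


if __name__ == "__main__":
    for folder, hit in triage(SAMPLE).items():
        print(folder, hit)
```
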

Demands Overview

The ransom-demanding message of the threat doesn't specify the exact sum that victims are expected to pay as ransom. However, it is stated that the amount will be based on how fast affected users establish contact with the attackers. Furthermore, only payments made using the Bitcoin cryptocurrency will be accepted. The note also instructs victims that they can send up to 5 files to be decrypted for free, likely as a demonstration of the hackers' ability to unlock all of the affected data. The total size of the chosen files must not exceed 3MB in non-archived form and they should not contain any important or valuable information. To receive additional details, victims of the threat are directed toward contacting the same ICQ account found in the names of the encrypted files.

The full set of instructions left by XHAMSTER Ransomware is:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, install ICQ software on your PC here hxxps://icq.com/windows/
or on mobile phone from Appstore/Google Play Market search for "ICQ"
Write to our ICQ @xhamster2020 hxxps://icq.im/xhamster2020
Write this ID in the title of your message -
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
Attention!
Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Be assured we are the only people who can recover your files and there is no free tool.
'