Xorist-Frozen Ransomware Description
The Xorist-Frozen Ransomware is an updated version of the Xorist Ransomware, a threat family first observed in Spring 2016. The Xorist-Frozen Ransomware was first observed in February 2018 and is very similar to its predecessors, differing only in its file markers and ransom procedure. Victims are instructed to contact the cybercrooks at the email address email@example.com through a ransom note, a text file named 'HOW TO DECRYPT FILES.txt' that is dropped on the infected computer's desktop. The Xorist-Frozen Ransomware carries out a typical ransomware attack, encrypting the victim's files and demanding a ransom payment in exchange for the decryption key. To hide their identity, the people responsible for the Xorist-Frozen Ransomware use the email service Scryptmail.com, which has not been observed in many other similar attacks.
Symptoms of a Xorist-Frozen Ransomware Attack
The Xorist-Frozen Ransomware is delivered to victims through corrupted macro scripts sent in compromised email messages. It uses XOR encryption to make the victim's files inaccessible, targeting user-generated files while attempting to leave Windows system files and similar files alone. Some of the file types that may be encrypted by these attacks include:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
The Xorist-Frozen Ransomware will mark the files encrypted by the attack by adding the file extension '.firstname.lastname@example.org' to the end of each affected file's name. The Xorist-Frozen Ransomware's ransom note, in the form of a text file named 'HOW TO DECRYPT FILES.txt,' contains the following message:
'All your important files were FROZEN on this computer.
Encrtyption was produced using unique KEY generated for this computer.
To decrypted files, you need to otbtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 36 hours after encryption completed.
REMEMBER YOU HAVE ONLY 24 HOURS TO PAY EVERITHING IS AUTOMATICALLY!
To retrieve the private key, you need to pay 0.5 bitcoins
Bitcoins have to be sent to this address: 3N8FxD8y3AKKPZaUBuypw55YYSswmECPxh
After you've sent the payment send us an email to : frozen_service_security@scryptmail[.]com with subject : ERROR-ID-63100888(0.5BTC)
If you are not familiar with bitcoin you can buy it from here :
SITE : www[.]localbitcoin[.]com
After we confirm the payment , we send the private key so you can decrypt your system.'
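The two host-level indicators described above, the 'HOW TO DECRYPT FILES.txt' note and the marker extension appended to each encrypted file's name, are enough to triage a directory listing during incident response. The following is an added example written for this page, not code from the original article: it buckets paths by indicator, checks whether each renamed file's original extension is on the targeted list, and builds a marker-stripped name map for matching files against backups. The marker string is the one this page prints, the extension set is a subset of the page's list, and the directory listing is constructed.

```python
from pathlib import PureWindowsPath

# Indicators as reported on this page. The marker string is the one the page
# prints; confirm the actual suffix on the affected host before relying on it.
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"
MARKER_EXTENSION = ".firstname.lastname@example.org"

# Subset of the page's targeted extension list, enough for the example.
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg",
                       ".pdf", ".png", ".sql", ".py", ".zip", ".txt"}


def classify_path(path, marker=MARKER_EXTENSION):
    """Return (kind, original_name) for one path from a directory listing."""
    name = PureWindowsPath(path).name
    if name == RANSOM_NOTE_NAME:
        return "ransom_note", name
    # Windows file names are case-insensitive, so compare the marker lowercased.
    if name.lower().endswith(marker.lower()) and len(name) > len(marker):
        original = name[: -len(marker)]
        ext = PureWindowsPath(original).suffix.lower()
        kind = "encrypted_known_type" if ext in TARGETED_EXTENSIONS else "encrypted_other_type"
        return kind, original
    return "untouched", name


def triage(paths, marker=MARKER_EXTENSION):
    """Bucket a listing by indicator and map marked paths to their pre-attack names.

    The map recovers only the original *name*; contents must come from backups,
    since the page describes no way to recover the key.
    """
    summary = {"ransom_note": [], "encrypted_known_type": [],
               "encrypted_other_type": [], "untouched": []}
    restore_map = {}
    for path in paths:
        kind, original = classify_path(path, marker)
        summary[kind].append(path)
        if kind.startswith("encrypted"):
            restore_map[path] = str(PureWindowsPath(path).with_name(original))
    return summary, restore_map


# Constructed directory listing standing in for a scan of an infected host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\HOW TO DECRYPT FILES.txt",
    r"C:\Users\alice\Documents\budget.xlsx.firstname.lastname@example.org",
    r"C:\Users\alice\Documents\thesis.docx.firstname.lastname@example.org",
    r"C:\Users\alice\Pictures\holiday.jpg.firstname.lastname@example.org",
    r"C:\Users\alice\Documents\report.pdf.FIRSTNAME.LASTNAME@EXAMPLE.ORG",
    r"C:\Users\alice\Documents\HOW TO DECRYPT FILES.txt",
    r"C:\Users\alice\Documents\notes.md.firstname.lastname@example.org",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\readme.txt",
]
```

Running `triage(SAMPLE_LISTING)` on the constructed listing reports two ransom notes, four renamed files of targeted types, one renamed file of another type, and two untouched paths.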
Dealing with a Xorist-Frozen Ransomware Infection
The people responsible for the Xorist-Frozen Ransomware demand a large ransom of 0.5 Bitcoin (approximately 3200 USD at the current exchange rate). However, paying the ransom should be avoided at any cost. In the case of these infections, the best recourse for computer users is to remove the corrupted files, use a reliable, fully up-to-date security program to remove the Xorist-Frozen Ransomware infection, and replace the affected files with backup copies. For this reason, the best protection against threats like the Xorist-Frozen Ransomware is to maintain file backups.