Xorist-XWZ Ransomware
Threat Scorecard
Threat Level: 100 % (High)
Infected Computers: 45
First Seen: April 13, 2016
Last Seen: September 15, 2020
OS(es) Affected: Windows
The Xorist-XWZ Ransomware is an encryption Trojan that is based on the Xorist Ransomware, which emerged in October 2017 as a RaaS platform called 'Encoder Builder v. 24' on the Dark Web. The Xorist-XWZ Ransomware appears to be a product that has been created on the Xorist RaaS platform. The Xorist-XWZ Ransomware made an appearance on March 20th, 2018, when PC users reported finding files with the '.xwz' extension. The Xorist-XWZ Ransomware Trojan infiltrates computers when the user loads a macro-enabled. A script handles the download and the installation of the Xorist-XWZ Ransomware Trojan from a compromised site or a hidden server.
The Xorist-XWZ Ransomware is programmed to encipher images, audio, video, office-related documents, notes, eBooks, PDFs and databases using an AES cipher. The Trojan encrypts the encryption key itself as a way to counter reverse-engineering attempts by malware researchers. The threat is observed to encipher data on local drives and on portable storage such as USB drives and memory cards. Affected files are transcoded to an unrecognizable format. The original file names are kept, with the '.xwz' extension appended. For example, 'Lake Kaindy.jpeg' is renamed to 'Lake Kaindy.jpeg.xwz', and Windows is likely to represent the file using a blank icon. The ransom note is a simple TXT file called 'READ ME FOR DECRYPT.txt' that is placed on the desktop. The ransomware creators leave the following message for infected users:
'All your files is encrypted using unknown algorithm!
Do not try decrypt manually!
You can destroy your files!!
To decrypt, please contact us BlackStarMafia@qq.com
Your personal ID: [random characters]
How to buy Bitcoins?
h[tt]ps://blockchain[.]info/ru/wallet/how-to-get-bitcoins'
The Xorist-XWZ Ransomware is very similar to the Cryptedx Ransomware and the Crypto1CoinBlocker Ransomware that belong to the same threat family. The threat employs secure encryption standards and deletes the Shadow Volume snapshots on the latest versions of Windows. It is recommended to run a reliable backup manager and export your backups to an external drive, as well as benefit from cloud-storage services like Google Drive and Dropbox. That way, your chances of recovery would be significant even if the Xorist-XWZ Ransomware manages to invade your OS. You should remove the Xorist-XWZ Ransomware with the help of a trusted anti-malware scanner. AV companies tag the files related to the Xorist-XWZ Ransomware with the following names:
- Gen:Variant.Ransom.Xorist.4
- HEUR:Trojan.Win32.Generic
- Ransom.CryptoTorLocker
- Ransom.Sorikrypt!8.8822 (TFE:2:37E1v49F3wK)
- Trojan ( 004b96941 )
- Trojan.Win32.Z.Ransom.10752.A
- Trojan/Win32.Xorist.R21676
- W32/Xorist.ER!tr
- a variant of Win32/Filecoder.Q

File System Details
# | File Name | MD5 | Detections |
---|---|---|---|
1. | file.exe | e9db7fe38dfea5668c74d6f192ae847b | 1 |
2. | file.exe | 27def0c68ee542333a8a99995429273a | 1 |
3. | file.exe | 1a2bcbcf04aeb44e406cc0b12e095fb4 | 0 |