Xorist-XWZ Ransomware

Xorist-XWZ Ransomware Description

The Xorist-XWZ Ransomware is an encryption Trojan based on the Xorist Ransomware, which emerged in October 2017 as a RaaS platform called 'Encoder Builder v. 24' on the Dark Web. The Xorist-XWZ Ransomware appears to be a product built on the Xorist RaaS platform. It made an appearance on March 20th, 2018, when PC users reported finding files with the '.xwz' extension. The Xorist-XWZ Ransomware Trojan infiltrates computers when the user opens a macro-enabled document; a script then handles the download and installation of the Trojan from a compromised site or a hidden server.

The Xorist-XWZ Ransomware is programmed to encipher images, audio, video, office documents, notes, eBooks, PDFs and databases using an AES cipher. The Trojan encrypts the encryption key itself as a way to counter reverse-engineering attempts by malware researchers. The threat is observed to encipher data on local drives and on portable storage such as USB drives and memory cards. Affected files are left in an unreadable format; their original names are kept, with the '.xwz' extension appended. For example, 'Lake Kaindy.jpeg' is renamed to 'Lake Kaindy.jpeg.xwz', and Windows is likely to show the file with a blank icon. The ransom note is dropped as a plain TXT file called 'READ ME FOR DECRYPT.txt' on the desktop. The ransomware creators offer the following message to infected users:

'All your files is encrypted using unknown algorithm!
Do not try decrypt manually!
You can destroy your files!!
To decrypt, please contact us BlackStarMafia@qq.com
Your personal ID: [random characters]
How to buy Bitcoins?
h[tt]ps://blockchain[.]info/ru/wallet/how-to-get-bitcoins'

The Xorist-XWZ Ransomware is very similar to the Cryptedx Ransomware and the Crypto1CoinBlocker Ransomware, which belong to the same threat family. The threat employs secure encryption standards and deletes the Shadow Volume Copies on recent versions of Windows. It is recommended to run a reliable backup manager and export your backups to an external drive, and to make use of cloud-storage services like Google Drive and Dropbox. That way, your chances of recovery remain good even if the Xorist-XWZ Ransomware manages to invade your OS. You should remove the Xorist-XWZ Ransomware with the help of a trusted anti-malware scanner. AV companies tag the files related to the Xorist-XWZ Ransomware with the following names:

  • Gen:Variant.Ransom.Xorist.4
  • HEUR:Trojan.Win32.Generic
  • Ransom.CryptoTorLocker
  • Ransom.Sorikrypt!8.8822 (TFE:2:37E1v49F3wK)
  • Trojan ( 004b96941 )
  • Trojan.Win32.Z.Ransom.10752.A
  • Trojan/Win32.Xorist.R21676
  • W32/Xorist.ER!tr
  • a variant of Win32/Filecoder.Q

Technical Information

File System Details

Xorist-XWZ Ransomware creates the following file(s):
File Name: file.exe
Size: 921,600 bytes
MD5: e9db7fe38dfea5668c74d6f192ae847b
Detection Count: 1
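As an added example (not code from the article or from EnigmaSoftware), the script below sweeps a directory tree for the indicators described above: files carrying the appended '.xwz' extension, the 'READ ME FOR DECRYPT.txt' note containing the contact address from the ransom message, and any file whose MD5 matches the file.exe sample listed here. The demo() tree is constructed on the spot for illustration and contains no real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the article above.
ENCRYPTED_EXT = ".xwz"
RANSOM_NOTE = "READ ME FOR DECRYPT.txt"
KNOWN_MD5 = {"e9db7fe38dfea5668c74d6f192ae847b"}  # file.exe sample listed above
NOTE_MARKER = "BlackStarMafia@qq.com"  # contact address from the ransom note

def md5_of(path: Path) -> str:
    """Stream the file in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root) -> dict:
    """Walk `root` and collect Xorist-XWZ indicators; returns a summary dict."""
    hits = {"encrypted": [], "notes": [], "known_samples": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(str(p))
            if name == RANSOM_NOTE:
                try:
                    text = p.read_text(errors="replace")
                except OSError:
                    text = ""
                hits["notes"].append({"path": str(p), "matches_note": NOTE_MARKER in text})
            try:
                if md5_of(p) in KNOWN_MD5:
                    hits["known_samples"].append(str(p))
            except OSError:
                pass  # unreadable file (locked, permissions); skip hashing
    return hits

def demo() -> dict:
    """Constructed sample tree (not real infection artifacts) to exercise the scanner."""
    root = Path(tempfile.mkdtemp())
    (root / "Lake Kaindy.jpeg.xwz").write_bytes(b"\x00opaque ciphertext")
    (root / "report.docx").write_bytes(b"PK\x03\x04 harmless")
    (root / RANSOM_NOTE).write_text("All your files is encrypted... contact us BlackStarMafia@qq.com")
    return scan_tree(root)
```

Run scan_tree() against a user profile or a mounted image; an empty result for all three lists is the expected outcome on a clean host.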
