
Xorist-XWZ Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 45
First Seen: April 13, 2016
Last Seen: September 15, 2020
OS(es) Affected: Windows

The Xorist-XWZ Ransomware is an encryption Trojan based on the Xorist Ransomware, which emerged in October 2017 as a RaaS platform called 'Encoder Builder v. 24' on the Dark Web. The Xorist-XWZ Ransomware appears to be a product built with that Xorist RaaS builder. It surfaced on March 20th, 2018, when PC users reported finding files with the '.xwz' extension. The Trojan infiltrates computers when the user opens a macro-enabled document; a script embedded in the document downloads and installs the Xorist-XWZ Ransomware from a compromised site or a hidden server.

The Xorist-XWZ Ransomware is programmed to encipher images, audio, video, office documents, notes, eBooks, PDFs and databases using an AES cipher. The encryption key is itself encrypted by the Trojan to hinder reverse-engineering attempts by malware researchers. The threat has been observed to encipher data on local drives and on portable storage such as USB drives and memory cards. Affected files are left in an unreadable form, but the original file name is preserved and the '.xwz' extension is appended to it. For example, 'Lake Kaindy.jpeg' is renamed to 'Lake Kaindy.jpeg.xwz', and Windows is likely to show the file with a blank icon because no application is registered for the new extension. The ransom note is dropped as a plain TXT file called 'READ ME FOR DECRYPT.txt' on the desktop. The ransomware creators present the following message to infected users:

'All your files is encrypted using unknown algorithm!
Do not try decrypt manually!
You can destroy your files!!
To decrypt, please contact us BlackStarMafia@qq.com
Your personal ID: [random characters]
How to buy Bitcoins?
h[tt]ps://blockchain[.]info/ru/wallet/how-to-get-bitcoins'

The Xorist-XWZ Ransomware is very similar to the Cryptedx Ransomware and the Crypto1CoinBlocker Ransomware, which belong to the same threat family. The threat employs secure encryption standards and deletes the Volume Shadow Copies on the latest versions of Windows, so the built-in Previous Versions feature cannot be relied upon for recovery (whether any snapshots survived can be checked with 'vssadmin list shadows' from an elevated command prompt). It is recommended to run a reliable backup manager and export your backups to an external drive that is disconnected when not in use, as well as to use cloud-storage services like Google Drive and Dropbox; a permanently attached drive is encrypted along with the local disks, since the threat also targets portable storage. That way, your chances of recovery are good even if the Xorist-XWZ Ransomware manages to invade your OS. You should remove the Xorist-XWZ Ransomware with the help of a trusted anti-malware scanner. AV companies tag the files related to the Xorist-XWZ Ransomware with the following names:

  • Gen:Variant.Ransom.Xorist.4
  • HEUR:Trojan.Win32.Generic
  • Ransom.CryptoTorLocker
  • Ransom.Sorikrypt!8.8822 (TFE:2:37E1v49F3wK)
  • Trojan ( 004b96941 )
  • Trojan.Win32.Z.Ransom.10752.A
  • Trojan/Win32.Xorist.R21676
  • W32/Xorist.ER!tr
  • a variant of Win32/Filecoder.Q


File System Details

Xorist-XWZ Ransomware may create the following file(s):

  #   File Name   MD5                                 Detections
  1.  file.exe    e9db7fe38dfea5668c74d6f192ae847b    1
  2.  file.exe    27def0c68ee542333a8a99995429273a    1
  3.  file.exe    1a2bcbcf04aeb44e406cc0b12e095fb4    0
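A triage script for the indicators described on this page (the appended '.xwz' extension, the 'READ ME FOR DECRYPT.txt' note on the desktop, and the MD5 hashes in the table above), as an added example that is not code from the original page or its author. It is generic Python; the directory layout and file contents produced by build_sample_tree() are constructed for the demonstration, and the three hashes are the ones listed on this page.

```python
"""Triage helper for a suspected Xorist-XWZ infection.

Added example; not code from the original page or its author. It walks a
directory tree and reports files carrying the appended '.xwz' extension,
copies of the ransom note 'READ ME FOR DECRYPT.txt', and executables whose
MD5 matches the hashes listed in the page's File System Details table.
The sample tree built by build_sample_tree() is constructed for the demo.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

XWZ_EXT = ".xwz"                         # extension appended to encrypted files
RANSOM_NOTE = "READ ME FOR DECRYPT.txt"  # note dropped on the desktop
# MD5s taken from the page's File System Details table.
KNOWN_MD5S = frozenset({
    "e9db7fe38dfea5668c74d6f192ae847b",
    "27def0c68ee542333a8a99995429273a",
    "1a2bcbcf04aeb44e406cc0b12e095fb4",
})


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)   # paths ending in .xwz
    notes: list = field(default_factory=list)       # ransom note copies
    hash_hits: list = field(default_factory=list)   # (path, md5) of listed droppers


def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large payloads do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def original_name(name):
    """Recover the pre-infection name: 'Lake Kaindy.jpeg.xwz' -> 'Lake Kaindy.jpeg'."""
    if name.lower().endswith(XWZ_EXT):
        return name[: -len(XWZ_EXT)]
    return name


def triage(root, known_md5s=KNOWN_MD5S):
    """Walk `root` and collect the three indicator types into a TriageReport."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(XWZ_EXT):
                report.encrypted.append(path)
            elif name == RANSOM_NOTE:
                report.notes.append(path)
            elif name.lower().endswith(".exe"):
                # Only executables are hashed; a match pins the sample to the page's IOCs.
                digest = md5_of(path)
                if digest in known_md5s:
                    report.hash_hits.append((path, digest))
    return report


def build_sample_tree():
    """Constructed sample: one 'encrypted' picture, one note, one harmless .exe, one clean file."""
    root = tempfile.mkdtemp(prefix="xwz-triage-")
    desktop = os.path.join(root, "Desktop")
    os.makedirs(desktop)
    with open(os.path.join(root, "Lake Kaindy.jpeg.xwz"), "wb") as fh:
        fh.write(os.urandom(64))                     # stands in for ciphertext
    with open(os.path.join(desktop, RANSOM_NOTE), "w") as fh:
        fh.write("All your files is encrypted using unknown algorithm!\n")
    exe = os.path.join(root, "file.exe")
    with open(exe, "wb") as fh:
        fh.write(b"MZ not a real dropper")           # benign placeholder bytes
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("untouched\n")
    return {"root": root, "exe": exe}


if __name__ == "__main__":
    paths = build_sample_tree()
    rep = triage(paths["root"])
    for p in rep.encrypted:
        print("encrypted:", p, "->", original_name(os.path.basename(p)))
    for p in rep.notes:
        print("ransom note:", p)
    for p, d in rep.hash_hits:
        print("listed dropper:", p, d)
    if not rep.hash_hits:
        print("no executable matched the listed MD5s")
```

Point triage() at a user profile or a mounted disk image rather than the constructed tree. A hash match confirms one of the listed droppers, but the absence of a match does not clear a machine: only three MD5s are listed, and a rebuilt sample from the same builder will hash differently, so the extension and ransom-note findings carry more weight than the hash check.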
