Threat Database Ransomware XRTN Ransomware

XRTN Ransomware

By CagedTech in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 6
First Seen: December 17, 2015
Last Seen: March 28, 2023
OS(es) Affected: Windows

XRTN Ransomware Image

The XRTN Ransomware is a ransomware infection that encrypts data by using batch files. PC security researchers have recently detected the XRTN Ransomware for the first time. When viewed in the wild, the XRTN Ransomware uses RSA-1024 encryption to encrypt the victim's data. To carry out the encryption, the XRTN Ransomware uses the GnuPG (Gnu Privacy Guard), an open source encryption program that is freely available. The XRTN Ransomware is closely related to Vaultcrypt, a threatening ransomware infection that first appeared in spring of 2015. The XRTN Ransomware uses an HTA document that appears during start-up to deliver the XRTN Ransomware's ransom note. This message claims that computer users should contact a Russian email address,, to decrypt their files. No price is quoted, meaning that it is likely that the ransom is adjusted depending on the severity of the attack and quality of the files. At this date, there is no way to decrypt the encrypted files without the decryption key.

The Serious Consequences of a XRTN Ransomware Infection

The XRTN Ransomware has a unique architecture, which contains batch files to carry out the encryption process. The XRTN Ransomware is installed using an unwanted JavaScript file that connects to its command and control domain,, to download and install its associated files. The XRTN Ransomware downloads the GnuPG executable file, a Microsoft Word file, and the batch file used for the XRTN Ransomware's encryption. It is likely that the JavaScript file that delivers the XRTN Ransomware is included as a threatening email attachment in the form of a fake Word document. Microsoft Word macros may be used to deliver threatening code to the victim's computer, making these types of documents far from safe.

When the XRTN Ransomware's batch file is executed, the XRTN Ransomware generates the decryption key and scans all the infected computer's drives in search for its target files. After the XRTN Ransomware encrypts a file, it adds the XRTN extension to the end of the file. The XRTN Ransomware targets the following file types, making it likely that the XRTN Ransomware will encrypt files that could be important to the computer user:

.xls, *.doc, *.xlsx, *.docx, *.pdf, *.rtf, *.cdr, *.psd, *.dwg, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip

The XRTN Ransomware deletes shadow volume copies of the encrypted files, making it impossible for computer users to recover their files using a shadow volume browser of some sort. As part of the XRTN Ransomware encryption process, the XRTN Ransomware will create a file named XRTN.key that contains the private encryption key and data about the infected computer and then encrypt it. The XRTN Ransomware will overwrite all free disk space on targeted hard drives to prevent computer users from using file recovery programs to recover from the XRTN Ransomware attack. The XRTN Ransomware then displays its ransom note.

Recovering from a XRTN Ransomware Attack

PC security researchers suspect that victims of the XRTN Ransomware will be asked to deliver the XRTN.key file and then to pay the ransom amount. The threat developer can decrypt this file using a master decryption key and then deliver the victim's the specific decryption key. There is currently no way to decrypt the files without access to the key. Because of this, the best way of handling ransomware infections like the XRTN Ransomware is prevention. PC security researchers strongly stress the importance of a backup method, either on an external memory device or using the Cloud. This way, computer users can recover from an attack by wiping the affected hard drive and reinstalling their files from the backed up location. Future attacks can be prevented by avoiding email attachments from unsolicited sources.


Most Viewed