
!XTPLOCK5.0 File Extension' Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 25
First Seen: October 13, 2016
Last Seen: February 10, 2022
OS(es) Affected: Windows

Malware researchers discovered the '!XTPLOCK5.0 File Extension' Ransomware while investigating reports of files with a strange extension. Users reported seeing files featuring a '!XTPLOCK5.0' extension that was appended after the original file format, and the data inside those files was inaccessible. Further investigation revealed that the '!XTPLOCK5.0 File Extension' Ransomware was delivered to users via spam email. A moderate level of social engineering skill was applied to make the spam messages look like they were sent by trusted companies like Facebook, Amazon and PayPal.

The '!XTPLOCK5.0 File Extension' Ransomware may be a Successor to the MadLocker Ransomware

In-depth analysis of the code underneath the '!XTPLOCK5.0 File Extension' Ransomware brand led to interesting discoveries. Security researchers noted that the '!XTPLOCK5.0 File Extension' Ransomware uses the same naming scheme and the same self-destruct mechanism as the MadLocker (a.k.a. DMALocker) Ransomware. When the '!XTPLOCK5.0 File Extension' Ransomware completes the encryption process, it is programmed to delete its own files and drop a ransom note named 'cryptinfo.txt' on the victim's desktop. The encryption engine of the '!XTPLOCK5.0 File Extension' Ransomware is known to combine the AES and RSA ciphers to lock file objects across local and network drives. Usually, the primary executable of threats like the JohnyCryptor Ransomware and the APT Ransomware can be found in the hidden Temp folder. Therefore, the '!XTPLOCK5.0 File Extension' Ransomware might run as an executable with a random name within that directory. Corrupted data containers are reported to carry the '!XTPLOCK5.0' extension, and you may not be able to access information stored in the following formats:

.3GP, .7Z, .APK, .AVI, .BMP, .CDR, .CER, .CHM, .CONF, .CSS, .CSV, .DAT, .DB, .DBF, .DJVU, .DBX, .DOCM, .DOC, .EPUB, .DOCX, .FB2, .FLV, .GIF, .GZ, .ISO, .IBOOKS, .JPEG, .JPG, .KEY, .MDB, .MD2, .MDF, .MHT, .MOBI, .MHTM, .MKV, .MOV, .MP3, .MP4, .MPG, .MPEG, .PICT, .PDF, .PPS, .PKG, .PNG, .PPT, .PPTX, .PPSX, .PSD, .RAR, .RTF, .SCR, .SWF, .SAV, .TIFF, .TIF, .TBL, .TORRENT, .TXT, .VSD, .WMV, .XLS, .XLSX, .XPS, .XML, .CKP, .ZIP, .JAVA, .PY, .ASM, .C, .CPP, .CS, .JS, .PHP, .DACPAC, .RBW, .RB, .MRG, .DCX, .DB3, .SQL, .SQLITE3, .SQLITE, .SQLITEDB, .PSP, .PDB, .DXF, .DWG, .DRW, .CASB, .CCP, .CAL, .CMX, .CR2.

The '!XTPLOCK5.0 File Extension' Ransomware does not Trigger a UAC Prompt and Runs with Limited Privileges

The '!XTPLOCK5.0 File Extension' Ransomware functions as an Encryption Trojan that can block the UAC (User Account Control) notification and run on guest accounts as well. The encryption process does not require a lot of system resources, but users may still notice intense read/write activity on their drives. As stated above, the note comes as 'cryptinfo.txt' and provides a concise message. The operators of the '!XTPLOCK5.0 File Extension' Ransomware follow the standards set by threats like the CryptoWall Ransomware and direct the victim to create a Bitcoin wallet. The next step is to purchase 2 BTC from services like localbitcoins.com and coinbase.com. Victims are expected to pay around 1270 USD for the decryption software that is supposed to return their files to normal. The note reads as follows:

'Attention! ! !
All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted!
Stay calm.
You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency in order to receive a decryption key.
In order to purchase Bitcions you can use www.coinbase.com
After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress:
[34 random characters]
After payment contact us to receive your decryption key. In mail title write your unique ID: [23 bytes long ID]
Our e-mail: crypt302@gmx.com
'
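As an added example, not code from the original write-up or its author, the following Python triage script turns the two indicators described above into a defender's check: it walks a directory tree, lists files carrying the '!XTPLOCK5.0' marker, recovers the original extension so you can see which formats were hit, and flags copies of 'cryptinfo.txt' that carry the note's contact address or wording (a file merely named cryptinfo.txt is not enough). The sample directory tree it builds is constructed for the demo, and the assumption that the marker may follow the original name with or without a separating dot is mine, since the write-up does not show an exact file name.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Indicators quoted in the write-up.
LOCKED_SUFFIX = "!XTPLOCK5.0"
NOTE_NAME = "cryptinfo.txt"
NOTE_EMAIL = "crypt302@gmx.com"

# Phrases from the ransom note; a file must contain at least two to count as a note.
NOTE_MARKERS = (NOTE_EMAIL, "decryption key", "BTC")


def original_name(locked_name):
    """Strip the ransomware marker and return the pre-encryption file name.

    Assumption (mine): the marker may be appended as 'a.docx!XTPLOCK5.0' or
    'a.docx.!XTPLOCK5.0', so a trailing dot left over is removed as well.
    Returns None if the name does not carry the marker.
    """
    if not locked_name.endswith(LOCKED_SUFFIX):
        return None
    return locked_name[: -len(LOCKED_SUFFIX)].rstrip(".")


def looks_like_note(text):
    """True when the text carries at least two of the ransom-note markers."""
    lowered = text.lower()
    return sum(marker.lower() in lowered for marker in NOTE_MARKERS) >= 2


def triage(root):
    """Inventory locked files and ransom notes below 'root'."""
    root = Path(root)
    locked, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.endswith(LOCKED_SUFFIX):
            locked.append(path)
        elif path.name.lower() == NOTE_NAME:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if looks_like_note(text):
                notes.append(path)
    # Group the locked files by the extension they had before encryption.
    by_ext = Counter(Path(original_name(p.name)).suffix.lower() for p in locked)
    return {
        "locked_files": sorted(p.relative_to(root).as_posix() for p in locked),
        "by_original_extension": dict(by_ext),
        "ransom_notes": sorted(p.relative_to(root).as_posix() for p in notes),
        "note_dirs": sorted({p.parent.relative_to(root).as_posix() for p in notes}),
    }


def build_sample_tree():
    """Constructed sample profile; the files are placeholders, not real artifacts."""
    root = Path(tempfile.mkdtemp(prefix="xtplock_demo_"))
    (root / "Desktop").mkdir()
    (root / "Documents").mkdir()
    (root / "Documents" / "budget.xlsx!XTPLOCK5.0").write_bytes(b"\x00" * 16)
    (root / "Documents" / "photo.jpg.!XTPLOCK5.0").write_bytes(b"\x00" * 16)
    (root / "Documents" / "readme.txt").write_text("untouched file")
    # A note that matches the quoted wording.
    (root / "Desktop" / NOTE_NAME).write_text(
        "Attention! ! !\n"
        "You can recover all your data by making a payment of 2 BTC (1200 USD)\n"
        "After payment contact us to receive your decryption key.\n"
        "Our e-mail: crypt302@gmx.com\n"
    )
    # Same file name but unrelated content: must not be flagged.
    (root / "Documents" / NOTE_NAME).write_text("my own notes about a crypto course\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the script against a user profile or a mounted share instead of the demo tree to get a per-extension count of what was locked and the directories where notes were dropped; the per-extension breakdown is the quickest way to decide which backups must be restored first.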

Decryption Service should not be Expected from the Makers of Ransomware

Experts advise against making payments to the '!XTPLOCK5.0 File Extension' Ransomware operators and against contacting crypt302@gmx.com. The coders behind the crypto malware are not likely to deliver a working decryptor, since their aim is to extort money. A decryption service should not be expected from the makers of threats like the '!XTPLOCK5.0 File Extension' Ransomware and the Globe Ransomware because they are con artists at the end of the day. Security experts recommend that users install a reliable anti-malware tool that can purge the '!XTPLOCK5.0 File Extension' Ransomware from the machine. The next step is to restore from clean backups held on removable media like USB thumb drives, CD/DVD disks and portable HDD storage. Moreover, services like Google Drive and Dropbox might prove invaluable when restoring your data after an attack with the '!XTPLOCK5.0 File Extension' Ransomware. These backups should allow you to recover comparatively fast, and you should back up your files regularly to secure your information.
