'!XTPLOCK5.0 File Extension' Ransomware
Threat Scorecard
| Metric | Value |
|---|---|
| Threat Level | 80 % (High) |
| Infected Computers | 25 |
| First Seen | October 13, 2016 |
| Last Seen | February 10, 2022 |
| OS(es) Affected | Windows |
Malware researchers discovered the '!XTPLOCK5.0 File Extension' Ransomware while investigating reports of files with a strange extension. Users reported seeing files with a '!XTPLOCK5.0' extension appended after the original file extension, and the data inside was inaccessible. Further investigation revealed that the '!XTPLOCK5.0 File Extension' Ransomware was delivered to users via spam email. A moderate level of social engineering skill was applied to make the spam messages look like they were sent by trusted companies like Facebook, Amazon and PayPal.
The '!XTPLOCK5.0 File Extension' Ransomware may be a Successor to the MadLocker Ransomware
In-depth analysis of the code underneath the '!XTPLOCK5.0 File Extension' Ransomware brand led to interesting discoveries. Security researchers noted that the '!XTPLOCK5.0 File Extension' Ransomware uses the same naming scheme and self-destruct mechanism as the MadLocker (a.k.a. DMALocker) Ransomware. When the '!XTPLOCK5.0 File Extension' Ransomware completes the encryption process, it is programmed to delete its own files and drop a ransom note named 'cryptinfo.txt' on the victim's desktop. The encryption engine of the '!XTPLOCK5.0 File Extension' Ransomware is known to combine the AES and RSA ciphers to lock files across local and network drives. Usually, the primary executable of threats like the JohnyCryptor Ransomware and the APT Ransomware can be found in the hidden Temp folder, so the '!XTPLOCK5.0 File Extension' Ransomware might run as an executable with a random name within that directory. Encrypted files are reported to carry the '!XTPLOCK5.0' extension, and you may not be able to access information stored in the following formats:
.3GP, .7Z, .APK, .AVI, .BMP, .CDR, .CER, .CHM, .CONF, .CSS, .CSV, .DAT, .DB, .DBF, .DJVU, .DBX, .DOCM, .DOC, .EPUB, .DOCX, .FB2, .FLV, .GIF, .GZ, .ISO, .IBOOKS, .JPEG, .JPG, .KEY, .MDB, .MD2, .MDF, .MHT, .MOBI, .MHTM, .MKV, .MOV, .MP3, .MP4, .MPG, .MPEG, .PICT, .PDF, .PPS, .PKG, .PNG, .PPT, .PPTX, .PPSX, .PSD, .RAR, .RTF, .SCR, .SWF, .SAV, .TIFF, .TIF, .TBL, .TORRENT, .TXT, .VSD, .WMV, .XLS, .XLSX, .XPS, .XML, .CKP, .ZIP, .JAVA, .PY, .ASM, .C, .CPP, .CS, .JS, .PHP, .DACPAC, .RBW, .RB, .MRG, .DCX, .DB3, .SQL, .SQLITE3, .SQLITE, .SQLITEDB, .PSP, .PDB, .DXF, .DWG, .DRW, .CASB, .CCP, .CAL, .CMX, .CR2.
The '!XTPLOCK5.0 File Extension' Ransomware does not Trigger a UAC Prompt and Runs with Limited Privileges
The '!XTPLOCK5.0 File Extension' Ransomware functions as an Encryption Trojan that does not trigger the UAC (User Account Control) prompt and can run from guest accounts as well. The encryption process does not require a lot of system resources, but users may notice intense read/write activity on their drives. As stated above, the note is dropped as 'cryptinfo.txt' and carries a concise message. The operators of the '!XTPLOCK5.0 File Extension' Ransomware follow the pattern set by threats like the CryptoWall Ransomware and direct the victim to create a Bitcoin wallet. The next step is to purchase 2 BTC from services like localbitcoins.com and coinbase.com. Victims are expected to pay around 1270 USD for the decryption software that can return their files to normal. The note reads as follows:
'Attention! ! !
All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted!
Stay calm.
You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency in order to receive a decryption key.
In order to purchase Bitcoins you can use www.coinbase.com
After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC address:
[34 random characters]
After payment contact us to receive your decryption key. In mail title write your unique ID: [23 bytes long ID]
Our e-mail: crypt302@gmx.com'
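As an added example that is not part of the original write-up, the Python triage script below looks for the two on-disk indicators the text describes: filenames ending in the appended '!XTPLOCK5.0' marker (recovering the original extension for a per-format tally) and a 'cryptinfo.txt' note whose body carries the contact or payment strings quoted above. The sample file tree it builds is constructed for the dry run, and the function names are my own.

```python
import os, tempfile
from collections import Counter
from pathlib import Path

XTPLOCK_EXT = "!XTPLOCK5.0"   # marker appended after the real extension (from the write-up)
NOTE_NAME = "cryptinfo.txt"   # ransom note name dropped on the desktop (from the write-up)
NOTE_MARKERS = ("crypt302@gmx.com", "2 BTC", "decryption key")  # strings from the quoted note

def original_name(path):
    """Strip the trailing '!XTPLOCK5.0' marker; None if the file is not marked."""
    name = Path(path).name
    return name[:-len(XTPLOCK_EXT)] if name.endswith(XTPLOCK_EXT) else None

def is_ransom_note(path):
    """Flag cryptinfo.txt only when its body carries a contact/payment string."""
    p = Path(path)
    if p.name.lower() != NOTE_NAME:
        return False
    try:
        return any(m in p.read_text(errors="ignore") for m in NOTE_MARKERS)
    except OSError:  # locked or permission-denied files are skipped, not fatal
        return False

def triage(root):
    """Walk root; return marked paths, a tally by original extension, and notes."""
    by_ext, encrypted, notes = Counter(), [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            orig = original_name(full)
            if orig is not None:
                encrypted.append(full)
                by_ext[Path(orig).suffix.lower() or "(none)"] += 1
            elif is_ransom_note(full):
                notes.append(full)
    return {"encrypted": sorted(encrypted), "by_ext": dict(by_ext), "notes": notes}

def build_sample(root):
    """Constructed victim-like tree: two marked files, one clean file, one note."""
    docs, desk = Path(root, "Documents"), Path(root, "Desktop")
    docs.mkdir(parents=True); desk.mkdir(parents=True)
    (docs / "budget.xlsx!XTPLOCK5.0").write_bytes(b"\x00" * 16)
    (docs / "notes.txt!XTPLOCK5.0").write_bytes(b"\x00" * 16)
    (docs / "readme.txt").write_text("clean file, not touched")
    (desk / NOTE_NAME).write_text("payment of 2 BTC ... Our e-mail: crypt302@gmx.com\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)
```

Point triage() at a user profile or a mounted image to get the same report for a real case; the per-extension tally tells you which of the formats listed above were actually hit.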
Decryption Service should not be Expected from the Makers of Ransomware
Experts advise against making payments to the '!XTPLOCK5.0 File Extension' Ransomware and against contacting crypt302@gmx.com. The coders behind the crypto malware are not likely to deliver a working decryptor since their aim is to extort you for money. A decryption service should not be expected from the makers of threats like the '!XTPLOCK5.0 File Extension' Ransomware and the Globe Ransomware because they are con artists at the end of the day. Security experts recommend that users install a reliable anti-malware tool that can purge the '!XTPLOCK5.0 File Extension' Ransomware from the machine. The next step is to restore from clean backups held on removable media like USB thumb drives, CD/DVD discs and portable HDD storage. Moreover, services like Google Drive and Dropbox might prove invaluable when restoring your data after an attack by the '!XTPLOCK5.0 File Extension' Ransomware. These backups should allow you to recover comparatively fast, and you should back up your files regularly to secure your information.