Users can recover locked files without paying the ransom

Mar 22, 2016 11:20 GMT  ·  By

Good news for some ransomware victims: security researchers working with the Bleeping Computer crew have found a weakness they can exploit to decrypt files locked by the Xorist ransomware family.

Xorist is a relatively new ransomware family that was first spotted at the start of the year. Technically, it is a very simple piece of ransomware, far less sophisticated than Locky, TeslaCrypt or CryptoLocker.

Xorist is distributed as an automatic ransomware builder

What's unusual about this threat is that the coder behind it sells it as an automatic executable builder (pictured below) which lets anyone generate their own custom version of the ransomware. Buyers of the builder can customize many of Xorist's features, most importantly the encrypted file extension.

The encrypted file extension is the extra extension appended to each file after the ransomware locks it. For Locky, the encrypted file extension is ".locky", which makes an infection easy to identify.

The Xorist builder, sold to anyone who wants to enter a life of cyber-crime, lets the crook set this file extension at will, along with many other options. The encrypted file extension matters because victims and tech support staff search for it to find out which ransomware they are dealing with; a custom extension defeats that shortcut.

Xorist ransom payments are handled via SMS

But in the case of Xorist, there's another way to tell that you've been infected. Once Xorist lands on a PC and locks the victim's files, it leaves a ransom note telling the victim to send an ID via SMS to a given phone number.

This is the first sign of a Xorist infection, because few ransomware families use SMS these days; the majority rely on Bitcoin payments and Tor-hosted websites.

The second sign is that, to decrypt their files, victims have to enter the decryption password (received as the SMS reply) in a popup displayed by the ransomware itself.

Again, this points to Xorist, because the method is outdated: most ransomware developers these days provide a standalone decrypter, separate from the main ransomware body, delivered to the victim only after the ransom has been paid.

Do not type guessed passwords into this box: Xorist limits the number of decryption attempts, and exhausting them may cost you the files for good.

Xorist victims can request help in unlocking files

Xorist can use either TEA (Tiny Encryption Algorithm) or a plain XOR scheme to encrypt files, and targets 57 file types by default. Some of the encrypted file extensions seen in Xorist infections so far are .EnCiPhErEd, .73i87A, .p5tkjw and .PoAr2w, but, as mentioned above, all of these settings can be changed in the builder, so there are likely victims whose files carry extensions not listed here.
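The article mentions that Xorist can run in a plain XOR mode. Repeating-key XOR is recoverable from a single encrypted file whenever the victim knows how the original file begins (a PNG or PDF header, for instance), because XORing known plaintext against the ciphertext reveals the key bytes directly. The following is an added Python illustration of that generic weakness, written for this page; it is not Xorist's code, and it is not a description of the specific flaw Fabian Wosar found, which the article does not detail. The key, its length and the sample file are all constructed. It says nothing about the TEA mode, which this technique does not touch.

```python
"""Known-plaintext recovery of a repeating-key XOR key from one encrypted file.

Added illustration for this article: hypothetical code, not Xorist's own, and
not a claim about the actual flaw found in the malware.
"""
from typing import Optional

# Constructed sample: every PNG file starts with these 8 magic bytes, so a
# victim with an encrypted .png knows its first 8 plaintext bytes for free.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_for_length(ciphertext: bytes, known_prefix: bytes, key_len: int) -> Optional[bytes]:
    """Derive a key_len-byte key from the known plaintext, then check it against
    the remaining known bytes. Returns None if the candidate is inconsistent or
    if there is no known byte left over to verify it with."""
    if key_len >= len(known_prefix) or key_len > len(ciphertext):
        return None
    candidate = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))
    for i in range(key_len, len(known_prefix)):
        if ciphertext[i] ^ candidate[i % key_len] != known_prefix[i]:
            return None
    return candidate


def recover_xor_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Try every key length that still leaves at least one known byte for
    verification and return the shortest consistent key, or None.

    Caveat: a key longer than the known header cannot be verified this way;
    the attacker then needs a longer stretch of known plaintext."""
    for key_len in range(1, len(known_prefix)):
        key = key_for_length(ciphertext, known_prefix, key_len)
        if key is not None:
            return key
    return None


def demo() -> bool:
    """Lock a constructed PNG with a hypothetical 4-byte key, then recover the
    key from the ciphertext and the public PNG header alone."""
    plaintext = PNG_MAGIC + bytes(range(200))   # constructed image payload
    secret_key = b"\x5a\x13\xc4\x07"            # hypothetical key, never shown to the attacker
    locked = xor_crypt(plaintext, secret_key)   # what the victim is left with on disk
    key = recover_xor_key(locked, PNG_MAGIC)    # attacker side: ciphertext + file-format magic
    return key == secret_key and xor_crypt(locked, key) == plaintext


if __name__ == "__main__":
    print("key recovered and file restored:", demo())
```

The same idea works with any file type whose first bytes are fixed (ZIP, PDF, JPEG, Office documents), and once the key is known it decrypts every file locked with that key, not just the one used to recover it.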

The good news is that Fabian Wosar of Emsisoft has found a flaw in Xorist's encryption. The bad news is that there is no general fix-all tool: victims have to contact him personally. If you're one of them, you can request his help via these two forum topics (1, 2).

The Xorist ransomware builder