
Team XRat Ransomware Help and Support Topic - .C0rp0r@c@0Xr@ Extension


17 replies to this topic

#1 Grinler

    Lawrence Abrams
  • Admin

Posted 16 August 2016 - 09:13 PM

A new Xorist ransomware has been released called Team XRat that targets Portuguese-speaking victims. When infected, the XRat Ransomware will encrypt your data and append the .C0rp0r@c@0Xr@ extension to encrypted files. It will then display a ransom note called Como descriptografar seus arquivos.txt.

The XRat Ransomware will also change your wallpaper to a picture of Anonymous that tells victims to email corporacaoxrat@protonmail.com for payment instructions.

If your files have the .__xratteamLucked (x2 underscores) or .C0rp0r@c@0Xr@ extension, your files can be decrypted using Emsisoft Xorist Decryptor.

If your files have the .___xratteamLucked (x3 underscores) and .____xratteamLucked (x4 underscores), your files can be decrypted by Kaspersky (see the bottom of the article).

 

 



Edited by xXToffeeXx, 30 September 2016 - 03:00 AM.
Updated~



#2 xavulso

  • Members

Posted 17 August 2016 - 01:34 PM

Hello, I have this ransomware on my computer; all files are encrypted and the extension changed to .C0rp0r@c@0Xr@t.

The Xorist decrypter doesn't execute correctly; it shows a message:

"The decrypter could not determine a valid key for your system. please drag and drop both an encryted file as well as its unencrypted counterpart onto the decrypter to determine the correct key. files need to be at least 510 bytes long."

Need help


#3 Grinler

    Lawrence Abrams
  • Topic Starter
  • Admin

Posted 17 August 2016 - 02:09 PM

Did you do what it asked? Take an encrypted file and an unencrypted version of the same file and drag them both on to the decryptor icon?
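
The decrypter message quoted in post #2 asks for an encrypted file together with its unencrypted original. As an added example (not part of the thread and not Emsisoft's code), the Python below shows why one such pair is enough to recover a key and decrypt other files, assuming a repeating-key XOR cipher (an assumption; the thread does not describe the cipher). The key, the sample data and all function names are constructed for illustration.

```python
from typing import Optional

def keystream(plain: bytes, cipher: bytes) -> bytes:
    """XOR a known pair; under an XOR cipher this is the key, repeated."""
    return bytes(p ^ c for p, c in zip(plain, cipher))

def shortest_period(stream: bytes) -> Optional[int]:
    """Smallest period that fits the stream at least twice, else None."""
    for length in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i - length] for i in range(length, len(stream))):
            return length
    return None

def recover_key(plain: bytes, cipher: bytes) -> bytes:
    """Derive the repeating key from one original/encrypted file pair."""
    stream = keystream(plain, cipher)
    period = shortest_period(stream)
    if period is None:
        # The pair does not cover the key twice, so the key length is unknown.
        raise ValueError("pair too short to determine the key (or not repeating-key XOR)")
    return stream[:period]

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample data (not taken from any real infection).
DEMO_KEY = b"constructed-demo-key"
PAIR_PLAIN = b"Quarterly report, backup copy kept offline. " * 2
PAIR_CIPHER = xor_crypt(PAIR_PLAIN, DEMO_KEY)
OTHER_PLAIN = b"A second file for which no clean copy survives."
OTHER_CIPHER = xor_crypt(OTHER_PLAIN, DEMO_KEY)

def demo() -> bytes:
    """Recover the key from the known pair, then decrypt the other file."""
    key = recover_key(PAIR_PLAIN, PAIR_CIPHER)
    return xor_crypt(OTHER_CIPHER, key)

if __name__ == "__main__":
    print(demo())
```

In this model a pair that is shorter than two key lengths raises `ValueError`, because the key length cannot be established from it.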



#4 xavulso

  • Members

Posted 18 August 2016 - 06:15 AM

Thanks bro, the process is starting.



#5 xavulso

  • Members

Posted 23 August 2016 - 08:11 AM

Hello, this ransomware was decrypted successfully.

But now there is a new ransomware in my network, this: "id-A8955C4D.legioner_seven@aol.com.xtbl"

Need help; does any decryptor exist for it?



#6 Demonslay335

    Ransomware Hunter
  • Security Colleague

Posted 23 August 2016 - 09:46 AM

> Hello, this ransomware was decrypted successfully.
>
> But now there is a new ransomware in my network, this: "id-A8955C4D.legioner_seven@aol.com.xtbl"
>
> Need help; does any decryptor exist for it?

That one is CrySiS, which has no solution for it at this time.

http://www.bleepingcomputer.com/forums/t/614334/crysis-ransomware-emailcrysis-extension-support-and-help-topic/

You should really work on securing your network if you were hit by two ransomwares in such a short amount of time. Also make sure you have backups.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 xavulso

  • Members

Posted 23 August 2016 - 12:51 PM

This link doesn't open.

 

"Sorry, we couldn't find that!"



#8 Demonslay335

    Ransomware Hunter
  • Security Colleague

Posted 23 August 2016 - 01:06 PM

Ah, sorry about that. I've updated my link from ID Ransomware. Some topics got moved around when separating the confusion of CrySiS vs Shade.

 

I see you found the topic, but here's the link anyways for future users seeing this post.

 

http://www.bleepingcomputer.com/forums/t/607680/crysis-extensionid-numberemailxtblcrysis-ransomware-support-topic/




#9 cl3b3r

  • Members

Posted 15 September 2016 - 06:42 AM

Hi, I need help, friends...

A friend was infected with *.___xratteamLucked.

IT support formatted the server and backed up only the encrypted files.

I have the encrypted files and the private key and public key, because they paid the ransom, but the software sent to decrypt them is not working!

Please, could someone analyse the files in the cloud below:

https://1drv.ms/f/s!AuRDNaAz8F5dglFaxeSntRx4Eo0D

Thx..



#10 Demonslay335

    Ransomware Hunter
  • Security Colleague

Posted 15 September 2016 - 08:20 AM

> Hi, I need help, friends...
>
> A friend was infected with *.___xratteamLucked.
>
> IT support formatted the server and backed up only the encrypted files.
>
> I have the encrypted files and the private key and public key, because they paid the ransom, but the software sent to decrypt them is not working!
>
> Please, could someone analyse the files in the cloud below:
>
> https://1drv.ms/f/s!AuRDNaAz8F5dglFaxeSntRx4Eo0D
>
> Thx..

 

We believe the .___ variant (three underscores) is actually not Xorist. We will need a sample of the malware that caused the encryption in order to analyze.




#11 cl3b3r

  • Members

Posted 15 September 2016 - 09:53 AM

Files available in the cloud:

https://1drv.ms/f/s!AuRDNaAz8F5dglFaxeSntRx4Eo0D

where Relat.rar___xratteamLucked is the sample of the malware;

No?

Thx a lot.



#12 cl3b3r

  • Members

Posted 16 September 2016 - 06:45 AM

Good news.

Updated files in the cloud -> https://1drv.ms/f/s!AuRDNaAz8F5dglFaxeSntRx4Eo0D

I need help..

Thx.


Edited by cl3b3r, 16 September 2016 - 12:25 PM.


#13 Demonslay335

    Ransomware Hunter
  • Security Colleague

Posted 16 September 2016 - 08:21 AM

No, we need the malware, not encrypted files. Did you open an attachment from an email, download something from a website, etc.? Check your downloads, find the source, or scan with MalwareBytes and HitmanPro to find the virus.

 

Did you pay the ransom, and is DESCRYPTADOR.exe the decrypter the criminals provided you? I'm not sure what format the public and private keys are, they look too long to be asymmetric (e.g. RSA).




#14 cl3b3r

  • Members

Posted 16 September 2016 - 12:22 PM

Hi Demonslay335, I don't have the malware.. sorry!

I have the files only in the cloud.

Yes, the DESCRYPTADOR.EXE is the decrypter the criminals provided for me.

It decrypts small files such as backup_madrugada.bat, but for large files it is not working!

Sorry, new files again -> https://1drv.ms/f/s!AuRDNaAz8F5dglFaxeSntRx4Eo0D


Edited by cl3b3r, 16 September 2016 - 12:25 PM.


#15 felipecarv

  • Members

Posted 26 September 2016 - 07:41 PM

Hi people.

I have the .___ratteamLuked variation of this malware.

I tried to use Emsisoft Xorist Decryptor but nothing happens.

I'm sending a link to an encrypted and unencrypted file.

Thanks in advance.

https://dl.dropboxusercontent.com/u/24606832/Files.rar





