The Xorist family of ransomware is starting to be seen quite often in support requests in our Security Forums. This family of computer infections is built using a builder that allows a potential malware distributor to easily create their own customized version of the ransomware.  The problem is that the encrypted file extensions, the targeted files, and the ransom note messages are easily customized and thus it makes it harder for a victim to find help related to their particular build. For example, we have seen variants of this ransomware that have used the EnCiPhErEd,.73i87A, .p5tkjw, and .PoAr2w encrypted file extensions. I am sure there are many more out there.

The good news is that Fabian Wosar of Emsisoft was able to find the builder and create a decrypter for this family of infections. If you find that you are infected with what appears to be a Xorist ransomware variant, you can post in one of the topics below to receive help decrypting your files for free.

HOW TO DECRYPT FILES.TXT (.73i87A, .p5tkjw, PoAr2w extensions) Support Topic

.EnCiPhErEd Ransomware Support and Help Topic

If you want to learn more about how the Xorist ransomware variants are created, you can read below.

Building your own Ransomware

Making your own Xorist ransomware executable is very easy as long as you have the builder. This builder is currently called the Encoder Builder v.24 from [Pastorok] and is most likely purchased by would-be criminals from darkweb malware and exploit forums.  Once a person has the builder they simply have to run it and select what options they want to use in their version of the ransomware.  Once they have configured it properly, they simply click a button and the customized ransomware executable is created for them.  It is now up to the builder to figure out how this infection will be distributed.

Xorist Ransomware Builder
Xorist Ransomware Builder

As you can see from the above image, creating your very own ransomware using the builder is very easy. You simply select the various options you wish to use and click on the Create! button. The builder will then prompt you as to where you wish to save the executable and then the builder can distribute it as they wish.

By default, the builder is configured to use a standard ransom note message where a victim is instructed to send a SMS text containing a special ID to a designated number.  As each build of this ransomware utilizes the same password for every victim, the developer can use the associated ID to determine what password to send the victim once a payment has been made.

A victim would then take this password and enter it into the prompt by the ransomware, and if its correct, the ransomware will decrypt the encrypted files.

Password Prompt
Password Prompt

By default the encryption used for this variant is TEA, the password is 4kuxF2j6JU4i18KGbEYLyK2d, and the encrypted file extension is .EnCiPhErEd. The default ransom note, HOW TO DECRYPT FILES.txt, for this infection will state:

Attention! All your files are encrypted!
To restore your files and access them,
please send an SMS with the text XXXX to YYYY number.

You have N attempts to enter the code.
When that number has been exceeded,
all the data irreversibly is destroyed.
Be careful when you enter the code!

The default extensions targeted by this ransomware are:

*.zip, *.rar, *.7z, *.tar, *.gzip, *.jpg, *.jpeg, *.psd, *.cdr, *.dwg, *.max, *.bmp, *.gif, *.png, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.txt, *.pdf, *.djvu, *.htm, *.html, *.mdb, *.cer, *.p12, *.pfx, *.kwm, *.pwm, *.1cd, *.md, *.mdf, *.dbf, *.odt, *.vob, *.ifo, *.lnk, *.torrent, *.mov, *.m2v, *.3gp, *.mpeg, *.mpg, *.flv, *.avi, *.mp4, *.wmv, *.divx, *.mkv, *.mp3, *.wav, *.flac, *.ape, *.wma, *.ac3

The features that can be customized by this builder include:

  • Ransom note text
  • Encrypted file extension
  • Targeted File Extensions
  • Amount of password attempts per running of the infection
  • Whether to display a messagebox after the infection has encrypted the victim's files.
  • The encryption algorithm (TEA or XOR)
  • The decryption password.
  • The icon to use for the malware executable.
  • Whether to change the wallpaper
  • If it should start automatically
  • Whether it should generate ransom notes in each folder
  • If it should be packed with UPX.

For the most part, this ransomware is not a very sophisticated infection. The problem is that due to its easy to use builder, anyone can become a distributor in a second to try and cash in on this giant ransomware market.  

Files added by Xorist:

%Temp%\[random].exe
%UserProfile%\Desktop\HOW TO DECRYPT FILES.txt