A new ransomware called the XRTN Ransomware is in the wild that encrypts your data with RSA-1024 encryption using the open source Gnu Privacy Guard (GnuPG) encryption software. This ransomware is part of the same family as the VaultCrypt ransomware that we reported on in March. When infected, the user will be shown a HTA document when Windows starts that instructs the victim to contact the email address xrtnhelp@yandex.ru for help. It is currently unknown how much the author is charging for the ransom. At this time there is no way of recovering the decrypt key.

This ransomware is made up of a variety of tools and batch files that perform the encryption of your files. It is installed via a JavaScript file that downloads various files from gusang.vpscoke.com to the victim's computer. The files that are downloaded include GnuPG.exe, a Word document, and a batch file that performs the encryption routine. Once run, the JavaScript installer will download the files, launch the word document and then execute the batch file. The fact that it launches the Word document indicates that this Javascript file is most likely sent out as an email attachment masquerading as a Word document.  An example deobfuscated JavaScript XRTN infector can be seen below.

Cleaned up JS Infector

When the batch file is executed it will generate a RSA-1024 key and scan all drive letters for data files to encrypt. If it finds any data files that match the targeted extensions, it will encrypt them and add the .XRTN extension to them. The file extensions targeted by this ransomware are:

.xls, *.doc, *.xlsx, *.docx, *.pdf, *.rtf, *.cdr, *.psd, *.dwg, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip

During the encryption process, the XRTN ransomware will also delete the shadow volume copies so that the user cannot use them to recover their files. It deletes them by creating and executing a VBS script contain a WMIC command that clears the shadow volumes on the infected computer. This VBS file can be seen below.

VBS File to Delete the Shadow Volume Copies

During the encryption process the batch file will also export the private key that was used to encrypt the data to a file called XRTN.key.  This file will also contain other information such as the user name, computer name, date, the amount of encrypted files, the counts of each type of encrypted extension, and other configuration settings.  The XRTN.key file, which contains the key required to decrypt the victim's files, will then be encrypted with a master public key that is included in the batch file as shown below.

Master Public Encryption Key

The batch file will then execute the cipher /w command on every drive letter in order to overwrite free disk space so that you unable to use file recovery tools. A ransom note will then be displayed that contains instructions to email xrtnhelp@yandex.ru in order to find out how you get your data back.

Ransom Note

My guess is that the developer will request the victim's encrypted XRTN.key file and issue the ransom amount. If the victim pays the ransom, the malware developer can then use their master decryption key to decrypt the victim's XRTN.key file in order to retrieve the victim's unique private decryption key. They can then send this key along with a batch file to decrypt the users files.

Unfortunately, at this time there is no way to decrypt the files for free without first obtaining the master private decryption key, which is known only by the malware developer. As this is not likely to happen any time soon, the only options are to restore your data via backup.

Files associated with the XRTN Ransomware:


Registry entries associated with the XRTN Ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\onuntsss	mshta %AppData%\3cnq8256w5rxxavz.hta


Related Articles:

Company Pretends to Decrypt Ransomware But Just Pays Ransom

The Week in Ransomware - December 7th 2018 - WeChat Ransomware, Scammers, & More

Ransomware Infects 100K PCs in China, Demands WeChat Payment

Chinese Police Arrest Dev Behind UNNAMED1989 WeChat Ransomware

Moscow's New Cable Car System Infected with Ransomware the Day After it Opens