Wednesday 23 March 2016

Decryption for Xorist Ransomware is found

Xorist is a ransomware that has been seen quite often in recent ransomware infection cases. Well, good news for those who are affected by this ransomware: researchers at BleepingComputer found a loophole in the encryption that they can use to decrypt the affected files.
As for its history, Xorist is a new ransomware that was first spotted early this year. Xorist encryption is not as complex as that of Locky, TeslaCrypt or CryptoLocker.
The worst part is that the developer behind the ransomware is selling it as an automatic executable builder. This means anyone with a criminal mind can buy it and customize it to make their own version of the ransomware. Those who buy the builder can customize many of Xorist’s features and, more importantly, the encrypted file extension. This encrypted file extension is nothing but an extension added to the end of each file that was encrypted by Xorist. The encrypted file extension is “.locky”, which is fairly easy to locate.
The Xorist builder, sold without any limitations to anyone who wants to enter a life of cyber-crime, allows the criminal to customize this file extension at will, along with many other options. The encrypted file extension is important because users and tech support experts google the term to find out what the ransomware’s name is.
Xorist ransomware builder

How to Identify that you are infected by Xorist?

With many ransomware families, users do not know what attacked them. There are some ways to detect whether you are affected by this ransomware. Once Xorist attacks a user’s PC and locks the files, it leaves a ransom note that tells the user to send an ID via SMS to a certain phone number.
This is the first sign of an infection, as most ransomware families do not use SMS services these days. They use either Bitcoin or Tor-hosted websites.
The second sign is that, in order to decrypt files, users have to enter the decryption password (received via SMS as a reply) in a popup triggered by the ransomware. This is another sign, as this method is outdated.

Get help to unlock files

Xorist can use the TEA (Tiny Encryption Algorithm) or the XOR algorithm to encrypt files, and targets 57 file types by default. Some of the encrypted file extensions seen with Xorist infections these days are .EnCiPhErEd, .73i87A, .p5tkjw, and .PoAr2w, but as mentioned above, all these settings can be tweaked via the builder, and more people may be affected by this threat.
The good news is that Fabian Wosar of Emsisoft has managed to find an encryption flaw in Xorist. The bad news is that this is not a general fix-all solution, and users will have to get in contact with him personally. If you’re one of the victims, you can request his help via these two forum topics (1, 2).
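
Why a plain XOR scheme is recoverable when a victim still has one original copy of a locked file, as an added illustration (not code from this post, Emsisoft or BleepingComputer). It assumes a simple repeating-key XOR, which is not necessarily how Xorist applies its key and is not the flaw Fabian Wosar found; the key and file contents are constructed.

```python
from itertools import cycle

# Assumption: repeating-key XOR. This is a generic illustration, not Xorist's
# actual scheme; TEA-encrypted files are not covered.


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated to length (same call locks and unlocks)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(original: bytes, encrypted: bytes, max_len: int = 64) -> bytes:
    """Recover the shortest repeating key from one original/encrypted file pair."""
    n = min(len(original), len(encrypted))
    # original XOR encrypted cancels the plaintext and leaves the key stream.
    stream = bytes(o ^ e for o, e in zip(original[:n], encrypted[:n]))
    for klen in range(1, min(max_len, n // 2) + 1):
        # Accept a length only if the whole stream repeats with that period.
        if all(stream[i] == stream[i % klen] for i in range(n)):
            return stream[:klen]
    raise ValueError("no repeating key: pair too short or not repeating-key XOR")


# Constructed sample data: a key, a file that also exists in a backup,
# and a second file for which no backup exists.
SAMPLE_KEY = b"constructed-key!"
BACKUP_COPY = b"%PDF-1.4 constructed sample restored from a backup copy\n" * 2
NO_BACKUP = b"Quarterly figures (constructed): 1200, 1350, 1410"


def demo() -> bytes:
    """Recover the key from the backup pair, then unlock the other file."""
    locked_backup = xor_repeating(BACKUP_COPY, SAMPLE_KEY)
    locked_other = xor_repeating(NO_BACKUP, SAMPLE_KEY)
    found = recover_key(BACKUP_COPY, locked_backup)
    return xor_repeating(locked_other, found)


if __name__ == "__main__":
    print(demo().decode())
```

The `ValueError` path matters in practice: if the pair does not yield a repeating stream, the files were not locked with this kind of XOR and the approach does not apply.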
