Xorist Ransomware
April 19, 2023
Encoder Builder crypto-constructor
This is a whole family of crypto-ransomware, based on the Encoder Builder crypto-constructor, in which you can set various parameters for the future crypto-ransomware:
- a list of target file extensions for encryption;
- the format of the extension added to encrypted files;
- encryption algorithm (XOR or TEA);
- encryption password;
- the number of attempts to enter the password;
- decryption password;
- interface language;
- images for the lock screen and wallpaper change;
- adding to the system startup and other features.
The message text areas hold the ransom note that victims will see after infection; the search masks are the file extensions the builder looks for when choosing which files to encrypt; *.nnn is the extension that will be appended to the end of each new file name; the wallpaper and icon can also be chosen.
The final step is to hit the magic "Create" button to generate the binary that will be used to infect victims. Building a ransomware binary is convenient and requires no technical skill. That convenience attracted a number of newcomers and budding cybercriminals to try sending spam or phishing messages with embedded ransomware links or attachments. An additional factor is that the risk involved is significantly lower because of the geo-location barrier. All of these factors led to ransomware spreading being advertised as a service.
In fact, Xorist has far more than two appearances. Because of the specific builder used by the Xorist group, this ransomware can change itself so much that it is hard to recognise. That builder is a program that looks like an IDE but is designed specifically for malware creation. It is logical to suppose that this is done to make antivirus tools ineffective against the malware, and they really are. Luckily, cybersecurity analysts managed to obtain a sample of this builder, so the encryption algorithm is known and decryption solutions exist.
Of course, the existence of a ransomware builder is a clear sign of the ransomware-as-a-service (RaaS) model. The fraudsters who created the original ransomware and the builder simply sell them to third parties. In this way they secure a stable income from RaaS buyers, along with the safety that lets them keep operating without any risk.
Xorist ciphering mechanism
Xorist ransomware uses a rather unusual encryption algorithm. The Tiny Encryption Algorithm (TEA for short) uses a 128-bit key, which is shorter than the AES-256 or RSA-2048 keys used so widely by other ransomware families. It is still far too hard for an individual user to brute-force. Even the most powerful computers, with a Threadripper CPU and SLI-connected RTX 3090 Ti GPUs, will not give you a satisfying decryption speed: you would spend several trillion years on it, and even quantum computers would not do much better.
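To make the "known algorithm, unknown key" point concrete, here is a reference implementation of TEA as an added example (this is not code from the article or from the Xorist builder). It assumes the standard TEA parameters (32 cycles, delta 0x9E3779B9) and little-endian packing of the 16-byte key into four words; how the builder derives the key from the chosen password is not described on this page. The brute-force estimate uses an assumed trial rate of one trillion keys per second.

```python
"""Reference TEA block cipher, the algorithm the article attributes to Xorist.
Added example for this page; not code from the article or the Xorist builder.
Assumed: standard TEA (32 cycles, delta 0x9E3779B9), little-endian key words."""
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
CYCLES = 32  # 32 cycles of two Feistel rounds each = the usual 64-round TEA


def key_from_bytes(raw: bytes) -> tuple:
    """Split a 128-bit key into the four 32-bit words TEA works on (assumed little-endian)."""
    if len(raw) != 16:
        raise ValueError("TEA needs exactly a 128-bit (16-byte) key")
    return struct.unpack("<4I", raw)


def tea_encrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Encrypt one 64-bit block given as two 32-bit words; all arithmetic is mod 2**32."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(CYCLES):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Invert tea_encrypt_block: the same key schedule run backwards from the final sum."""
    k0, k1, k2, k3 = key
    total = (DELTA * CYCLES) & MASK32  # value of `total` after the last encryption cycle
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1


def brute_force_years(key_bits: int = 128, keys_per_second: float = 1e12) -> float:
    """Years needed to try every key at an assumed trial rate (10**12 keys/s by default)."""
    return 2 ** key_bits / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    key = key_from_bytes(bytes(range(16)))   # constructed sample key
    block = (0x01234567, 0x89ABCDEF)         # constructed sample block
    ct = tea_encrypt_block(*block, key)
    assert tea_decrypt_block(*ct, key) == block
    print(f"ciphertext {ct[0]:08x}{ct[1]:08x}; exhaustive search ~{brute_force_years():.2e} years")
```

With the key known (as it is once the builder's output is analysed) decryption is a single pass; without it, the estimate above shows why a decryptor rather than brute force is the only realistic route.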
Technical details
Note | HOW TO DECRYPT FILES.txt; contains a short message with ransom payment instructions
File extension | DIVINITY, ARMY, ANONYMOUS, BTCRY_ZIP, GREED, DISTURBED, NIN9, C0DER_HACK, FUUCRY, HACK, MONERO, RAPED, VAPO, MOTION, ZOTON, ZATON, EnCiPhErEd, LYDARK, LOCKERXXS
Algorithm | TEA (128-bit)
Features | builder ("IDE") that lets each distribution group modify its Xorist variant as it wants
Damage | disables Microsoft Defender; deletes Volume Shadow Copies
Distribution | email spam
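The indicators in the table above (the ransom note name and the appended extensions) are enough for a quick triage of a file listing. The following is an added example written for this page, not the article's own tooling; the sample listing is constructed, and because the builder lets each group choose its own extension, a miss means "not one of the extensions listed here", not "clean".

```python
"""Triage a file listing for the Xorist indicators given in the article's table.
Added example for this page; not code from the article.  Sample listing is constructed."""
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the article lists as appended to encrypted files (compared case-insensitively,
# since the builder lets each group set an arbitrary string such as EnCiPhErEd).
KNOWN_EXTENSIONS = {e.upper() for e in (
    "DIVINITY", "ARMY", "ANONYMOUS", "BTCRY_ZIP", "GREED", "DISTURBED", "NIN9",
    "C0DER_HACK", "FUUCRY", "HACK", "MONERO", "RAPED", "VAPO", "MOTION", "ZOTON",
    "ZATON", "EnCiPhErEd", "LYDARK", "LOCKERXXS")}
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"


def classify(path: str) -> str:
    """Label one path: 'note', 'encrypted' (known appended extension) or 'other'."""
    p = PureWindowsPath(path)  # accepts both backslash and forward-slash paths
    if p.name.upper() == RANSOM_NOTE.upper():
        return "note"
    if p.suffix.lstrip(".").upper() in KNOWN_EXTENSIONS:
        return "encrypted"
    return "other"


def triage(paths) -> dict:
    """Summarise a listing: counts per label, directories touched, and a verdict."""
    labels = {p: classify(p) for p in paths}
    counts = Counter(labels.values())
    hit_dirs = sorted({str(PureWindowsPath(p).parent) for p, lab in labels.items() if lab != "other"})
    verdict = "xorist-indicators" if counts["note"] or counts["encrypted"] else "no-known-indicators"
    return {"verdict": verdict, "notes": counts["note"],
            "encrypted": counts["encrypted"], "dirs": hit_dirs}


# Constructed sample listing (not real telemetry)
SAMPLE = [
    r"C:\Users\alice\Desktop\HOW TO DECRYPT FILES.txt",
    r"C:\Users\alice\Documents\report.docx.DIVINITY",
    r"C:\Users\alice\Documents\budget.xlsx.DIVINITY",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```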
After encryption, Xorist leaves a single ransom note on your desktop. It is named HOW TO DECRYPT FILES.txt and contains the following text:
Attention! All your files are encrypted! To restore your files and access them, please send an SMS with the text XXXX to YYYY number. You have N attempts to enter the code. When that number has been exceeded, all the data irreversibly is destroyed. Be careful when you enter the code!
Here is another thing that makes Xorist quite original. You are told to send an SMS with a certain text to a specified phone number, instead of contacting the crooks via email as is usually done. It is unclear how they avoid being traced through the cellular network. SMS was used by the predecessors of ransomware, the Winlockers. Those viruses blocked the desktop and demanded a ransom to unlock it. Because that malware type was used at a time when email was not widespread, a message to a phone was the only option.
The fraudsters also warn you that guessing the password will lead to data loss. That could be possible if the ransomware were able to control every element of the system, but it does not. Guessing the password has no effect, but rather than wasting time on it, it is better to do something to help find the ransomware distributors. Reporting the attack to the local authorities that investigate cybercrime is a very worthwhile step.
Below is the list of file extensions that Xorist targets. You will definitely see all such files encrypted after the attack:
*.zip, *.rar, *.7z, *.tar, *.gzip, *.jpg, *.jpeg, *.psd, *.cdr, *.dwg, *.max, *.bmp, *.gif, *.png, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.txt, *.pdf, *.djvu, *.htm, *.html, *.mdb, *.cer, *.p12, *.pfx, *.kwm, *.pwm, *.1cd, *.md, *.mdf, *.dbf, *.odt, *.vob, *.ifo, *.lnk, *.torrent, *.mov, *.m2v, *.3gp, *.mpeg, *.mpg, *.flv, *.avi, *.mp4, *.wmv, *.divx, *.mkv, *.mp3, *.wav, *.flac, *.ape, *.wma, *.ac3.