LTS Secure Warning: How to remove Xorist Ransomware

Xorist is a Ransomware type virus created using Encoder Builder v.24 from to lock victim’s data. It emerged in 2016, but, during the past two years, the malware has received several updates. Currently, there are about 12 different versions of the virus. All members of this ransomware family have been using the same encryption strategy to lock files on the targeted machine.

Typically, they rely on XOR or TEAcryptography, but each version might append unique file extension and delivers a ransom note in the text file where victims are asked to transfer a specific amount of Bitcoins for data recovery.

Technical Details

When all data are locked, it delivers a ransom note in the same READ ME FOR DECRYPT.txt. file, where victims are asked to contact them via and pay 0.8 Btc for Cerber decryption software. However, paying the ransom is not recommended. It’s clear that the creators of malware are just trying to make as much illegal money as possible by developing new versions of the same virus.


Variants of Xorist Ransomware:

  • Team Xrat Ransomware: This version has been discovered on August 2016. Mostly targeted Portuguese computer users. The virus encrypts files with RSA-2048 encoding system and hides the decryption key. To the encrypted files, malware appends .C0rp0r@c@0Xr@ file extension and delivers a ransom note “Como descriptografar seus arquivos.txt.”
  • XPan Ransomware: Malware emerged in September 2016. It uses AES-256 encryption and appends either .____xratteamLucked and .one file extensions. The unique feature of the ransomware is that after infiltration it check the default language of the computer.
  • Zixer2 Ransomware: This variant of the Xorist uses Tiny Encryption Algorithm and appends .zixer2 file extension.
  • Imme Ransomware: Malware uses XOR encryption algorithm and appends .imme or .imme.teras.completecrypt file extensions.
  • AvastVirusinfo Ransomware:  This variant aims at Russian-speaking computer users. It appends .[8 random chars] extension to each of the targeted file and installs a ransom note called “??? ???????????? ?????.txt,”
  • Crypto1CoinBlocker Ransomware: Malware uses RSA-2048 cryptography to encode files on the affected computer. When all files are encrypted, ransomware delivers a pop-up window with a ransom-demanding message. The same data recovery instructions are provided in the HOW TO DECRYPT FILES.txt file too.
  • Hello Ransomware: It’s the recent variant of Xorist malware that emerged in August 2017. Malware spreads and is executed from the iji.exe file. Once this file is run on the system, it starts scanning the system and looking for the targeted files. To all of the encrypted data it appends .HELLO file extension.
  • Cerber Ransomwar: Despite the reference to the notorious Cerber Ransomware, the malware happens to be another version of Xorist virus.
  • Cryptedx Ransomware:  This is the newest version of Xorist crypto-malware. The virus is already detected by 53 security software vendors as dawdawd.exe. Fortunately, just like previous its versions, it can be decrypted with the help of Emsisoft decrypter.
  • Xorist-Frozen Ransomware: Xorist-Frozen is the latest Xorist Ransomware version that has been detected at the beginning of February 2018. According to the latest reports, the Xorist-Frozen is very similar to its predecessors. It uses XOR file encryption algorithms and creates a HOW TO DECRYPT FILES.txt ransom note. Currently, the file extension appended to the encrypted files is not known.
  • Xorist-XWZ Ransomware: Xorist-XWZ is the newest version of the Xorist ransomware family. It has been detected in the second half of March 2018 by a group of ransomware researchers. This variant uses XOR encryption algorithm to render personal victim’s files useless.

Recommended Actions

Cyber criminals use various techniques to spread this virus, such as malicious spam emails malvertising, fake or illegal downloads, etc. However, by following a few simple rules, you can reduce the risk of getting a computer virus.

  • Never open emails that come from unknown senders.
  • Avoid reading emails that fall into “Spam” category.
  • Do not click on suspicious content while you browse the Internet.
  • Download files only from trustworthy web sources. Besides, you should save them to your computer system instead of running/opening them immediately.
  • Backup your files.
  • Protect your computer with a trustworthy anti-spyware or anti-malware software.

To know more, click on the link.


LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013