xDec Ransomware Locks Victim Drives


While examining new malware samples, we came across xDec, a ransomware strain belonging to the Phobos family. The malware encrypts files, renames them, and drops two ransom notes: a short text file named "info.txt" and an HTA file named "info.hta" that opens as a pop-up window. Like other Phobos variants, xDec appends the victim's ID, an attacker e-mail address, and the ".xDec" extension to each encrypted filename.

For instance, it renames "1.jpg" to "1.jpg.id[9ECFA84E-3449].[x-decrypt@worker.com].xDec", "2.png" to "2.png.id[9ECFA84E-3449].[x-decrypt@worker.com].xDec", and so on. The ransom note tells the victim that their files have been encrypted due to a security problem with their computer and provides the address x-decrypt@worker.com for starting the file restoration process. The note instructs the victim to put their ID in the subject line of the message.
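The naming scheme above is regular enough to parse, which is useful during triage: the victim ID and contact address embedded in every filename are the indicators you will want to extract, and the original name is what you need to match files against a backup. The following Python snippet is an added example written for this article, not code from the malware or from any vendor tool. It assumes the ID is eight hex characters, a hyphen and four more hex characters, generalising slightly from the single sample ID shown above, and it only reads filenames; it never renames anything, which the ransom note warns against and which would also complicate recovery.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Phobos-family naming scheme as described in the article:
#   <original name>.id[<victim id>].[<attacker e-mail>].<extension>
# Assumption (not stated on the page): the victim ID is 8 hex chars, '-', 4 hex chars.
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class EncryptedName:
    original: str   # filename before the malware renamed it
    victim_id: str  # the ID the note asks the victim to quote
    email: str      # attacker contact address
    ext: str        # appended extension, "xDec" for this variant


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the parsed fields for a Phobos-style filename, or None if it does not match."""
    m = PHOBOS_NAME_RE.match(name)
    if not m:
        return None
    return EncryptedName(m["original"], m["victim_id"], m["email"], m["ext"])


def triage(names: Iterable[str]) -> dict:
    """Summarise a directory listing: how many files match and which IOCs they carry."""
    hits = [p for p in (parse_encrypted_name(n) for n in names) if p is not None]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h.victim_id for h in hits}),
        "emails": sorted({h.email for h in hits}),
        "extensions": sorted({h.ext for h in hits}),
        "originals": sorted(h.original for h in hits),
    }


# Constructed listing for demonstration, built from the article's sample names
# plus the two ransom notes and one untouched file.
SAMPLE_LISTING = [
    "1.jpg.id[9ECFA84E-3449].[x-decrypt@worker.com].xDec",
    "2.png.id[9ECFA84E-3449].[x-decrypt@worker.com].xDec",
    "budget 2024.xlsx.id[9ECFA84E-3449].[x-decrypt@worker.com].xDec",
    "info.txt",
    "info.hta",
    "desktop.ini",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Because the original name is recovered as a separate field, the same parser can drive a restore script that looks each original up in an offline backup, without ever touching the encrypted copies.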

If there is no response within 24 hours, the victim is instructed to contact another email address, x-decrypt@hackermail.com. The note explains that payment for decryption must be made in Bitcoins and that the decryption cost varies depending on how quickly the victim contacts the attackers.

To reassure the victim, the note offers free decryption of up to three files, with specific restrictions on file size and content. It warns against renaming encrypted files or trying to decrypt them using third-party software, as doing so may lead to permanent data loss or an increase in the decryption cost.

xDec Ransom Notes in Full

The brief version of the ransom note generated inside "info.txt" reads as follows:

!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: x-decrypt@worker.com.
If we don't answer in 24h., send e-mail to this address: x-decrypt@hackermail.com

The fuller version of the note, shown in the pop-up window generated from "info.hta", goes as follows:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail x-decrypt@worker.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:x-decrypt@hackermail.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins

You can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Can You Best Protect Your Data from Ransomware?

Protecting your data from ransomware requires a multi-layered approach that combines both preventive measures and proactive strategies. Here are some effective ways to safeguard your data:

Regular Backups: Regularly back up your important files and data to an external storage device or a secure cloud service. Ensure that your backups are stored offline or in a separate location from your main systems to prevent them from being encrypted by ransomware.

Update Software: Keep your operating system, antivirus software, and all other applications up to date with the latest security patches and updates. Ransomware often exploits known vulnerabilities in outdated software, so timely updates can help prevent infections.

Use Antivirus/Anti-Malware Software: Install reputable antivirus or anti-malware software on all your devices and keep it updated. These programs can detect and block many ransomware samples before they start encrypting files, although they should not be relied on as the only line of defense.

Enable Firewall: Activate and properly configure firewalls on your network to monitor and control incoming and outgoing traffic. Firewalls can block unauthorized access attempts and help prevent ransomware from infiltrating your systems.

Restrict User Permissions: Limit user permissions to only what is necessary for their roles. This can prevent ransomware from spreading across your network by restricting the ability of malicious software to access and encrypt files.

Monitor Network Activity: Use network monitoring tools to track and analyze network traffic for any signs of suspicious activity or unauthorized access. Early detection can help prevent ransomware from spreading and causing extensive damage.

Deploy Email Filtering: Implement email filtering solutions to automatically detect and quarantine phishing emails and malicious attachments before they reach users' inboxes. This can significantly reduce the risk of ransomware infections via email.
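The monitoring advice above is only useful with a concrete rule behind it. A signal that is cheap to compute and hard for file-encrypting ransomware to avoid is a burst of in-place renames that append a suffix, since that is exactly what the xDec naming scheme does to every file it touches. The following Python snippet is an added example written for this article, not a product feature or code from any vendor. It assumes rename events are available as (timestamp, user, source path, destination path) records, for instance from endpoint telemetry, and uses a constructed event stream; the window and threshold are illustrative values you would tune for your environment.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class RenameEvent:
    ts: float   # seconds (assumed monotonic clock from the telemetry source)
    user: str   # account that performed the rename
    src: str    # path before the rename
    dst: str    # path after the rename


def appended_suffix(ev: RenameEvent) -> Optional[str]:
    """Return the suffix appended by an in-place rename, or None for any other rename."""
    if os.path.dirname(ev.src) != os.path.dirname(ev.dst):
        return None  # moved to another directory: not the pattern we are after
    base_src = os.path.basename(ev.src)
    base_dst = os.path.basename(ev.dst)
    if base_dst.startswith(base_src) and len(base_dst) > len(base_src):
        return base_dst[len(base_src):]
    return None


def detect_rename_bursts(events: Iterable[RenameEvent],
                         window: float = 60.0,
                         threshold: int = 20) -> List[dict]:
    """Alert once per user who appends suffixes to >= threshold files within `window` seconds."""
    alerts: List[dict] = []
    recent = defaultdict(deque)   # user -> deque of (ts, suffix) inside the window
    fired = set()
    for ev in sorted(events, key=lambda e: e.ts):
        suffix = appended_suffix(ev)
        if suffix is None:
            continue
        q = recent[ev.user]
        q.append((ev.ts, suffix))
        while q and ev.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev.user not in fired:
            fired.add(ev.user)
            alerts.append({
                "user": ev.user,
                "first_ts": q[0][0],
                "last_ts": ev.ts,
                "count": len(q),
                "suffixes": sorted({s for _, s in q}),
            })
    return alerts


# Constructed sample: one account mass-renaming files with the suffix from the article,
# and another account doing two ordinary renames.
PHOBOS_SUFFIX = ".id[9ECFA84E-3449].[x-decrypt@worker.com].xDec"
SAMPLE_EVENTS = [
    RenameEvent(1000.0 + i, "alice",
                f"C:/Users/alice/Documents/file{i}.docx",
                f"C:/Users/alice/Documents/file{i}.docx" + PHOBOS_SUFFIX)
    for i in range(25)
] + [
    RenameEvent(1005.0, "bob", "C:/Users/bob/notes.txt", "C:/Users/bob/notes.txt.bak"),
    RenameEvent(1006.0, "bob", "C:/Users/bob/report.docx", "C:/Users/bob/report_final.docx"),
]

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on behaviour rather than on the ".xDec" string, so it still fires when the next Phobos variant changes its extension; the distinct suffixes are reported with the alert so an analyst can feed them straight into the filename parser used for triage.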

April 17, 2024