Rans-A Ransomware is an Xorist Variant Seeking Files for Encryption

During our analysis of malware samples, our team has identified a new type of ransomware known as Rans-A, which belongs to the Xorist family. This ransomware functions by encrypting files and then adding the extension ".Rans-A" to their filenames. The ransomware creates a text file called "HOW TO DECRYPT FILES.txt" and displays an error message, which contains a ransom note.

For example, if the ransomware encrypts the files "1.jpg" and "2.png", it will change their names to "1.jpg.Rans-A" and "2.png.Rans-A", respectively. The ransom note states that all data and backups on the device have been encrypted and can only be retrieved by contacting the provided email address, which is mollyrecup@protonmail.com. The note also indicates that the data can be made accessible again within one hour.

In addition, the ransom note warns the victim not to delete or rename any locked files with the .Rans-A extension and not to share the message on any website. It is important to take precautions to safeguard against ransomware attacks and to regularly back up important data.

Rans-A Uses Ransom Note Written in Portuguese

The full text of the Rans-A ransom note reads as follows:

Todos Dados/Backups foram criptografados
a unica forma de obter os dados em seu perfeito estado é
entrar em contato no Email: mollyrecup@protonmail.com
Dados em perfeito estado em até 1 hora
prazo max para o contato 20/03/2023 12:00 ID-6732
(N = NÂO)

• N delete arquivos trancados
• N não renomeie os arquivos trancados .Rans-A
• N não poste esta mensagem em nenhum site
  nem denuncie pois podem bloquear este email.

How Can Ransomware Like Rans-A Get on Your System?

Ransomware such as Rans-A can infect your system in several ways. Some of the most common methods are:

• Email attachments: Cybercriminals often send phishing emails with malicious attachments that contain ransomware. These attachments may appear legitimate, such as a PDF or Word document, but they actually contain the malware.
• Malicious links: Attackers may also send emails that contain links to malicious websites. When a victim clicks on the link, the ransomware is automatically downloaded onto their computer.
• Exploits: Ransomware can also be delivered through software vulnerabilities or exploits that haven't been patched by the user. This is why it is important to keep your software up to date with the latest security patches.
• Fake software updates: Attackers may create fake software update alerts that trick users into downloading and installing the malware.
• Malvertising: Cybercriminals may also use malvertising, which involves injecting malicious code into legitimate advertisements displayed on websites. When a user clicks on the ad, the ransomware is automatically downloaded onto their system.

To protect yourself against ransomware attacks, it is important to use up-to-date antivirus software, avoid opening suspicious emails and attachments, be cautious of clicking on links from unknown sources, and regularly backup your important data.