xCor Ransomware Locks Victim Systems


xCor is a form of ransomware created with the intention of encrypting files and renaming them by appending the victim's ID, the xcorp@decoymail.mx email address, and the ".xCor" extension. This malicious software presents two ransom notes, one in the form of a pop-up window and the other as an "info.txt" file. Our team came across xCor during our investigation of malware samples.

Furthermore, our findings revealed that xCor is associated with the Dharma ransomware family. To illustrate how this ransomware manipulates filenames, it takes a file like "1.jpg" and transforms it into "1.jpg.id-1E857D00.[xcorp@decoymail.mx].xCor", similarly altering other files such as "2.png" to "2.png.id-1E857D00.[xcorp@decoymail.mx].xCor", and so on.
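The renaming scheme described above is regular enough to be matched programmatically, which is useful when triaging a host or a file share after an incident. The following is an added example written for this article, not code from Cyclonis or from the ransomware: a small Python helper that parses the Dharma-style name (original name, ".id-" plus an 8-hex-digit victim ID, the contact email in square brackets, and the family extension), counts affected files by victim ID and contact address, and flags the "info.txt" ransom note. The function and variable names, and the sample filename list, are constructed for illustration.

```python
import os
import re
from collections import Counter

# Dharma-style encrypted filename: <original>.id-<8 hex digits>.[<email>].<extension>
# e.g. 1.jpg.id-1E857D00.[xcorp@decoymail.mx].xCor   (pattern taken from the article)
DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom note filename named in the article (lower-cased for comparison).
RANSOM_NOTE_NAMES = {"info.txt"}


def parse_encrypted_name(name):
    """Return the parsed components of a Dharma-style filename, or None if it does not match."""
    m = DHARMA_NAME_RE.match(name)
    return m.groupdict() if m else None


def scan_names(names, expected_ext="xCor"):
    """Classify a list of filenames. Returns (encrypted_hits, ransom_note_names)."""
    hits, notes = [], []
    for name in names:
        base = os.path.basename(name)
        if base.lower() in RANSOM_NOTE_NAMES:
            notes.append(name)
            continue
        info = parse_encrypted_name(base)
        if info and info["ext"] == expected_ext:
            info["path"] = name
            hits.append(info)
    return hits, notes


def summarize(hits):
    """Aggregate hits by victim ID and contact email; useful for scoping one intrusion vs. several."""
    return {
        "encrypted_files": len(hits),
        "victim_ids": dict(Counter(h["victim_id"] for h in hits)),
        "contact_emails": dict(Counter(h["email"] for h in hits)),
    }


def scan_directory(root, expected_ext="xCor"):
    """Walk a directory tree (e.g. a mounted image) and apply scan_names to every file path."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return scan_names(paths, expected_ext)


if __name__ == "__main__":
    # Constructed sample input (hypothetical listing), using the names from the article.
    sample = [
        "C:/Users/victim/Pictures/1.jpg.id-1E857D00.[xcorp@decoymail.mx].xCor",
        "C:/Users/victim/Pictures/2.png.id-1E857D00.[xcorp@decoymail.mx].xCor",
        "C:/Users/victim/Pictures/untouched.png",
        "C:/Users/victim/Desktop/info.txt",
    ]
    hits, notes = scan_names(sample)
    print(summarize(hits))
    print("ransom notes:", notes)
```

Because the regex anchors on the full name and requires the literal ".id-" token, an exact 8-hex-digit ID and a bracketed address, it does not fire on ordinary files that merely end in an unusual extension; the extension filter lets the same helper be pointed at other Dharma variants by changing `expected_ext`.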

The ransom note notifies victims that all of their files have been encrypted. However, it also offers reassurance that the files can be restored. Victims are given instructions to contact the attackers via email, either through xcorp@decoymail.mx or whisper@mailfence.com.

Additionally, the note states that the attackers provide a guarantee of free decryption for up to three files, serving as a demonstration of their ability. Certain limitations are placed on the files eligible for decryption, including size restrictions (less than 3Mb) and content restrictions (such as excluding valuable information like databases or backups).

Lastly, victims are issued two warnings. First, they are strongly advised against renaming the encrypted files. Second, they are discouraged from attempting to decrypt the data using third-party software, as doing so may lead to permanent data loss.

xCor Ransom Note Presented in Two Formats

The longer version of the xCor ransom note reads as follows:

All your files have been encrypted!
Don't worry, you can return all your files!
If you want to restore them, write to the mail: xcorp@decoymail.mx YOUR ID 1E857D00
If you have not answered by mail within 12 hours, write to us by another mail:whisper@mailfence.com
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Can Ransomware Like xCor Infect Your Computer?

xCor and similar ransomware can infect your computer through various means. Here are some common methods used by ransomware to infiltrate systems:

  • Email Attachments: One common way ransomware spreads is through malicious email attachments. Cybercriminals often send emails that appear legitimate and convincing, containing infected attachments such as PDFs, Word documents, or executable files. If you unknowingly download and open such attachments, the ransomware can be activated and start encrypting your files.
  • Phishing Emails and Websites: Ransomware can also be distributed through phishing emails or fake websites. Phishing emails are designed to deceive recipients into clicking on malicious links or downloading infected files. Similarly, fake websites may prompt you to download software updates or enter personal information, but instead, they deliver ransomware to your system.
  • Exploit Kits: Ransomware can exploit vulnerabilities in outdated software, operating systems, or web browsers. Exploit kits are malicious tools that scan computers for security weaknesses and deliver ransomware payloads to exploit those vulnerabilities. It is crucial to regularly update your software and use reliable security patches to minimize the risk of exploitation.
  • Malvertising: Malicious advertising, or malvertising, involves the injection of malicious code into legitimate online advertisements or websites. By simply visiting a compromised website or clicking on an infected advertisement, ransomware can be inadvertently downloaded onto your computer without your knowledge.
  • Remote Desktop Protocol (RDP) Attacks: Ransomware attackers sometimes target computers with exposed Remote Desktop Protocol. If they successfully exploit weak or easily guessed login credentials, they gain unauthorized access to the system and deploy ransomware.
  • Drive-by Downloads: Drive-by downloads occur when visiting compromised websites that have hidden malicious code. Simply visiting these websites can trigger the automatic download and installation of ransomware onto your computer.
May 30, 2023
