XHAMSTER Ransomware


The XHAMSTER ransomware is a strain of file-encrypting malware that is believed to belong to the Phobos family.

The XHAMSTER ransomware will encrypt victim files once on the system and will make them unreadable. Encrypted files retain their original filenames, but get a multi-component extension appended to them. The newly added extension contains the ID string assigned to the victim, the hackers' ICQ username and .XHAMSTER at the very end. In this way, a file previously called "document.doc" will transform into "document.doc.id[alphanumeric string].[ICQ@xhamster2020].XHAMSTER.

The hackers exploiting the XHAMSTER ransomware seem to use the now-obsolete ICQ client and victims will need to use the software in case they want to get in touch. This likely allows them to fly under the radar as the program and platform are deprecated and very old.

Once the ransomware encrypts files, it displays a pop-up window containing the ransom note and drops it inside a file named "info.txt" as well. The pop-up window displays a .hta file with a slightly different version of the ransom note text. The info.txt ransom note reads as follows:


Unfortunately for you, a major IT security weakness left you open to attack.

All your files have been encrypted with ciphers more advanced than those used for diplomatic communications.

You can spend days and months searching for a magical way to decrypt your files, but rest assured we are the only people who can help you recover your files, there is no free tool.

If you want to restore files, install ICQ software on your PC here hxxps://icq dot com/windows/ or on your mobile phone search in Appstore / Google play market "ICQ"

Write to our ICQ @xhamster2020 hxxps://icq dot im/xhamster2020

Write file ID in the title of your message

Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 3Mb and files should not contain valuable information.


Do not rename encrypted files.

Do not try to decrypt your data using third-party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

There is currently no decryption tool for the XHAMSTER ransomware and the only way to recover scrambled files remains a backup drive or other forms of offline storage.

May 4, 2022