Xiaoba Ransomware Removal Guide

Do you know what Xiaoba Ransomware is?

Xiaoba Ransomware is a malicious program developed for money extortion. It is believed to target China, since its messages are displayed in Chinese, although some of them are available in English as well. According to our researchers, these messages should appear only once the infection has finished its primary task, which is encrypting the user's files with a strong cryptosystem. As a result, the files become unreadable and the user cannot open them. Further in the article we give details that could help victims identify Xiaoba Ransomware. There is also a removal guide at the end of the text. It may help you eliminate the malicious program manually, but if it does not work, it would be best to leave the task to a reputable antimalware tool of your choice.

Xiaoba Ransomware is said to be distributed through malicious software installers or spam emails, so one way or the other the computer gets infected after the user launches a suspicious file. First, the malware creates a few files and Registry entries to settle on the infected device. For instance, it might create a value called XiaoBa under the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run key. According to our researchers, this entry lets the threat launch itself automatically with the operating system, which means you might be greeted by the malicious program's window each time you turn on the device until you get rid of it. The mentioned Registry value and all other data related to the threat are listed in the removal guide.

Next, we would like to explain what happens during the encryption process. Our researchers say the malware encrypts the user's personal data with the RSA and AES cryptosystems, which means the files cannot be recovered by guessing the key. Each encrypted file's extension is then replaced with the malicious program's own extension, which consists of .XiaoBa followed by a number from one to ten, for example picture.XiaoBa1, video.XiaoBa7, and so on. Then Xiaoba Ransomware replaces your Desktop wallpaper with a black picture showing a message from the cyber criminals who created the malware, the so-called ransom note. Besides the Desktop picture, the ransom note can also be found in a file called _@Explanation@_.hta and in the infection's window, which opens right after the encryption process. According to the note, the only way to restore the encrypted data is to pay the ransom, but keep in mind that the hackers cannot be trusted and there is no guarantee they will do as they promise.

If paying the ransom does not look like a smart idea to you, we encourage you not to give in to any demands and to get rid of Xiaoba Ransomware instead. The removal guide below could help you erase the infection manually, although we cannot guarantee it will work for every reader. If the deletion part appears too complicated, you can always employ a reputable antimalware tool and let it deal with the threat. Such a tool might be helpful in the future as well, since it could guard the device against other malicious programs.

Erase Xiaoba Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Open Task Manager.
  3. Pick the Processes tab.
  4. Look for a process belonging to the threat.
  5. Select it and click the End Task button.
  6. Leave Task Manager.
  7. Press Windows Key+R.
  8. Type Regedit and click OK.
  9. Navigate to this particular location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  10. Find a value called XiaoBa; its value data is the path to the malware's file.
  11. Right-click the described value name and press Delete.
  12. Go to this location: HKEY_CURRENT_USER\Control Panel\Desktop
  13. Find a value called Wallpaper; its value data might be C:\Windows\{*Chinese characters}.bmp. Right-click it and select Modify.
  14. Replace the given path with a path to a picture you like and press OK.
  15. Close Registry Editor.
  16. Press Windows Key+E.
  17. Check the following paths:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  18. Search for the infection’s installer.
  19. Right-click it and choose Delete.
  20. Locate the listed paths:
    %USERPROFILE%\Desktop
    %HOMEDRIVE%
  21. Find files called _@Explanation@_.hta and _@XiaoBa@_.bmp.
  22. Right-click the mentioned files separately and press Delete.
  23. Go to: %TEMP%
  24. Right-click and Delete the listed data:
    Chinese Simplified.txt
    Chinese Chinese Traditional.txt
    English.txt
  25. Navigate to: %WINDIR%
  26. Find the malware’s picture ({*Chinese characters}.bmp), right-click it and select Delete.
  27. Close File Explorer.
  28. Empty Recycle bin.
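The manual steps above can be checked and carried out in one pass with the following PowerShell script. It is an added example written for this guide, not tooling from the page's author or from the malware's analysts. It assumes the artifact names and Registry locations are exactly as listed above; the -Remove switch, the -ReplacementWallpaper parameter, the Note helper, the use of the Run value's data to locate the running process, and the extra check of the native 64-bit Run key are this example's own assumptions. Run it from an elevated prompt without -Remove first, so it only reports.

```powershell
# Xiaoba indicator triage, an added example for this guide (not the guide's own
# tooling). Assumptions: artifact names and paths are exactly as the guide lists
# them; the -Remove switch, the Note helper, the process lookup via the Run value
# and the 64-bit Run key check are this example's own. Without -Remove it only
# reports, so run it that way first and keep the output.
[CmdletBinding()]
param(
    [switch]$Remove,                       # repair/delete instead of report only
    [string]$ReplacementWallpaper = ''     # path to a wallpaper you want back
)

$findings = New-Object 'System.Collections.Generic.List[string]'
function Note([string]$Message) { $findings.Add($Message); Write-Host $Message }

# 1. Persistence: a Run value named XiaoBa. The guide lists the Wow6432Node key;
#    the native 64-bit key is checked as well (assumption).
$runValuePath = $null
foreach ($key in @(
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains 'XiaoBa')) {
        $runValuePath = [string]$props.XiaoBa
        Note "Run value XiaoBa in $key -> $runValuePath"
        if ($Remove) { Remove-ItemProperty -Path $key -Name 'XiaoBa' }
    }
}

# 2. Running process: the guide does not name the executable, so the image path
#    recorded in the Run value is used to find it (assumption; a value with
#    extra arguments would need parsing first).
if ($runValuePath) {
    $image = $runValuePath.Trim('"')
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ieq $image) } |
        ForEach-Object {
            Note "Process $($_.Id) running from $($_.Path)"
            if ($Remove) { Stop-Process -Id $_.Id -Force }
        }
    if ($Remove -and (Test-Path -LiteralPath $image)) {
        Remove-Item -LiteralPath $image -Force   # the dropped executable itself
    }
}

# 3. Wallpaper hijack: the guide says Wallpaper points at a .bmp under %WINDIR%.
$desktopKey = 'HKCU:\Control Panel\Desktop'
$wallpaper = (Get-ItemProperty -Path $desktopKey -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wallpaper -and ($wallpaper -like "$env:WINDIR\*.bmp")) {
    Note "Wallpaper value points at $wallpaper"
    if ($Remove) {
        # Takes effect after sign-out or a desktop refresh.
        Set-ItemProperty -Path $desktopKey -Name Wallpaper -Value $ReplacementWallpaper
    }
}

# 4. Dropped files named in the guide: ransom note, wallpaper image, language
#    text files in %TEMP%, and the .bmp with non-ASCII characters in %WINDIR%.
$dropped = @()
foreach ($dir in @("$env:USERPROFILE\Desktop", "$env:HOMEDRIVE\")) {
    foreach ($name in '_@Explanation@_.hta', '_@XiaoBa@_.bmp') {
        $dropped += Join-Path $dir $name
    }
}
foreach ($name in 'Chinese Simplified.txt', 'Chinese Chinese Traditional.txt', 'English.txt') {
    $dropped += Join-Path $env:TEMP $name
}
$winBmps = @(Get-ChildItem -Path $env:WINDIR -Filter '*.bmp' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '[^\x00-\x7F]' } | ForEach-Object { $_.FullName })
$dropped += $winBmps
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        Note "Dropped file present: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

# 5. Inventory of encrypted files: extension .XiaoBa followed by 1..10.
#    These are NOT deleted; keep them in case a decryptor appears later.
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.XiaoBa(10|[1-9])$' })
Note "Encrypted files found under ${env:USERPROFILE}: $($encrypted.Count)"
Set-Content -Path (Join-Path $env:USERPROFILE 'xiaoba-encrypted-files.txt') `
    -Value @($encrypted | ForEach-Object { $_.FullName })

Note "Total findings: $($findings.Count)"
```

The script deliberately never touches the .XiaoBa1 to .XiaoBa10 files: with RSA and AES used properly, those files are only recoverable from backups or a future decryptor, so the inventory it writes is the list you will need when one becomes available.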

In non-techie terms:

Xiaoba Ransomware is most likely to be encountered by users living in China. The cyber criminals behind it encrypt your data to hold it hostage and then demand a ransom in exchange for restoring it. Even if the sum asked may seem worth paying for the encrypted files, users should not forget there is no guarantee the hackers will hold up their end of the deal. To put it simply, you might be left with no personal data and less money than you had before. To those who would rather not risk their money, we recommend erasing the malware with the removal guide above or with a reputable antimalware tool. The encrypted files can later be restored if the user has copies of them on removable media. There is also hope that volunteer IT specialists will create a free decryption tool, so keep the encrypted files rather than deleting them, and check for such a tool from time to time.