Xpan Ransomware Removal Guide

Do you know what Xpan Ransomware is?

Xpan Ransomware appears to be a new malicious application from the hackers who call themselves TeamXRat or CorporacaoXRat. Our specialists say they are the same cyber criminals who already brought us another file-encrypting malware known as Xorist Ransomware. However, it looks like the newer application is much more complex than Xorist Ransomware, although there are some similarities between them. If you wish to know what we have in mind, we encourage you to read the rest of our report as we will tell you all there is to know about this recently created infection. What’s more, anyone whose computer was infected can try to erase the threat manually with the removal guide placed below, although we should warn you the task could be difficult, so it might be easier and safer to use a reputable antimalware tool.

Currently, the malicious application seems to be targeted at various corporations and companies. It was reported the hackers behind Xpan Ransomware might simply try to brute-force the targeted computer’s password or use Remote Desktop Protocol to connect to chosen device remotely. Once they have access to the system, the cyber criminals can manually disable the computer’s security tool leaving the device defenseless. Then all that is left to do is drop the malware’s launcher and open it. So far it is difficult to say if the infection’s creators are planning on distributing it among computer users, though it is possible they could continue to target only corporations.

Unlike the mentioned Xorist Ransomware that was coded in Assembly language and used Tiny Encryption Algorithm, Xpan Ransomware was coded in C++ language, and it uses a more secure encryption algorithm called AES-256. Also the malware can affect a wide range or different file types except the ones with .exe, .dll, .lnk, .bat, .ini, .msi, or .scf extensions. Enciphered files should obtain an additional ___xratteamLucked extension, which might be added at the end of the title. Afterward, the hackers should drop a document called Como descriptografar os seus arquivos.txt in each directory containing encrypted data. Inside the document, there should be a ransom note telling what to do to unlock the damaged files. The Same information should be provided in a picture that is set as the infected computer’s background.

The ransom note asks Xpan Ransomware’s victims to contact the malware’s creators and get further instructions on how to pay a ransom. Like usual in exchange, the hackers promise to provide decryption tools. Unfortunately, there are no guarantees they will keep up to this promise. Therefore, we would advise the malicious application’s victims to consider such option carefully because when the payment is made, it cannot be undone. As a matter of fact, there might be no need even to consider paying the ransom as the ransomware appears to be decryptable; our researchers report there is a decryption tool available online. If the threat encrypted irreplaceable files it might be worth to try it out; just it would be best to test it on copies first for safety precautions.

Xpan Ransomware might delete itself after encrypting the user’s data, but we cannot be one hundred percent sure about it, so it would be advisable to check the system and take care of the malware in case it remained in the computer. The removal guide placed below will show how to find the infection’s malicious data and how to delete it. The process might appear to be more complicated than expected as the malicious files could have random titles. Because of this, we would recommend using a reliable antimalware tool as it could allow you to complete these tasks automatically.

Eliminate Xpan Ransomware

  1. Press Windows Key+E.
  2. Check the suggested directories one by one:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  3. Look for malicious files with random names that could be related with the infection.
  4. Right-click such data and press Delete.
  5. Erase all ransom notes (Como descriptografar os seus arquivos.txt).
  6. Exit File Explorer.
  7. Empty the Recycle bin.
  8. Reboot the system.

In non-techie terms:

Xpan Ransomware is a serious threat that makes most of the data on the infected system unusable. Unlike many other similar malicious application it might infect the system while using its vulnerabilities, so to guard the device against this malware it is important to update outdated software on the computer and change its password if it is weak or it was not changed for a long time. The threat locks user’s data with a secure cryptosystem, but it seems like IT specialists have already found a way to decrypt it. Thus, it is advisable not to pay the ransom as the cyber criminals demand but search for the free decryption tool. Lastly, we recommend removing the ransomware from the system with the instructions placed above or with a reputable antimalware tool of your choice.