Malware News Kaspersky decrypts Ransomware from TeamXRat

[omidomi]

Kaspersky posted a great article about their TeamXrat Ransomware analysis and how they were able to create a decryptor for its victims. Reported back in mid September in our forums, I and other security researchers were never able to find an actual sample of the malware. It turns out that this was because the ransomware is being manually installed via hacked RDP services and then manually cleaned up after the installation is finished.

Installed via Hacked Remote Desktop Services
According to Kaspersky, this ransomware, which they have named the Xpan Ransomware, is created by a Brazillian cybergang that goes by the name TeamXrat or CorporacaoXRat. This group targets servers and computers running Remote Desktop Services and attempt to brute force passwords to gain access. Once they are able to gain access, they will manually install the ransomware and encrypt the victims data.

Depending on the version of the ransomware, when the files are encrypted they will have the ___xratteamLucked or the ____xratteamLucked extension appended to the filenames. A ransom note will also be created called Como descriptografar os seus arquivos.txt. This file name translates from Portuguese to English as How to decrypt your files.