XRTN Ransomware Discovered, Currently Undecryptable


Community Manager
Staff member
Oct 23, 2012
XRTN has lots of similarities with VaultCrypt
Cyber-criminals are busy bees and are always churning out new malware on a regular basis. Today, the first report on the XRTN ransomware family has surfaced, courtesy of Bleeping Computer's Lawrence Abrams.

According to the researcher, XRTN is very similar to the VaultCrypt ransomware, that first appeared last March. The familiarity resides in the fact that both ransomware families use an RSA-1024 encryption method and rely on the GnuPG software to do all the heavy encryption.

XRTN ransomware delivered via JavaScript, posing as a Word document
Infection occurs via documents received as email attachments. As Mr. Abrams explains, the ransomware, when it executes, it uses JavaScript commands to connect to the gusang.vpscoke.com server. From here it downloads a Word file, the GnuPG.exe file, and a Windows batch file.

Immediately after the download completes, the JS file also makes sure to launch the Word document it just downloaded. This is a sneaky tactic, in which attackers are covering their tracks. As Mr. Abrams speculates, the email attachment may be posing as a Word document, but may truly be a JavaScript file.

A similar JS-based technique is also used in recent versions of the TeslaCrypt ransomware, which booby-traps ZIP files with JavaScript instructions that get executed when the file is decompressed, effectively installing the ransomware.
XRTN uses batch files to encrypt data files
Additionally to launching the Word document, the JS file also instructs the infected computer to run the batch file it just downloaded.

Inside this file is where most of the damage is done, containing instructions on how to encrypt the user's files and manage the encryption keys.

When executed, the batch file will look for data files with special extensions, encrypt them, and add the .xrtn extension at the end (hence the ransomware's name: XRTN). Currently the ransomware targets file extensions such as: .xls, .xlsx, .doc, .docx, .pdf, .rtf, .cdr, .psd, .dwg, .cd, .mdb, .1cd, .dbf, .sqlite, .jpg, and .zip.

XRTN uses a local encryption inventory, does not employ a remote C&C server
All files are encrypted with an RSA-1024 key, and all details about encrypted files, along with the decryption key are stored in the XRTN.key file.

Unfortunately, things aren't as simple as you'd think. The XRTN.key file is also encrypted with a master key stored in the batch file. For users to decrypt the XRTN.key and get the decryption key for their files, they'll need a so-called private key (for the master key), which only the attacker has.

After the file encryption process ends, the ransomware leaves a ransom note telling the user he needs to email xrtnhelp@yandex.ru to decrypt his files. The ransom note does not include any details about how much money the hacker is asking for the private key.

Files can be recovered by paying ransom or using an older backup
Additionally, an HTA document is also shown to users every time they boot up their computer, as a reminder of the infection.

Because the XRTN ransomware deletes shadow volume copies and also runs a batch command that overrides free disk space, using standard HDD file recovery tools won't help the user recoup his data, unless he has access to full drive backups.

Currently, besides contacting the ransomware's author, there's no way to remove XRTN from infected computers.