What is Xorist-Frozen ransomware? And how does it carry out its attack?
Xorist-Frozen ransomware is another file-encrypting threat built from the Xorist ransomware family. This customized Xorist build comes from an unknown group and is being distributed to computer users around the world. It appears to behave the same as its predecessors; the only noticeable differences are the extension used to mark encrypted files and the email address used by the criminals.
Xorist-Frozen ransomware carries out its attack in the typical ransomware way: it scans the infected computer for files to encrypt. According to researchers, the targeted file types include:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
Once files with these extensions are found, Xorist-Frozen ransomware encrypts them with the same algorithm the Xorist family is reported to use, a XOR cipher. XOR with a fixed or repeating key is not real encryption: anyone who still holds one unencrypted copy of an encrypted file (an email attachment, a backup, a downloaded installer) can recover the keystream from that pair. This is why free decryptors for earlier Xorist builds exist (for example Emsisoft's Xorist decryptor, which works from exactly such an original/encrypted file pair), and they should be tried before any payment is even considered. When it has finished encrypting, the ransomware appends the .Files-Frozen-NEED-TO-MAKE-PAYMENT-FOR-DECRYPTOR-OR-ALL-YOUR-FILES-WILL-BE-PERMANENTLY-DELETED extension to each affected file. It then drops a ransom note named HOW TO DECRYPT FILES.txt, reproduced below verbatim, including its errors and its contradictory 36-hour and 24-hour deadlines:
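To make the point about XOR concrete, here is an added example (not the page's material and not the malware author's code) of a known-plaintext attack on a repeating-key XOR "cipher". The key, the two sample files and the key length are all constructed for the demo; the real Xorist key length and key derivation are not stated on the page and are not reproduced here. The idea generalizes: any stream cipher whose keystream is reused across files falls to the same pair-of-files trick.

```python
"""Known-plaintext recovery of a repeating-key XOR keystream (added example).

Toy key and file contents are constructed for illustration; nothing here is a
real Xorist key, sample or file format.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encrypting and decrypting are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """XOR of a known plaintext with its ciphertext is exactly the keystream."""
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))


def guess_key_length(stream: bytes, max_len: int = 64) -> int:
    """Shortest period of the recovered keystream, i.e. the repeating key length."""
    for n in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)  # no shorter period visible in this much data


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: one original/encrypted pair yields the whole key,
    provided the known plaintext is at least as long as the key."""
    stream = keystream(plaintext, ciphertext)
    return stream[: guess_key_length(stream)]


# Constructed demo data (hypothetical key and file contents, not real samples).
TOY_KEY = b"frozen-toy-key!!"
INVOICE_ORIGINAL = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<invoice><id>42</id><total>199.00</total></invoice>\n"
)
PHOTO_ORIGINAL = b"\x89PNG\r\n\x1a\n" + bytes(range(64))  # PNG magic + constructed body


def demo() -> bytes:
    """Encrypt two files with the toy key, recover the key from the one file the
    victim still has in clear (e.g. in sent mail), decrypt the other with it."""
    invoice_enc = xor_bytes(INVOICE_ORIGINAL, TOY_KEY)
    photo_enc = xor_bytes(PHOTO_ORIGINAL, TOY_KEY)
    key = recover_key(INVOICE_ORIGINAL, invoice_enc)
    return xor_bytes(photo_enc, key)


if __name__ == "__main__":
    key = recover_key(INVOICE_ORIGINAL, xor_bytes(INVOICE_ORIGINAL, TOY_KEY))
    print("recovered key length:", len(key))
    print("photo restored:", demo() == PHOTO_ORIGINAL)
```

The practical caveat is in recover_key: if the only clear copy you have is shorter than the key, you recover only a prefix of it, so pick the largest original/encrypted pair available. A file with a fixed header (the PNG magic above, a PDF's %PDF-1.x, an OOXML zip's PK header) gives a few known bytes even without a full original.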
“All your important files were FROZEN on this computer.
Encryption was produced using unique KEY generated by this computer.
For decrypted files, you need to obtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 36 hours after encryption completed.
REMEMBER YOU HAVE ONLY 24 HOURS TO PAY EVERYTHING IS AUTOMATICALLY!
To retrieve the private key, you need to pay 0.5 bitcoins
Bitcoins have to be sent to this address: 3N8FxD8y3AKKPZaUBuypw55YYSswmECPxh
After you’ve sent the payment to send us an email to :
[email protected] with subject : ERROR-ID-63100888(0.5BTC)
If you are not familiar with bitcoin you can buy it from here:
SITE : www.localbitcoin.com
After we confirm the payment, we send the private key so you can decrypt your system.”
How does Xorist-Frozen ransomware spread its malicious file(s)?
Xorist-Frozen ransomware spreads its malicious files via spam emails carrying a document whose embedded macro script downloads the Xorist-Frozen payload onto the computer. This ransomware may also be pushed through fake software updates and trojanized installers. Because several distribution methods are in play, be careful opening any email attachment, especially one you did not expect or that asks you to "enable content" or "enable macros" to view it. And when you need to update your system, do so only from a legitimate, secure source.
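As an added example (not from the page), here is a small triage check for attachments of the kind described above: it looks inside an Office Open XML container for an embedded VBA project without ever opening the file in Office, and flags legacy OLE documents for deeper inspection. The sample attachments and their filenames are constructed in memory; they are not real malware.

```python
"""Attachment triage for macro-bearing Office documents (added example).

The sample files built by build_sample() are minimal constructed zip
containers, not real Office documents.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/.xlsm/...)


def classify_attachment(data: bytes) -> str:
    """Return one of: 'ooxml-macro', 'ooxml-no-macro', 'ole-legacy', 'other'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can carry macros too; parse them with a
        # dedicated tool (e.g. oletools' olevba) rather than trusting them.
        return "ole-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return "other"
    # Any vbaProject.bin part (under word/, xl/ or ppt/) means the file embeds
    # VBA, whatever its extension claims.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-no-macro"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container for testing (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA storage")
    return buf.getvalue()


def triage(attachments: dict) -> dict:
    """Map filename -> verdict, flagging extension/content mismatches."""
    verdicts = {}
    for name, data in attachments.items():
        kind = classify_attachment(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind == "ooxml-macro":
            # A file that claims to be macro-free (.docx/.xlsx/.pptx) but ships a
            # VBA project is a classic lure; any macro-enabled file from mail is
            # worth blocking until a human has looked at it.
            verdicts[name] = "BLOCK: embedded VBA project" + (
                " (extension claims no macros)" if ext in ("docx", "xlsx", "pptx") else ""
            )
        elif kind == "ole-legacy":
            verdicts[name] = "REVIEW: legacy OLE document, scan with olevba"
        else:
            verdicts[name] = "allow"
    return verdicts


if __name__ == "__main__":
    samples = {                                   # constructed inputs
        "Invoice_2024.docm": build_sample(True),
        "Quarterly_report.docx": build_sample(False),
        "old_memo.doc": OLE_MAGIC + b"\x00" * 32,
        "photo.jpg": b"\xff\xd8\xff" + b"\x00" * 16,
    }
    for fname, verdict in triage(samples).items():
        print(f"{fname:24} {verdict}")
```

This catches the macro-document lure the page describes and nothing more: an "ooxml-no-macro" verdict does not mean safe, since a macro-free document can still pull a remote template or abuse other Office features, so treat "allow" as "no VBA found", not as a clean bill of health.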
Follow the removal guide below to eliminate Xorist-Frozen ransomware from your computer.
Step 1: First, stop Xorist-Frozen ransomware from encrypting anything further. Unplug the network cable or disable Wi-Fi so it cannot reach mapped drives and network shares, then open the Task Manager by tapping Ctrl + Shift + Esc.
Step 2: Click the Processes tab and look for a process you do not recognise, typically one with a random or document-like name running from a user-writable folder such as %TEMP%, %APPDATA% or Downloads, and usually showing heavy disk activity rather than high CPU use (XOR is cheap; reading and rewriting every file is not). Right-click it, choose Open file location and note the path (you will need it in Step 7), then end the process. Ending the process stops new encryption but does not restore files that are already encrypted.
Step 3: Now that the malicious process is stopped, close the Task Manager.
Step 4: Next, tap Win + R, type appwiz.cpl and click OK or tap Enter to open Control Panel's list of installed programs.
Step 5: In the list, look for Xorist-Frozen ransomware or anything similar and uninstall it. Most ransomware never registers as an installed program, so do not be surprised if nothing is listed.
Step 6: Close Control Panel and tap Win + E to launch File Explorer.
Step 7: Navigate to the locations listed below, and to the path you noted in Step 2, and look for Xorist-Frozen's components such as the dropped executable and the HOW TO DECRYPT FILES.txt ransom note, then delete them. Before deleting, copy one encrypted file together with its ransom note to removable media; a decryptor may need both.
Step 8: Close File Explorer.
Before you go any further, make sure you are comfortable editing the Windows Registry. A wrong deletion there can leave Windows unbootable, so export each key you are about to remove (File > Export in Registry Editor) before touching it. If you would rather not edit the registry by hand, you can use PC Cleaner Pro instead. If you can manage the Windows Registry, go on to the next steps.
Step 9: Tap Win + R to open Run, type regedit in the field and tap Enter to open the Registry Editor.
Step 10: Navigate to the following path:
Step 11: Delete the registry keys and sub-keys created by Xorist-Frozen ransomware. On Windows, malware persistence most commonly lives in the Run and RunOnce keys under HKCU\Software\Microsoft\Windows\CurrentVersion and HKLM\Software\Microsoft\Windows\CurrentVersion, so also check those for a value pointing at the malicious executable.
Step 12: Close the Registry Editor and empty the Recycle Bin.
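Before moving on to recovery it helps to know exactly which files were hit. The following added example (not from the page) inventories a directory tree using the marker extension and ransom-note filename reported above. It only lists, and, after the files have been decrypted, renames them back; it never decrypts. The victim directory it walks is constructed in a temporary folder for the demo.

```python
"""Post-infection inventory for Xorist-Frozen marked files (added example).

MARKER and NOTE_NAME come from the page; the sample tree built by
build_sample_tree() is constructed for the demonstration.
"""
import os
import tempfile

MARKER = (".Files-Frozen-NEED-TO-MAKE-PAYMENT-FOR-DECRYPTOR-OR-ALL-YOUR-FILES-"
          "WILL-BE-PERMANENTLY-DELETED")
NOTE_NAME = "HOW TO DECRYPT FILES.txt"


def original_name(name: str):
    """Strip the marker extension; None if the name is not marked."""
    return name[: -len(MARKER)] if name.endswith(MARKER) else None


def inventory(root: str) -> dict:
    """Walk root; return sorted relative paths of encrypted files and ransom notes."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            if original_name(f) is not None:
                encrypted.append(rel)
            elif f == NOTE_NAME:
                notes.append(rel)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def restore_names(root: str, dry_run: bool = True) -> list:
    """Rename marked files back to their original names.

    Only run this AFTER the contents have been decrypted, and never over an
    existing file: a surviving clean copy is worth more than the renamed one.
    Returns (from, to) pairs; with dry_run=True nothing is changed on disk.
    """
    renamed = []
    for rel in inventory(root)["encrypted"]:
        src = os.path.join(root, rel)
        dst = os.path.join(os.path.dirname(src), original_name(os.path.basename(src)))
        if os.path.exists(dst):
            continue  # do not clobber a good copy
        if not dry_run:
            os.rename(src, dst)
        renamed.append((rel, os.path.relpath(dst, root)))
    return renamed


def build_sample_tree() -> str:
    """Constructed victim directory: two marked files, two notes, one untouched
    file, and a clean copy of notes.txt sitting next to its marked twin."""
    root = tempfile.mkdtemp(prefix="frozen-demo-")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("Documents/budget.xlsx" + MARKER, "Documents/" + NOTE_NAME,
                "notes.txt" + MARKER, "notes.txt", NOTE_NAME, "readme.md"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    inv = inventory(demo_root)
    print("encrypted:", inv["encrypted"])
    print("notes:", inv["notes"])
    for src, dst in restore_names(demo_root, dry_run=True):
        print("would rename", src, "->", dst)
```

Run it against a forensic copy or a read-only mount first; the dry-run output is the list you hand to a decryptor, and the note count tells you which directories the ransomware actually reached.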
Try to recover your encrypted files using the Shadow Volume copies
Restoring encrypted files with Windows' Previous Versions feature only works if Xorist-Frozen ransomware has not deleted the shadow copies. Check first: open an elevated Command Prompt and run vssadmin list shadows. If no shadow copies are listed, this method will not help (many ransomware families wipe them with vssadmin delete shadows /all /quiet before encrypting). If copies do exist, this is one of the best free options there is, so it is worth a try.
To restore a file, right-click it, select Properties, and go to the Previous Versions tab. It lists the versions of the file saved before it was modified; pick one dated before the infection and click Restore. Where the dialog offers it, restore into a different folder rather than over the top, so that a bad choice does not destroy the encrypted copy a decryptor might still need.
It is important to make sure that nothing is left behind and that Xorist-Frozen ransomware is completely removed, using the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- The BIOS screen will be displayed; if Windows starts instead, reboot and try again. On the BIOS screen, repeatedly press F8 until the Advanced Boot Options menu appears. (On Windows 8 and later F8 is disabled by default: instead hold Shift while clicking Restart, choose Troubleshoot > Advanced options > Startup Settings > Restart, and press 5 for Safe Mode with Networking.)
- In Advanced Boot Options, use the arrow keys to select Safe Mode with Networking, then press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and tap R.
- If done correctly, the Windows Run box will appear.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must separate explorer and http. Click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program; installation starts automatically once the download finishes.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.