| Property | Details |
| --- | --- |
| Encryption Type | XOR or TEA encryption. |
| Short Description | Encrypts user files, appending a custom file extension (for example, New Text Document.txt.73i80A), and extorts money in return for file decryption. |
| Symptoms | The user may find their files encrypted, along with a ransom message. |
| Distribution Method | Via malicious URLs or file attachments. |
This is offered as RaaS (ransomware as a service). Once the ransomware infects a machine and is activated, it drops some of its payload modules, which scan for and encrypt the victim's files in one of the following folders:
Some of the targets of Xorist are:
Once this is done, it modifies the victim's registry so that its executable runs every time Windows starts. This is done by adding a value and its data under the following subkey:
Once these steps are complete, the ransomware scans for specific file types and encrypts them. Some of the file types it scans for are shown below:
*.zip, *.rar, *.7z, *.tar, *.gzip, *.jpg, *.jpeg, *.psd, *.cdr, *.dwg, *.max, *.bmp, *.gif, *.png, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.txt, *.pdf, *.djvu, *.htm, *.html, *.mdb, *.cer, *.p12, *.pfx, *.kwm, *.pwm, *.1cd, *.md, *.mdf, *.dbf, *.odt, *.vob, *.ifo, *.lnk, *.torrent, *.mov, *.m2v, *.3gp, *.mpeg, *.mpg, *.flv, *.avi, *.mp4, *.wmv, *.divx, *.mkv, *.mp3, *.wav, *.flac, *.ape, *.wma, *.ac3
Once this is done, a help text file is left on the victim's computer, in which instructions are given for decrypting the files.
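The appended-extension pattern above (a targeted extension followed by a short random suffix, as in New Text Document.txt.73i80A) can be used for defensive triage of a file listing. The following is an added example written for this page, not code from the original write-up; the 4-to-12-character suffix rule and the sample file names are assumptions constructed for illustration.

```python
import re
from pathlib import PurePath

# Extensions the write-up lists as Xorist encryption targets.
TARGETED_EXTENSIONS = {
    ".zip", ".rar", ".7z", ".tar", ".gzip", ".jpg", ".jpeg", ".psd", ".cdr", ".dwg",
    ".max", ".bmp", ".gif", ".png", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".txt", ".pdf", ".djvu", ".htm", ".html", ".mdb", ".cer", ".p12", ".pfx", ".kwm",
    ".pwm", ".1cd", ".md", ".mdf", ".dbf", ".odt", ".vob", ".ifo", ".lnk", ".torrent",
    ".mov", ".m2v", ".3gp", ".mpeg", ".mpg", ".flv", ".avi", ".mp4", ".wmv", ".divx",
    ".mkv", ".mp3", ".wav", ".flac", ".ape", ".wma", ".ac3",
}

# Assumed shape of the appended suffix: a short alphanumeric token that is not
# itself a known extension. The page shows only one sample (".73i80A").
APPENDED_SUFFIX = re.compile(r"^\.[A-Za-z0-9]{4,12}$")

# Constructed sample directory listing (not from the page, except the first name).
SAMPLE_FILES = [
    "New Text Document.txt.73i80A",   # sample name from the write-up
    "holiday.jpg.73i80A",
    "budget.xlsx.73i80A",
    "archive.tar.gz",                 # legitimate double extension
    "notes.txt",                      # untouched file
    "HOW TO DECRYPT FILES.txt",       # ransom note itself has no appended suffix
    "photo.jpeg.bak",                 # backup copy, suffix too short to match
]


def is_xorist_style_name(filename: str) -> bool:
    """True if filename looks like <name>.<targeted ext>.<random suffix>."""
    suffixes = PurePath(filename).suffixes
    if len(suffixes) < 2:
        return False
    original_ext, appended = suffixes[-2].lower(), suffixes[-1]
    return (original_ext in TARGETED_EXTENSIONS
            and appended.lower() not in TARGETED_EXTENSIONS
            and APPENDED_SUFFIX.match(appended) is not None)


def triage(filenames):
    """Group matching names by their appended suffix.

    A single infection appends one suffix, so many hits sharing one key
    across different original extensions is the signal worth escalating.
    """
    hits = {}
    for name in filenames:
        if is_xorist_style_name(name):
            hits.setdefault(PurePath(name).suffix, []).append(name)
    return hits
```

Calling `triage(SAMPLE_FILES)` returns a single group keyed by `.73i80A` holding the three renamed files and none of the legitimate ones.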
Xorist ransom payments were originally handled via SMS, but this changed later on.