The Kaspersky Lab Global Research and Analysis Team has analyzed a new version of the previously known Xpan ransomware and has discovered a decryption method to help victims unlock their files. Using this method, the company's experts have already helped several businesses get their data back without paying the ransom. Currently, the new version of Xpan is mostly attacking Brazilian users.
Brazilian cybercriminals are focusing their efforts on re-using old ransomware families previously seen on the global stage. They use them to attack small businesses and overly trusting users. Kaspersky Lab researchers believe this is the next stage of the ransomware threat landscape: a shift from global-scale attacks to a more localized scenario.
One such example is Xpan ransomware. In September 2016, Kaspersky Lab researchers analyzed its samples and developed a decryption tool. Harvesting victims via poorly protected RDP (Remote Desktop Protocol) connections, the criminals manually installed the ransomware and encrypted any files they could find on the victim's system.
In 2017, experts found new variants of the Xpan ransomware in Brazil. The new variants encrypt the victim's files and change the original extension to ".one". Technically, the malware is almost identical to previously known Xpan samples.
A decryption tool is available:
We are warning companies affected by this type of ransomware not to pay the ransom: it is possible to unlock the files for free. This time luck is on the victims' side: after a thorough investigation and reverse engineering of a sample of the ".one" version of Xpan, company experts discovered that the criminals had used a vulnerable implementation of a cryptographic algorithm. This allowed Kaspersky Lab researchers to break the encryption, as with the previously described Xpan version. Using this method, the company's experts have already helped a driving school and a dental clinic in Brazil get their files back.