
Brazilian information
Brazilian cybercriminals are notorious for their ability to develop banking trojans but now they have started to focus their efforts in new areas, including ransomware. We discovered a new variant of a Brazilian-made ransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly affecting innocent people, encrypting their files using the extension “.___xratteamLucked” and asking to pay the ransom.
The Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a Hospital in Brazil that had fallen victim to this Ransomware family.
Actually, this is not the first ransomware to come out of Brazil. In the past, we investigated TorLocker and its flawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal. We also saw a lot of copycats use HiddenTear in local attacks. Trojan Ransom Xpan was created by an organized gang, which used targeted attacks via RDP that abused weak passwords and wrong implementations.
In this post, we’ll explain this new Ransomware family and how Brazilian coders are creating new ransomware from scratch.
The group behind the attack
The group identifies itself as “TeamXRat“and “CorporacaoXRat“.
(Translating from Portuguese to English as “CorporationXRat”)
Their first ransom trojan consisted of using a simple XOR based encryption, described by some victims here (most of the victims are from Brazil). The new version of Xpan Ransomware shows that the cybercriminals behind it have improved the code to make it more complex, also switching the encryption scheme.
The ransom texts used by the group are written in Portuguese from Brazil. The messages do not inform how much the victim has to pay to retrieve their files, nor the payment method required (which is usually Bitcoins). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg. For example, corporacaoxrat@mail2tor.com, xRatTeam@mail2tor.com and xratteam@email.tg providing the public key used by the ransomware to encrypt the files. Older versions of this ransomware also used e-mail accounts from another Email service – Protonmail, such as corporacaoxrat@protonmail.com, currently deactivated.
When the victim gets in touch with the group, they start to negotiate the ransom payment. All communication is in Portuguese and they request 1 btc (about 603 USD) to decrypt the files. The group also claims that the payment is a “donation” arguing that “they exploited flaws in your system and carried out the attack in order to make sure you increase your security”. Finally, the cybercriminals also offer to decrypt one file for free:
“For me only the ‘donation’ is important. Not your files. If your files are important to you, I advise you to make the donation; otherwise, you’ll lose all your files”
Xpan, how it works
The sample is UPX packed. Once executed it checks the default language of the infected system set in the following registry key: HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE
In addition, it’s able to query local time and obtain the computer name from the registry using several commands like net.exe, sc.exe, and taskkill.exe. Interestingly, it also deletes any Proxy setting defined in the system, located in: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP.
Since the targets are companies and corporations, the group might use proxies blocking access to certain Web resources. It is highly probable that this technique is used to “set victim’s free” while emailing the attackers or accessing BTC resources online.
After completing its execution, the ransomware displays the following image in the affected system:
“All your files were encrypted using a RSA 2048 bits encryption”
The sample is written in C++ and uses STL, being built as a console application. During the lenght of its execution, it logs all its actions to the console, only to clear it once the encryption process has finished.
The operation of this malware is ‘guided’ by the configuration data block stored inside the body of the Trojan:
Decrypted configuration block
The configuration contains the following details:
- Drive letters which will be processed;
- Blacklisted substrings: the files whose path contain any of these strings will not be encrypted;
- Ransomware text message for the victim;
- Extension of the encrypted files (in this case.____xratteamLucked);
- Name of the file with ransom notes;
- Console commands to be executed prior to the process of file encryption;
- Console commands to be executed after the encryption;
- A public RSA-2048 key in the MSBLOB format.
Part of the pseudocode of the main procedure
From Xorist to Xpan
A previous ransomware sample that was believed to be part of the TeamXRat ransomware campaign used a simple encryption algorithm known as TEA (or Tiny Encryption Algorithm). After comparing this original version (dubbed Xorist) against this new Xpan variant, we could observe that now they are using an AES-256 encryption scheme.
Xorist ransomware TEA constant
Xpan ransomware now has evolved to use AES-256 encryption
Xorist | Xpan |
Will automatically start when user is logged in. It uses the following registry key for persistence: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | No persistence used. |
Tiny Encryption Algorithm | AES-256 |
ASM, MS Linker | C++, MinGW compiler |
Includes a list of files that are to be encrypted. | Will encrypt everything except .exe and .dll files and files with blacklisted substrings in the path. |
The developers have clearly shifted their development procedures in the Xpan malware. It’s typical for cybercriminals to evolve their techniques once a decryption method has been found for their ransomware, or that specific variant is widely detected.
List of file extensions that Xorist ransomware will search and encrypt
File Encryption
The trojan uses the implementation of cryptographic algorithms provided by MS CryptoAPI. The files are encrypted by AES-256 in CBC mode.
There are 2 known versions of this trojan that can be distinguished by their extensions. The 1st one uses “___xratteamLucked” (3 ‘_’ symbols) and the second one – “____xratteamLucked” (4 ‘_’ symbols).
These 2 versions employ different techniques to encrypt the files, which we will describe in more detail.



