Business Threat Alert: Xpan ransomware victims – we can help!

April 24, 2017

The Kaspersky Lab Global and Analysis Team has analyzed a new version of a previously known Xpan ransomware, and has discovered a decryption method to help victims unlock their files. Using this method, the company’s experts have already helped several businesses to get their data back without needing to pay the ransom. Currently, the new version of Xpan malware is attacking mostly Brazilian users.

The trend:

Brazilian cybercriminals are focusing their efforts on re-using old ransomware families previously seen on the global stage. They use them for attacking small businesses and users that are too trusting. Kaspersky Lab researchers believe this is the next stage of the ransomware threat landscape: going from global scale attacks to a more localized scenario.

Recent examples:

One such example is Xpan ransomware. In September 2016, Kaspersky Lab researchers analyzed its samples and developed a decryption tool. Harvesting victims via poorly protected RDP (Remote Desktop Protocol) connections, the criminals manually installed the ransomware and encrypted any files they could find on the victim's system.

In 2017, experts found new variants of the Xpan ransomware in Brazil. The new variants encrypt the victim’s files and change the original extension to “.one”. Technically, the malware is almost identical to previously known Xpan samples.

A decryption tool is available:

We are warning companies affected by this type of ransomware not to pay the ransom. It is possible to unlock your files for free. This time luck is on the victims’ side: after thorough investigation and reverse engineering of a sample of the “.one” version of Xpan, company experts discovered that the criminals used a vulnerable cryptographic algorithm implementation. This allowed Kaspersky Lab researchers to break the encryption, as with the previously described Xpan version. Using this method, the company’s experts have already helped a driving school and a dental clinic in Brazil get their files back.

Victims of “.one” and original variants of Xpan can contact Kaspersky Lab technical support for decryption assistance.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Innovating the industry with a Cyber Immunity approach, Kaspersky safeguards consumers, businesses, critical infrastructure, and governments from cyberthreats, with over a billion devices protected to date.

Kaspersky ensures Cybersecurity True to Business, focusing on providing clear outcomes, protecting revenue, easing workloads and preventing downtime. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services for organizations of every size, from small businesses to large enterprises, combining proven AI-driven protection technologies with simple management and expert support.

Recognized in independent tests and trusted by millions of individuals worldwide and nearly 200,000 organizations, Kaspersky helps detect threats earlier, respond faster and operate with greater confidence and freedom, protecting what matters most to our clients. Learn more at www.kaspersky.com.
