What is Xorist-XWZ ransomware? And how does it execute its attack?

Xorist-XWZ or XWZ ransomware is a file-encrypting threat designed to lock files in an infected system. This new crypto-malware is actually a new variant of the infamous Xorist ransomware. It was first spotted on March 20, 2018, after some users reported finding their files with the “.xwz” extension which is it is named as “Xorist-XWZ” ransomware.
Once Xorist-XWZ ransomware is activated on a targeted system, it adds more malicious files to help it execute its attack – some of which are created by the ransomware itself while others are downloaded from its Command and Control server. After it successfully drops these files in the essential Windows system folders, it might also create and alter some Registry entries so it can run on every system startup. Following the modifications in the registry, Xorist-XWZ ransomware will scan the entire computer drive to look for files to encrypt. According to researchers, it still targets the same file types like all the other variants of Xorist ransomware such as:
.1cd, .3gp, .7z, .a06, .ac3, .aleta, .aol, .ape, .arena, .aspx, .avi, .b64, .bak, .bd, .bmp, .cdr, .cer, .csv, .dat, .db, .dbf, .divx, .djvu, .dl0, .dl1, .dl2, .dl3, .dl4, .dl5, .dl6, .dl7, .dl8, .dl9, .doc, .docx, .dwg, .flac, .flv, .frf, .gdb, .gif, .gzip, .htm, .html, .ibk, .ifo, .jpeg, .jpg, .kwm, .ldf, .lnk, .m2v, .max, .md, .mdb, .mdf, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .mt0, .mt1, .mt2, .mt3, .mt4, .mt5, .mt6, .mt7, .mt8, .mt9, .net, .odt, .p12, .pdf, .pfx, .png, .ppt, .pptx, .ps1, .psd, .pwm, .rar, .sql, .tar, .tib, .torrent, .txt, .vhd, .vhdx, .vob, .wallet, .wav, .wk0, .wk1, .wk2, .wk3, .wk4, .wk5, .wk6, .wk7, .wk8, .wk9, .wma, .wmv, .xls, .xlsm, .xlsx, .xml, .zip
Xorist-XWZ ransomware uses the AES encryption algorithm in encrypting files. As soon as it finishes the encryption, it will begin to append the .xwz extension on every encrypted file then deliver a ransom note in a text file named “READ ME FOR DECRYPT.txt” that contains the following message:
“All your files is encrypted using an unknown algorithm!
Do not try to decrypt manually!
You can destroy your files!!
To decrypt, please contact us
[email protected]
Your personal ID: ****-2OYU-****-K1JJ
How to buy Bitcoins?
https://blockchain.info/ru/wallet/how-to-get-bitcoins”
How does Xorist-XWZ ransomware proliferate?
Variants of Xorist ransomware continues to proliferate still using malicious spam email campaign, including Xorist-XWZ ransomware. These malware-laden emails contain some corrupted files used to install the ransomware in the system. Such files might be a document with macro-scripts. Thus, you need to beware of these kinds of emails and to stir clear of any suspicious-looking ones.
Follow the removal guide laid out below to eliminate Xorist-XWZ ransomware.
Step 1: The first thing you need to do is to eliminate the process of Xorist-XWZ ransomware by opening the Task Manager – simply tap the Ctrl + Shift + Esc keys on your keyboard.
Step 2: After that, click the Processes tab and look for any suspicious-looking process that takes up most of your CPU’s resources and is most likely related to Xorist-XWZ ransomware and then end its processes.

Step 3: Now that the malicious process is eliminated, close the Task Manager.
Step 4: Next, tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 5: Under the list of installed programs, look for Xorist-XWZ ransomware or anything similar and then uninstall it.

Step 6: Then close Control Panel and tap Win + E keys to launch File Explorer.
Step 7: Navigate to the following locations below and look for Xorist-XWZ ransomware’s malicious components such as READ ME FOR DECRYPT.txt as well as other suspicious files it has created and downloaded into the system and then delete all of them.

• %TEMP%
• %WINDIR%\System32\Tasks
• %APPDATA%\Microsoft\Windows\Templates\
• %USERPROFILE%\Downloads
• %USERPROFILE%\Desktop

Step 8: Close the File Explorer.
Before you go on any further, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use Advanced System Repair Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 10: Navigate to the following path:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
• HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
• HKEY_CURRENT_USER\Control Panel\Desktop

Step 12: Delete the registry keys and sub-keys created by Xorist-XWZ ransomware.
Step12. Close the Registry Editor and empty the Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Xorist-XWZ ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

After you’ve covered the steps provided above, you need to continue the removal process using a reliable program like Advanced System Repair Pro. How? Follow the advanced removal steps below.
Perform a full system scan using Advanced System Repair Pro. To do so, follow these steps:

1. Turn on your computer. If it’s already on, you have to reboot
2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

3. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
4. Windows will now load the SafeMode with Networking.
5. Press and hold both R key and Windows key.

6. If done correctly, the Windows Run Box will show up.
7. Type in the URL address, https://www.fixmypcfree.com/download.php?asrin the Run dialog box and then tap Enter or click OK.
8. After that, it will download Advanced System Repair Pro. Wait for the download to finish and then open the launcher to install the program.
9. Once the installation process is completed, run Advanced System Repair Pro to perform a full system scan.

10. After the scan is completed click the “Fix, Clean & Optimize Now”button.