Xorist is a family of ransomware that targets Windows OS and is distributed as an automatic ransomware builder that allows cyber threat actors to create and customize their own version of the malware. Files encrypted by Xorist typically display the following extensions, although creators can customize this feature as well: EnCiPhErEd, .73i87A, .p5tkjw, and .PoAr2w. Once a system is infected, Xorist will display a ransom note that instructs the victim to send an ID via SMS to a specific phone number. Once the victim follows the attacker’s instructions, the attacker will then send a code back to the victim via SMS to begin the decryption process.
Extensions appended to encrypted file names:
EnCiPhErEd, .73i87A, .p5tkjw, .PoAr2w, error, .errorfiles, .antihacker2017, .firstname.lastname@example.org, .SaMsUnG, .xdata, .email@example.com, .HELLO, .Cerber_RansomWare@qq.com, .cryptedx
Ransom note names associated with this variant:
HOW TO DECRYPT FILES.txt
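A triage sketch that applies the extensions and ransom note name listed above to a file listing, added here as an example; it is not code from the original page or from any vendor tool. It shows two matching pitfalls: several entries contain dots, so a last-extension split misses them, and "error" must not match a name such as "terror". The function names, the leading-dot normalization, the case-insensitive comparison and the sample paths are assumptions made for this example.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators exactly as listed on this page.
EXTENSIONS = [
    "EnCiPhErEd", ".73i87A", ".p5tkjw", ".PoAr2w", "error", ".errorfiles",
    ".antihacker2017", ".firstname.lastname@example.org", ".SaMsUnG",
    ".xdata", ".email@example.com", ".HELLO", ".Cerber_RansomWare@qq.com",
    ".cryptedx",
]
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"

# Assumption: every entry is a trailing extension, so entries listed without
# a leading dot get one; comparison is case-insensitive, as Windows file
# names are by default. Longest first, so ".errorfiles" precedes ".error".
SUFFIXES = sorted({"." + e.lstrip(".").lower() for e in EXTENSIONS},
                  key=len, reverse=True)


def matched_extension(name):
    """Return the listed extension that `name` ends with, or None."""
    lower = name.lower()
    for suffix in SUFFIXES:
        # Suffix match, not splitext(): several entries contain dots.
        if lower.endswith(suffix) and len(lower) > len(suffix):
            return suffix
    return None


def triage(paths):
    """Group hits per directory; extension and note together rate 'high'."""
    hits = defaultdict(lambda: {"files": [], "note": False})
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() == RANSOM_NOTE.lower():
            hits[str(p.parent)]["note"] = True
        elif matched_extension(p.name):
            hits[str(p.parent)]["files"].append(p.name)
    return {d: {**h, "confidence": "high" if h["files"] and h["note"] else "review"}
            for d, h in hits.items()}


# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsx.EnCiPhErEd",
    r"C:\Users\a\Documents\notes.docx.Cerber_RansomWare@qq.com",
    r"C:\Users\a\Documents\HOW TO DECRYPT FILES.txt",
    r"C:\Users\a\Pictures\terror",
    r"C:\Logs\app.error",
]
```

A directory with only an extension hit, such as the constructed `C:\Logs\app.error`, is rated "review" because short names like "error" also occur on clean systems.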