Xorist is a family of ransomware that targets the Windows OS and is distributed as an automatic ransomware builder that allows cyber threat actors to create and customize their own versions of the malware. Files encrypted by Xorist typically carry one of the following extensions, although creators can customize this feature as well: .EnCiPhErEd, .73i87A, .p5tkjw, and .PoAr2w. Once a system is infected, Xorist displays a ransom note that instructs the victim to send an ID via SMS to a specific phone number. After the victim follows the attacker’s instructions, the attacker sends a code back to the victim via SMS to begin the decryption process.

UPDATE 11/7/2016: Two new Xorist variants were spotted in the wild, appending .error and .errorfiles to encrypted files. Both are decryptable.

UPDATE 12/14/2016: A new version appends .antihacker2017 to encrypted files.

UPDATE 5/12/2017: A new version appends .decripted2017@gmail.com to encrypted files.

UPDATE 5/16/2017: A new version appends .SaMsUnG to encrypted files.

  • Bleeping Computer provides more information about Xorist here.
  • Emsisoft offers a decryption tool for files encrypted by Xorist here.

One example of the Xorist variant. Image Source: Bleeping Computer