Xorist is a family of ransomware that targets Windows OS and is distributed as an automatic ransomware builder that allows cyber threat actors to create and customize their own version of the malware. Files encrypted by Xorist typically display the following extensions, although creators can customize this feature as well: EnCiPhErEd, .73i87A, .p5tkjw, and .PoAr2w. Once a system is infected, Xorist will display a ransom note that instructs the victim to send an ID via SMS to a specific phone number. Once the victim follows the attacker’s instructions, the attacker will then send a code back to the victim via SMS to begin the decryption process.

Extensions appended to encrypted file names:
EnCiPhErEd, .73i87A, .p5tkjw, .PoAr2w, error, .errorfiles, .antihacker2017, .decripted2017@gmail.com, .SaMsUnG, .xdata, .fast_decrypt_and_protect@tutanota.com, .HELLO, .Cerber_RansomWare@qq.com
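A triage check built from the extension list above, as an added example that is not part of the original profile: it matches full file-name suffixes, because `os.path.splitext` would reduce `.decripted2017@gmail.com` to `.com`. Case-insensitive matching, the dotted form of the entries listed without a dot, and the sample paths are assumptions; since builders can change the extension, no hits does not rule out Xorist.

```python
import ntpath  # parses Windows-style paths on any host OS
from collections import Counter

# Extensions exactly as listed on this page. Entries given without a leading
# dot ("EnCiPhErEd", "error") are normalized to dotted suffixes (assumption).
LISTED = [
    "EnCiPhErEd", ".73i87A", ".p5tkjw", ".PoAr2w", "error", ".errorfiles",
    ".antihacker2017", ".decripted2017@gmail.com", ".SaMsUnG", ".xdata",
    ".fast_decrypt_and_protect@tutanota.com", ".HELLO",
    ".Cerber_RansomWare@qq.com",
]
SUFFIXES = sorted({("." + e.lstrip(".")).lower() for e in LISTED},
                  key=len, reverse=True)


def match_suffix(path):
    """Return the listed suffix the file name ends with, or None."""
    name = ntpath.basename(path).lower()
    for suffix in SUFFIXES:
        # Require a non-empty stem so a file named just ".error" is skipped.
        if name.endswith(suffix) and len(name) > len(suffix):
            return suffix
    return None


def triage(paths, min_hits=2):
    """Return (hits, flagged): matching files, and directories holding at
    least min_hits of them, which are the ones to review first."""
    hits = [(p, s) for p in paths if (s := match_suffix(p))]
    per_dir = Counter(ntpath.dirname(p) for p, _ in hits)
    flagged = sorted(d for d, n in per_dir.items() if n >= min_hits)
    return hits, flagged


# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\a\Docs\budget.xlsx.EnCiPhErEd",
    r"C:\Users\a\Docs\notes.txt.fast_decrypt_and_protect@tutanota.com",
    r"C:\Users\a\Docs\report.docx",
    r"C:\Logs\app.error",   # generic suffix: likely benign, needs a human look
    r"C:\Logs\stderror",    # no dot before "error": not a match
]

if __name__ == "__main__":
    hits, flagged = triage(SAMPLE)
    for path, suffix in hits:
        print(f"{suffix:42} {path}")
    print("directories to review first:", flagged)
```

Short generic suffixes such as `.error` and `.HELLO` will also match benign files, so a single hit is a lead to check rather than a verdict.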

Ransom note names associated with this variant:

  • Bleeping Computer provides more information about Xorist here.
  • Emsisoft offers a decryption tool for files encrypted by Xorist here.
  • For victims impacted by the .fast_decrypt_and_protect@tutanota.com version, download the decryption tool here and the decryption key here.

 One example of the Xorist variant. Image Source: Bleeping Computer