XPan

XPan, also known as NMoreira, targets servers running Windows and is deployed manually after a Remote Desktop Protocol (RDP) compromise. It originates in Brazil and has been used by a group of malicious actors identified as “TeamXRat” and “CorporacaoXRat” to target Brazilian companies and hospitals. It uses a combination of RSA and AES-256 to encrypt files and appends ._xratteamLucked, .maktub or ._AiraCropEncrypted! to encrypted file names. XPan disables antivirus software, modifies the registry, and deletes itself once encryption has completed. The ransom payment demand is 1 Bitcoin.
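The three file-name markers above are the quickest indicator an incident responder has for scoping an XPan infection on a file server. The following script is an added example, not code from the page or from Kaspersky, Securelist or Emsisoft; it groups affected files by marker and recovers the original file names so the scope of the damage can be reported before any decryption attempt. The function and constant names and the sample listing are constructed for illustration.

```python
import os
from collections import defaultdict

# Suffixes the page lists as appended by XPan to encrypted files.
XPAN_SUFFIXES = ("._xratteamLucked", ".maktub", "._AiraCropEncrypted!")


def xpan_suffix(filename: str):
    """Return the XPan marker carried by filename, or None if it has none."""
    for suffix in XPAN_SUFFIXES:
        if filename.endswith(suffix):
            return suffix
    return None


def original_name(filename: str) -> str:
    """Strip the XPan marker so the affected original file can be identified."""
    suffix = xpan_suffix(filename)
    return filename[:-len(suffix)] if suffix else filename


def triage_names(names):
    """Group a list of file names by XPan marker.

    Returns {marker: [original names]} and ignores unmarked files.
    """
    hits = defaultdict(list)
    for name in names:
        suffix = xpan_suffix(name)
        if suffix:
            hits[suffix].append(original_name(name))
    return dict(hits)


def scan_tree(root: str):
    """Walk a directory tree and return {marker: [full paths]} of marked files."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffix = xpan_suffix(name)
            if suffix:
                hits[suffix].append(os.path.join(dirpath, name))
    return dict(hits)


# Constructed sample listing for offline demonstration (hypothetical, not victim data).
SAMPLE_LISTING = [
    "budget.xlsx._xratteamLucked",
    "patient_records.db.maktub",
    "notes.txt",
    "scan.pdf._AiraCropEncrypted!",
    "README._xratteamLucked",
]

if __name__ == "__main__":
    # Summarise the constructed listing; use scan_tree("<share root>") on a real host.
    for suffix, originals in sorted(triage_names(SAMPLE_LISTING).items()):
        print(f"{suffix}: {len(originals)} file(s): {', '.join(originals)}")
```

Run `scan_tree` against the root of each share a compromised RDP account could reach; a server where several markers appear together suggests more than one XPan build was run, which is worth noting when selecting a decryption tool.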

  • Kaspersky provides more information about XPan here and also offers help to victims through their support page.
  • Security Week provides additional information about XPan here.
  • Emsisoft provides a free decryption tool for XPan here.

One example of the XPan variant. Image Source: Securelist