XPan, also known as NMoreira, targets servers running Windows OS and is distributed manually via Remote Desktop Protocol (RDP) compromise. It originates in Brazil and has been used by a group of malicious actors identified as “TeamXRat” and “CorporacaoXRat” to target Brazilian companies and hospitals. It uses a combination of RSA and AES-256 to encrypt files and appends ._xratteamLucked, .maktub or ._AiraCropEncrypted! to encrypted file names. XPan disables antivirus software, modifies the registry, and deletes itself after the encryption process is completed. The ransom payment demand is 1 Bitcoin.

UPDATE 03/28/2017: An email campaign distributes a new variant that appends .HakunaMatata to the names of encrypted files and provides payment instructions in a ransom note named Recovers files yako.html.

UPDATE 04/25/2017: A new campaign was discovered targeting Brazilian SMBs through RDP compromise. This version appends .one to encrypted file names, drops a ransom note named Recupere seus arquivos aqui.txt, and demands a ransom payment of 0.3 Bitcoin.
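The extensions and ransom-note names listed above can be turned into a simple file-share triage check. The following is an added example, not code from the original page or from any of the vendors named on it; the indicator table and the sample directory listing are constructed from the text above, and the `.one` handling is an assumption made here because `.one` is also the Microsoft OneNote extension and is only treated as evidence when the matching ransom note sits in the same directory.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the write-up above (constructed table, not a vendor feed).
# Windows file names are case-insensitive, so everything is compared lowercased.
XPAN_EXTENSIONS = {
    "._xratteamlucked": "XPan/NMoreira (TeamXRat)",
    ".maktub": "XPan/NMoreira",
    "._airacropencrypted!": "XPan/NMoreira",
    ".hakunamatata": "XPan HakunaMatata variant (03/2017)",
    ".one": "XPan .one variant (04/2017)",
}
RANSOM_NOTES = {
    "recovers files yako.html": "XPan HakunaMatata variant (03/2017)",
    "recupere seus arquivos aqui.txt": "XPan .one variant (04/2017)",
}
# ".one" is also the OneNote extension, so on its own it is not evidence (assumption).
AMBIGUOUS = {".one"}

def triage(paths):
    """Group files by directory; return {directory: (variant, reason)} for
    directories showing XPan indicators. Ambiguous extensions only count
    when a known ransom note is present in the same directory."""
    by_dir = defaultdict(lambda: {"enc": [], "notes": []})
    for p in paths:
        wp = PureWindowsPath(p)
        name, d = wp.name.lower(), str(wp.parent).lower()
        if name in RANSOM_NOTES:
            by_dir[d]["notes"].append(RANSOM_NOTES[name])
            continue
        for ext, variant in XPAN_EXTENSIONS.items():
            if name.endswith(ext):
                by_dir[d]["enc"].append((ext, variant))
                break
    verdicts = {}
    for d, ev in by_dir.items():
        strong = [v for e, v in ev["enc"] if e not in AMBIGUOUS]
        if ev["notes"]:
            verdicts[d] = (ev["notes"][0], "ransom note present")
        elif strong:
            verdicts[d] = (strong[0], f"{len(strong)} file(s) with XPan extension")
        # directories with only ambiguous hits (e.g. OneNote notebooks) are skipped
    return verdicts

SAMPLE = [  # constructed listing of a Windows file share
    r"D:\Shares\Finance\budget.xlsx._xratteamLucked",
    r"D:\Shares\Finance\contracts.docx._xratteamLucked",
    r"D:\Shares\HR\staff.csv.HakunaMatata",
    r"D:\Shares\HR\Recovers files yako.html",
    r"D:\Shares\Sales\leads.xlsx.one",
    r"D:\Shares\Sales\Recupere seus arquivos aqui.txt",
    r"D:\Users\ana\Documents\meeting notes.one",  # genuine OneNote notebook
]

if __name__ == "__main__":
    for d, (variant, why) in triage(SAMPLE).items():
        print(f"{d}: {variant} ({why})")
```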

  • Kaspersky has published more information about XPan and also offers help to victims through its support page.
  • Security Week has published additional information about XPan.
  • Emsisoft provides a free decryption tool for XPan.

One example of the XPan variant. Image Source: Securelist