XPan, also known as NMoreira, targets servers running Windows OS and is distributed manually via Remote Desktop Protocol (RDP) compromise. It originates in Brazil and has been used by a group of malicious actors identified as “TeamXRat” and “CorporacaoXRat” to target Brazilian companies and hospitals. It uses a combination of RSA and AES-256 to encrypt files and appends ._xratteamLucked, .maktub or ._AiraCropEncrypted! to encrypted file names. XPan disables antivirus software, modifies the registry, and deletes itself after the encryption process is completed. The ransom payment demand is 1 Bitcoin.
UPDATE 03/28/2017: An email campaign distributes a new variant that appends .HakunaMatata to the names of encrypted files and provides payment instructions in a ransom note named “Recovers files yako.html”.
UPDATE 04/25/2017: A new campaign was discovered targeting Brazilian SMBs through RDP compromise. This version appends .one to encrypted file names, drops a ransom note named “Recupere seus arquivos aqui.txt”, and demands a ransom payment of 0.3 Bitcoin.