XCry is an encryption ransomware Trojan that runs on Microsoft Windows. It caught the attention of PC security researchers because it appears to be the first encryption ransomware Trojan written in Nim, a programming language designed for building command-line applications, Web servers and kernels. Nim programs typically run across platforms without heavy modification, which makes XCry particularly threatening because it could easily be adapted for distribution on Mac OS or Linux.

Transmission

XCry is distributed through fake updates to Adobe Flash and other third-party programs, and through spam email attachments.

Payloads

To take the victim's files hostage, the XCry Ransomware uses a strong encryption algorithm to make the victim's files inaccessible. It targets user-generated files, which may include databases, media files and numerous other file types, such as files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, 
.php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, 
.indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, 
.dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, 
.xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, 
.mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, 
.sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, 
.qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, 
.ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, 
.pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, 
.cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, 
.xpm, .zip, .rar.

XCry's intended targets are Web servers and corporate networks rather than individual computer users. The XCry Ransomware marks the files encrypted by its attack by adding the file extension '.xcry7684' to each affected file. The XCry Ransomware delivers its ransom note in the form of an HTML file named 'HOW_TO_DECRYPT_FILES.html' that is dropped on the infected computer. The full text of the XCry Ransomware's ransom note reads:

Your files have been encrypted.
To decrypt your files, follow instructions
Open your explore, in the pathbar, enter %appdata%
Find the file encryption_key and send it to email: funnybtc@airmail.cc
Await payment instructions
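As an added example (not XCry's own code, and not from the page's author), the following Python script turns the indicators described above into a triage scan a responder can run on a suspect host: it walks a directory tree for files carrying the '.xcry7684' extension and for the 'HOW_TO_DECRYPT_FILES.html' note, checks %appdata% for the 'encryption_key' file, recovers original filenames from the appended extension, and counts files whose extensions (a subset of the list above) would still be exposed to the same attack. The sample directory layout it builds is constructed for the demonstration; every function name and file name other than the three indicators is an assumption of this example.

```python
"""Triage scan for the XCry indicators named on the page (constructed example)."""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators taken from the page.
XCRY_EXTENSION = ".xcry7684"
RANSOM_NOTE_NAME = "HOW_TO_DECRYPT_FILES.html"
KEY_FILE_NAME = "encryption_key"          # dropped under %APPDATA%

# A subset of the targeted-extension list from the page, used to estimate exposure.
TARGETED_EXTENSIONS = frozenset({
    ".jpg", ".png", ".db", ".sql", ".cpp", ".py", ".psd", ".doc", ".docx",
    ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".mp3", ".mp4", ".csv", ".xml",
    ".zip", ".rar", ".txt",
})


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    key_files: list = field(default_factory=list)
    at_risk_files: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        """Any one of the three indicators is enough to treat the host as compromised."""
        return bool(self.encrypted_files or self.ransom_notes or self.key_files)


def original_name(encrypted) -> str:
    """Recover the pre-attack filename: XCry appends '.xcry7684' to the existing name."""
    name = Path(encrypted).name
    if not name.lower().endswith(XCRY_EXTENSION):
        raise ValueError(f"{name!r} does not carry the XCry extension")
    return name[: -len(XCRY_EXTENSION)]


def scan_tree(root, appdata=None) -> ScanResult:
    """Walk `root` for encrypted files, ransom notes and still-exposed target files.

    `appdata` is the directory checked for the dropped key file; it defaults to
    the APPDATA environment variable when that is set.
    """
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower().endswith(XCRY_EXTENSION):
                result.encrypted_files.append(path)
            elif name == RANSOM_NOTE_NAME:
                result.ransom_notes.append(path)
            elif path.suffix.lower() in TARGETED_EXTENSIONS:
                result.at_risk_files.append(path)
    if appdata is None:
        appdata = os.environ.get("APPDATA")
    if appdata:
        key_path = Path(appdata) / KEY_FILE_NAME
        # Preserve this file during response: it is evidence, and it may matter
        # if a recovery option becomes available later.
        if key_path.is_file():
            result.key_files.append(key_path)
    return result


def summarize(result: ScanResult) -> dict:
    """Reduce a ScanResult to counts plus the recovered original filenames."""
    return {
        "infected": result.infected,
        "encrypted": len(result.encrypted_files),
        "ransom_notes": len(result.ransom_notes),
        "key_files": len(result.key_files),
        "at_risk": len(result.at_risk_files),
        "original_names": sorted(original_name(p) for p in result.encrypted_files),
    }


def build_sample_tree(base):
    """Constructed post-infection layout: two encrypted files, a note, one exposed file."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.xcry7684").write_bytes(b"\x00constructed ciphertext")
    (docs / "photo.jpg.xcry7684").write_bytes(b"\x00constructed ciphertext")
    (docs / RANSOM_NOTE_NAME).write_text("Your files have been encrypted.")
    (docs / "notes.txt").write_text("not yet encrypted")
    (docs / "tool.exe").write_bytes(b"MZ")   # extension not in the targeted list
    appdata = Path(base) / "AppData" / "Roaming"
    appdata.mkdir(parents=True)
    (appdata / KEY_FILE_NAME).write_bytes(b"constructed key blob")
    return appdata


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = build_sample_tree(tmp)
        return summarize(scan_tree(tmp, appdata=appdata))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, call scan_tree on the user profile or a mounted image instead of the constructed tree; the "at_risk" count is a quick measure of how much data would have been lost if the attack had completed, which is useful when prioritising what to back up or restore first.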