The XPan Ransomware is being used to target small and medium businesses located in Brazil (although there is nothing limiting these attacks to Brazil, since the same attacks can target computers anywhere). The XPan Ransomware attacks are carried out by taking advantage of poorly protected remote desktop connections. By exploiting weak passwords and lax security measures, con artists can install the XPan Ransomware on the victims’ computers and carry out other threatening operations.
The ransomware, suspected to be distributed by a group of small-time cybercriminals, has already affected many computers belonging to small and medium businesses in the country. The similarities between XPan and the .one ransomware were found during an in-depth analysis of the malicious program. They include the target file extensions, the ransom note, the commands executed before and after the encryption process, and even the criminals’ public RSA keys.
For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the CryptDeriveKey API, and encrypts the file contents using AES-256 in CBC mode with a zero IV. According to one of the victims, the criminals were asking for 0.3 bitcoin for the recovery key, using the same approach as before: the user sends a message to a mailbox with his unique ID and waits for further instructions.
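To make the scheme above concrete from the recovery side, here is an added Go example (not code from the sample or from the original write-up) that derives the AES-256 key from a recovered S the way CryptDeriveKey does and decrypts one file body with AES-256-CBC under a zero IV. It assumes SHA-256 as the base hash and PKCS#5 padding, neither of which the page states, and the test vector is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
)

// deriveKey mirrors CryptDeriveKey with a SHA-2 base hash (assumption: SHA-256,
// the page does not name the hash): the AES-256 key is the first 32 bytes of
// the digest. MD5/SHA-1 bases use a 0x36/0x5C expansion not modelled here.
func deriveKey(s []byte) []byte {
	sum := sha256.Sum256(s)
	return sum[:]
}

var zeroIV = make([]byte, aes.BlockSize) // the sample runs CBC with a zero IV

// recoverFile decrypts one encrypted file body given its recovered S.
func recoverFile(s, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(deriveKey(s))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(pt, ct)
	// CryptEncrypt pads block ciphers PKCS#5 style; validate before stripping.
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("padding check failed: wrong S or damaged file")
	}
	return pt[:len(pt)-pad], nil
}

// encryptForTest builds a test vector with the same parameters so recoverFile
// can be exercised offline; it is constructed here, not taken from the sample.
func encryptForTest(s, pt []byte) []byte {
	block, _ := aes.NewCipher(deriveKey(s))
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, padded)
	return ct
}
```

A real recovery still needs S for each file; the page only says that S is per-file and that the criminals hold the key, so this routine is useful only where S has been obtained, for example from memory.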