Jump to content

Results from Decrypter for Xorist are not valid?

Recommended Posts


our server was attacked by ransomware. 

Website https://id-ransomware.malwarehunterteam.com/identify.php? says, it should be Xorist. I tried your Emsisoft Decrypter for Xorist, but i think, the results is not correct.

It generated "decryption.key", but after decrypting of selected files, these files couldn't be open. In attachments is sample. Could you give me any advice?




  • not attacked file "DocExcel - not attacked.png"
  • attacked file
  • result file from decrypter "DocExcel.png" - it could be open
  • notes from ransomware  (HOW TO DECRYPT FILES)
  • decryption_key

system Logs:

  • Emsisoft Emergency Kit log 
  • FRST.txt
  • Addition.txt

Thank you, Karel





Link to comment
Share on other sites

You got attacked by two different variants. The issue with that is, that you will have to run the decrypter twice. Once with the proper settings to remove the "[email protected]" layer and then to remove the "[email protected]" layer. The problem is finding the two different keys. You will have to find 2 file pairs where only one of the two extensions was appended. Then generate the decryption key based on those two individual file pairs and use them one after another.

Link to comment
Share on other sites

I think for the variant "[email protected]" I found a pair of files for decryptor, but for the second variant "[email protected]" I did not find a suitable pair. There are about 56 files that have been encrypted only by this variant, but they are mostly log files to which I do not have an unencrypted files. There are also several dll libraries, but libraries with the same name that I have on my computer have a different size.
Is there any other way to deal with it?

At attachment, there is list of files which was decrypt only by variant [email protected]

list of files_qq.csv

Link to comment
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...