How To Remove TeamXRat Ransomware From Your Computer

A new Brazillian ransomware has been identified, named TeamXRat by the researchers it targets mainly businesses and hospitals in Brazil.

TeamXRat Ransomware

File Extensions
File name extension depends on the version.


Solution #1
TeamXRat ransomware can be removed easily with the help of an anti-malware tool, a program that will clean your computer from the virus, remove any additional cyber-security threats, and protect you in the future.

Solution #2
TeamXRat Ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

The majority of TeamXRat attacks are done by manually inserting the ransomware binaries on compromised servers.

TeamXRat Ransomware Description

The Brazillians do not idle, security experts from Kaspersky Labs reported that a new ransomware variant has been identified. The threat is called TeamXRat and it targets mainly companies and hospitals based in Brazil. The other name for the threat is Trojan-Ransom.Win32.Xpan.

The hacker collective that operates the ransomware is identified as CorporacaoXRat also known as TeamXRat. This is not their first creation, previously the Trojan used a simple XOR encryption. Their latest threat uses much improved code. The ransom text is written in Portugese however it does contain some strange characteristics.

The message does not inform the victims an exact ransom see that the victims have to pay or any payment methods. Usually the hackers use the Bitcoins crypto currency as it is anonymous and cannot be traced.

The operators give instructions to the owners of the machines to send them an email to addresses hosted on the anonymous Mail2ATor or providers.

When the communication has started the group starts to negotiate the payment based on the profile of the hacked victim. The language that the group uses is Portugese and the identified samples so far show that the hackers demand the sum of one bitcoin to decrypt the compromised files. The payment is referred to as a “donation”. The collective also offers to decrypt one file for free to prove that they are capable of restoring the data.

TeamXRat Ransomware Distribution

The majority of TeamXRat attacks are done by manually inserting the ransomware binaries on compromised servers. This is done by performing RDP (Remote Desktop Protocol) brute force attacks or other means of intrusion. There are several vulnerabilities that can be exploited in protocol. They allow attackers to craft a specific series of packets to the target system. If the system is not properly patched to the latest version this could allow a remote code execution that can be exploited.

TeamXRat Ransomware Virus – More Details

The identified sample is written in C++ and uses the STL format, the binary is built as a console application. During execution it logs all actions to the console output. The window clears only when the encryption process is complete.
Before the encryption process begins, the ransomware executes several commands. They are used as a countermeasure against popular database services that might interfere with the encryption.

echo Iniciando pre comandos

echo Parando Firbird
sc config FirebirdServerDefaultInstance start=disabled
taskkill /IM fb_inet_server.exe /F
net stop FirebirdServerDefaultInstance

echo parando SQL SERVE

taskkill /IM sqlservr.exe /F
sc config MSSQLSERVER start=disabled
sc config MSSQL$SQLEXPRESS start=disabled

echo parando poostgree
taskkill /IM pg_ctl.exe /F
sc config postgresql-9.0 start=disabled
net stop postgresql-9.0

The behavior of the threat is executed according to a configuration block stored in the code of the Trojan. This includes the following variables:

  • Affected partitions and devices
  • Blacklisted substrings – Contains the files paths which are not going to be encrypted
  • The Ransomware note
  • File extensions of the processed files – this variant uses .____xratteamLucked
  • Names of the affected files with the ransom notes
  • Console commands to be executed prior to encryption
  • Console commands commands to be executed after the encryption
  • A Public RSA-2048 key contained in the MSBLOB format

The TeamXRat ransomware uses an AES-256 encryption scheme in CBC mode. There are two known versions of the threat, they can be distinguished by observing the file extensions.

  1. Version I – This version uses 3 “_” symbols in the file extensions and generates a single 255-symbol password for all affected files. The password is encrypted with the RSA-2048 cipher and placed in the ransom note. The Trojan produces a 256-bit key based on this password using the CryptDeriveKey API. The malware adds the string ‘NMoreira” to the beginning of the original file and encrypts it with 245-byte blocks with the AES-256 algorithm in CBC mode. After that each block is additionally XOR’ed with a random byte, stored before the the padding of the corresponding block.
  2. Version II – This version uses 4 “_” symbols in the file extensions and generates a new 255-symbol password for each file. The passwords are once again RSA-2048 and places the data into the beginning of each affected file. The Trojan then creates a 256-bit key from the password using the same API. This key is used to encrypt the original file content.

All file searchers and encryption processes are carried out by multiple threads. When the encryption is complete TeamXRat changes the desktop background by displaying the ransom note in Portugese. After a successful execution the ransomware deletes itself from the system as an extra precaution with the following commands:

@echo off
goto Delete
@timeout 5
@del “path\sample_name.exe”
if exist “path\sample_name.exe”
goto WaitAndDelete
@del %0

The Trojan also modifies the Windows registry to add a custom handler when a user double clicks on any encrypted files. As a result when the victims clicks the ransom note is displayed on a new window using the msg.exe standard Windows utility.

TeamXRat Ransomware Removal

For a faster solution, you can run a scan with an advanced malware removal tool and delete TeamXRat completely with a few mouse clicks.

STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.

    1) Hit WIN Key + R


    2) A Run window will appear. In it, write “msconfig” and then press Enter
    3) A Configuration box shall appear. In it Choose the tab named “Boot
    4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
    5) Apply -> OK

Or check our video guide – “How to start PC in Safe Mode with Networking

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on “Organize” button
      – Select “Folder and search options
      – Select the “View” tab
      – Go under “Hidden files and folders” and mark “Show hidden files and folders” option

    3) Windows 8/ 10

      – Open “View” tab
      – Mark “Hidden items” option


    4) Click “Apply” and then “OK” button

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Get over to “Processes
    3) When you find suspicious process right click on it and select “Open File Location
    4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process
    5) Next you should go folder where the malicious file is located and delete it

STEP IV: Remove Completely TeamXRat Ransomware Using SpyHunter Anti-Malware Tool

Manual removal of TeamXRat requires being familiar with system files and registries. Removal of any important data can lead to permanent system damage. Prevent this troublesome effect – delete TeamXRat ransomware with SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

STEP V: Repair Windows Registry

    1) Again type simultaneously the Windows Button + R key combination
    2) In the box, write “regedit”(without the inverted commas) and hit Enter
    3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
    4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Further help for Windows Registry repair

STEP VI: Recover Encrypted Files

    1) Use present backups
    2) Restore your personal files using File History

      – Hit WIN Key
      – Type “restore your files” in the search box
      – Select “Restore your files with File History
      – Choose a folder or type the name of the file in the search bar


      – Hit the “Restore” button

    3) Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps


STEP VII: Preventive Security Measures

    1) Enable and properly configure your Firewall.
    2) Install and maintain reliable anti-malware software.
    3) Secure your web browser.
    4) Check regularly for available software updates and apply them.
    5) Disable macros in Office documents.
    6) Use strong passwords.
    7) Don’t open attachments or click on links unless you’re certain they’re safe.
    8) Backup regularly your data.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *