{
	"id": "f9a24538-4983-46bb-a5df-268f7f963f96",
	"created_at": "2026-04-06T01:31:50.639643Z",
	"updated_at": "2026-04-10T03:22:10.168754Z",
	"deleted_at": null,
	"sha1_hash": "45ef648448d77d276c0616cf08d3c8a300b1ef47",
	"title": "Ransomware Roundup - New Inlock and Xorist Variants | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67504,
	"plain_text": "Ransomware Roundup - New Inlock and Xorist Variants |\r\nFortiGuard Labs\r\nBy Shunichi Imano and James Slaughter\r\nPublished: 2022-11-10 · Archived: 2026-04-06 00:52:15 UTC\r\nFortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our\r\ndatasets and the OSINT community. The bi-weekly Ransomware Roundup report provides brief insights into the\r\nevolving ransomware landscape along with the Fortinet solutions that protect against those variants.\r\nThis latest edition of the Ransomware Roundup covers the Inlock ransomware and a new variant of the Xorist\r\nransomware that appears to target Cuba.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\r\nSeverity level: High\r\nInlock Ransomware\r\nInlock is a typical ransomware that encrypts files on a compromised machine and demands ransom from a victim\r\nin exchange for recovering the affected files.\r\nFiles encrypted by this latest variant have a “.inlock” file extension. It also leaves a ransom note titled\r\nREAD_IT.txt, which contains a ransom message in Spanish.\r\nThe ransom message translated into English reads:\r\niiYOUR COMPUTER HAS BEEN ENCRYPTED!!! We are very sorry, but you have been the target of a cyber\r\nattack. All your personal data has been encrypted. Please contact me to negotiate the ransom. Once I receive the\r\npayment, I will send you the decryption tool to decrypt all the files. I hope you have nothing of great value ;)\r\nDo not lose the following code or you will never be able to recover your data again:\r\nIt also changes the desktop wallpaper.\r\nAn apparent design failure in the Inlock ransomware is that it does not provide any contact information so victims\r\ncan reach out to the attacker about file decryption. The ransomware also deletes volume shadow copies. With no\r\nattacker contact information available, victims cannot recover their encrypted files.\r\nNew Variant of Xorist Ransomware\r\nhttps://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants\r\nPage 1 of 4\n\nFortiGuard Labs also recently came across a new variant of the Xorist ransomware. The Xorist ransomware\r\nfamily has been in the wild for at least five years, with some reports suggesting its lifespan has been closer to a\r\ndecade.\r\nWhile we do not know precisely how this new Xorist ransomware variant is distributed to victims, there are a few\r\nclues. For example, the ransomware’s executable file is named “Ley del Presidente y Vicepresidente de la\r\nRepública de Cuba.pdf.exe,” which translates to “Law of the President and Vice President of the Republic of\r\nCuba.pdf.exe.” Another clue is that relevant samples were primarily submitted to VirusTotal on October 31st from\r\nCuba.\r\nCoincidentally, a benign PDF file, “Ley del Presidente y Vicepresidente de la República de Cuba.pdf,” was\r\nsubmitted to VirusTotal on the same day. This PDF is labeled as the “Official Gazette of the Republic of Cuba” on\r\nthe National Assembly of People's Power held in late 2020. Its parent file is a self-extracting .rar file that contains\r\nthe PDF file but is also designed to launch a missing “You Are Hacked.exe” application, which is the name of the\r\nfile being dropped by samples of this Xorist ransomware variant. We believe that the missing “You Are\r\nHacked.exe” application was removed by the VirusTotal uploader prior to the file submission.\r\nThis information leads us to believe that the attacker prepared two types of files to distribute the Xorist variant: a\r\nfake PDF file that attempts to fool victims into thinking they’ve opened a legitimate file issued by the Cuban\r\ngovernment and another fake PDF file that is actually a malicious executable.\r\nThe Xorist ransomware variant leaves a ransom note in Spanish.\r\nThe ransom message translated into English reads:\r\nATTENTION!\r\nALL YOUR FILES ARE ENCRYPTED! To restore your files and access them, please send $100 in Bitcoin to this\r\nQR code.\r\nIF YOU DO NOT PAY WITHIN 48 HOURS ALL YOUR FILES WILL BE DELETED IRREVERSIBLY YOU HAVE\r\n5 ATTEMPTS TO ENTER YOUR CORRECT CODE.\r\nThe ransom demand is $100 worth of Bitcoin, which is considered cheap for Enterprises.\r\nThese clues are enough for us to conclude that this Xorist ransomware variant was likely designed to target\r\nconsumers in Cuba.\r\nThe ransomware also replaces the desktop wallpaper with a ransom message. It includes a QR code with the\r\nattacker’s Bitcoin wallet address. As of this writing, this wallet has not recorded a single transaction.\r\nFortinet Protections\r\nFortinet customers are already protected from these malware variants through FortiGuard’s Web Filtering,\r\nAntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:\r\nFortiGuard Labs detects the ransomware variants covered in this blog with the following AV signatures:\r\nhttps://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants\r\nPage 2 of 4\n\nW32/Filecoder.Q!tr.ransom\r\nPossibleThreat\r\nW32/PossibleThreat\r\nIOCs\r\nInlock ransomware variant\r\n96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd\r\nXorist ransomware variant\r\n14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6\r\n7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e\r\n097f45297c3595c45ccf60dff0508e77cbd7b96c9f1caca172635dcccf04f7a3\r\n95c2dd45f074296cbbbfb37c004ebdf3db4240821cb8a8bba5ce6710285e4b4d\r\n38f226d2c7ac8a803d3d1233a234a0c60d2ce88528fcf48092223e88eedf5023 (benign PDF file)\r\nFortiGuard Labs Guidance\r\nDue to the ease of disruption, damage to daily operations, potential impact to an organization's reputation, and the\r\nunwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS\r\nsignatures up to date.\r\nSince the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet\r\nsolutions designed to train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nOur FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed\r\nto help end users learn how to identify and protect themselves from various types of phishing attacks and can be\r\neasily added to internal training programs.\r\nOrganizations will need to make foundational changes to the frequency, location, and security of their data\r\nbackups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with\r\ndigital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks\r\ncan come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices;\r\nadvanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware\r\nmid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and\r\nresources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a\r\nsuccessful ransomware attack.\r\nAs part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across\r\nyour security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants\r\nPage 3 of 4\n\nservice offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.\r\nBest Practices include Not Paying a Ransom\r\nOrganizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom\r\npartly because payment does not guarantee that files will be recovered. According to a U.S. Department of\r\nTreasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to\r\ntarget additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit\r\nactivities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a\r\nRansomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes\r\nComplaint Center (IC3).\r\nHow Fortinet Can Help\r\nFortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is\r\ndetected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare\r\nfor a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop\r\nexercises).\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nAI-powered security services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants\r\nhttps://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants"
	],
	"report_names": [
		"Ransomware-Roundup-New-Inlock-and-Xorist-Variants"
	],
	"threat_actors": [],
	"ts_created_at": 1775439110,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45ef648448d77d276c0616cf08d3c8a300b1ef47.pdf",
		"text": "https://archive.orkl.eu/45ef648448d77d276c0616cf08d3c8a300b1ef47.txt",
		"img": "https://archive.orkl.eu/45ef648448d77d276c0616cf08d3c8a300b1ef47.jpg"
	}
}