{
	"id": "2612355c-4209-4944-9ea5-bd3da3bd7f0f",
	"created_at": "2026-04-06T00:13:36.571719Z",
	"updated_at": "2026-04-10T03:24:55.40154Z",
	"deleted_at": null,
	"sha1_hash": "ae6106aecbc8f5e19a01dc23de550976a418a4e5",
	"title": "TeamXRat: Brazilian cybercrime meets ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 575951,
	"plain_text": "TeamXRat: Brazilian cybercrime meets ransomware\r\nBy GReAT\r\nPublished: 2016-09-29 · Archived: 2026-04-02 10:51:16 UTC\r\nBrazilian cybercriminals are notorious for their ability to develop banking trojans but now they have started to\r\nfocus their efforts in new areas, including ransomware. We discovered a new variant of a Brazilian-made\r\nransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly\r\naffecting innocent people, encrypting their files using the extension “.___xratteamLucked” and asking to pay the\r\nransom.\r\nThe Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a Hospital in\r\nBrazil that had fallen victim to this Ransomware family.\r\nActually, this is not the first ransomware to come out of Brazil. In the past, we investigated TorLocker and its\r\nflawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal. We also saw a lot\r\nof copycats use HiddenTear in local attacks. Trojan Ransom Xpan was created by an organized gang, which used\r\ntargeted attacks via RDP that abused weak passwords and wrong implementations.\r\nIn this post, we’ll explain this new Ransomware family and how Brazilian coders are creating new ransomware\r\nfrom scratch.\r\nThe group behind the attack\r\nThe group identifies itself as “TeamXRat“and “CorporacaoXRat“.\r\n(Translating from Portuguese to English as “CorporationXRat”)\r\nTheir first ransom trojan consisted of using a simple XOR based encryption, described by some victims here\r\n(most of the victims are from Brazil). The new version of Xpan Ransomware shows that the cybercriminals\r\nbehind it have improved the code to make it more complex, also switching the encryption scheme.\r\nThe ransom texts used by the group are written in Portuguese from Brazil. 
The messages do not state how much the victim has to pay to retrieve their files, nor the payment method required (which is usually Bitcoin). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg (for example corporacaoxrat@mail2tor.com, xRatTeam@mail2tor.com and xratteam@email.tg), including the public key used by the ransomware to encrypt the files. Older versions of this ransomware also used accounts at another email service, Protonmail, such as corporacaoxrat@protonmail.com, which is now deactivated.\r\nWhen the victim gets in touch with the group, they start to negotiate the ransom payment. All communication is in Portuguese and they request 1 BTC (about 603 USD at the time) to decrypt the files. The group also claims that the payment is a “donation”, arguing that “they exploited flaws in your system and carried out the attack in order to make sure you increase your security”. Finally, the cybercriminals also offer to decrypt one file for free:\r\nhttps://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/\r\nPage 1 of 12\n\n“For me only the ‘donation’ is important. Not your files. If your files are important to you, I advise you to make the donation; otherwise, you’ll lose all your files”\r\nXpan, how it works\r\nThe sample is UPX packed. Once executed it checks the default language of the infected system, stored in the following registry key: HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\LOCALE\r\nIt also queries the local time and reads the computer name from the registry, and runs several standard command-line tools such as net.exe, sc.exe and taskkill.exe (the pre-encryption commands are listed below). Interestingly, it also deletes any proxy setting defined in the system, located in: HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP.\r\nThe targets are companies and corporations, which may use proxies that block access to certain web resources. 
It is highly probable that this is done to remove those restrictions, so that the victim can email the attackers and reach Bitcoin resources online from the infected machine.\r\nAfter completing its execution, the ransomware displays the following image on the affected system:\r\n“All your files were encrypted using a RSA 2048 bits encryption”\r\nThe sample is written in C++ and uses STL, and is built as a console application. Throughout its execution it logs all its actions to the console, only to clear it once the encryption process has finished.\r\nThe operation of this malware is ‘guided’ by the configuration data block stored inside the body of the Trojan:\r\nDecrypted configuration block\r\nThe configuration contains the following details:\r\nDrive letters which will be processed;\r\nDenylisted substrings: files whose path contains any of these strings will not be encrypted;\r\nRansom text message for the victim;\r\nExtension of the encrypted files (in this case, .____xratteamLucked);\r\nName of the file with the ransom notes;\r\nConsole commands to be executed before the file encryption;\r\nConsole commands to be executed after the encryption;\r\nA public RSA-2048 key in the MSBLOB format.\r\nPart of the pseudocode of the main procedure\r\nFrom Xorist to Xpan\r\nA previous ransomware sample that was believed to be part of the TeamXRat campaign used a simple encryption algorithm known as TEA (Tiny Encryption Algorithm). 
After comparing this original version (dubbed Xorist) against the new Xpan variant, we could observe that they are now using an AES-256 encryption scheme.\r\nXorist ransomware TEA constant\r\nXpan ransomware now has evolved to use AES-256 encryption\r\nXorist vs Xpan:\r\nPersistence: Xorist starts automatically when the user logs in, using the registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run; Xpan uses no persistence.\r\nEncryption: Xorist uses the Tiny Encryption Algorithm; Xpan uses AES-256.\r\nBuild: Xorist is written in ASM and linked with the MS linker; Xpan is written in C++ and built with the MinGW compiler.\r\nTargeted files: Xorist includes a list of file extensions that are to be encrypted; Xpan encrypts everything except .exe and .dll files and files with denylisted substrings in the path.\r\nThe developers have clearly shifted their development procedures in the Xpan malware. It is typical for cybercriminals to evolve their techniques once a decryption method has been found for their ransomware, or once a specific variant is widely detected.\r\nList of file extensions that Xorist ransomware will search for and encrypt\r\nFile Encryption\r\nThe trojan uses the implementation of cryptographic algorithms provided by MS CryptoAPI. The files are encrypted with AES-256 in CBC mode.\r\nThere are 2 known versions of this trojan that can be distinguished by their extensions. The first one uses “___xratteamLucked” (3 ‘_’ symbols) and the second one “____xratteamLucked” (4 ‘_’ symbols). These 2 versions employ different techniques to encrypt the files, which we describe in more detail below.\r\nVersion 1 (3 ‘_’ symbols in the extension)\r\nThe trojan generates a single 255-symbol password for all files. 
This password is encrypted with RSA-2048 and put into the ransom note (concatenated with the public key). Then the trojan produces a 256-bit key from this password using the API CryptDeriveKey; this key is used to encrypt all files.\r\nWhen processing each file, the malware adds the string ‘NMoreira’ to the beginning of the original file and encrypts the file content in 245-byte blocks using the AES-256 algorithm in CBC mode. Each block is additionally XOR’ed with a random byte which is stored before the padding of the corresponding block.\r\nVersion 2 (4 ‘_’ symbols in the extension)\r\nFor each file, the trojan generates a new 255-symbol password, encrypts this password with RSA-2048 and puts this data at the beginning of the encrypted file. Then, the trojan produces a 256-bit key from this password using the API CryptDeriveKey, and uses this key to encrypt the original file content (AES-256 CBC). In version 1 a single recovered password therefore unlocks every file on the machine, whereas in version 2 each file carries its own RSA-wrapped password.\r\nFile search and encryption is carried out by multiple threads, each thread processing one disk.\r\nRansomware in action: console output listing the encrypted files\r\nAfter encryption is completed, the malware changes the desktop wallpaper and displays this file, with the ransom note:\r\nThe ransom note, in Portuguese\r\nBefore encrypting the data on the affected system, the ransomware executes the following commands to stop popular database services, so that database files (which would otherwise be held open by the running service) are encrypted as well, causing greater damage to the victim:\r\necho Iniciando pre comandos\r\necho Parando Firbird\r\nsc config FirebirdServerDefaultInstance start=disabled\r\ntaskkill /IM fb_inet_server.exe /F\r\nnet stop FirebirdServerDefaultInstance\r\necho parando SQL SERVE\r\ntaskkill /IM sqlservr.exe /F\r\nsc 
config MSSQLSERVER start=disabled\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nnet stop MSSQLSERVER\r\nnet stop MSSQL$SQLEXPRESS\r\necho parando poostgree\r\ntaskkill /IM pg_ctl.exe /F\r\nsc config postgresql-9.0 start=disabled\r\nnet stop postgresql-9.0\r\nAfter the execution, the ransomware deletes itself from the system, to remove the original infector:\r\n@echo off\r\ngoto Delete\r\n:WaitAndDelete\r\n@timeout 5\r\n:Delete\r\n@del “path\\sample_name.exe”\r\nif exist “path\\sample_name.exe”\r\ngoto WaitAndDelete\r\n@del %0\r\nAfter the encryption has finished, the trojan modifies the registry to add a custom handler for the action of double-clicking on any of the encrypted files. As a result, when the victim clicks on a file with the extension “.____xratteamLucked”, the command stored in the registry is executed, and this command shows the ransom note in a new window using msg.exe (a standard utility shipped with Windows).\r\nWindows Registry modified by the ransomware\r\nHow they attack\r\nMost TeamXRat attacks are carried out manually: the group brute-forces RDP (Remote Desktop Protocol) credentials and then installs the ransomware on the compromised server. Exposing Remote Desktop servers directly to the Internet is not recommended and brute-forcing them is nothing new, but without proper controls in place to prevent these attacks, or at least to detect and respond to compromised machines, RDP brute forcing remains effective and something that cybercriminals enjoy. 
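The pre-encryption command sequence listed above (sc config ... start=disabled, taskkill /IM ... /F, net stop ...) is a strong hunting signal on its own: few legitimate administrators disable and kill three database engines from one session within seconds. The following Python script is an added example written for this page, not code from the original post or from Kaspersky. It runs that sequence detection over a few constructed process-creation events (the event lines, host names and user names are made up) and alerts when two or more distinct tampering categories appear for one host/user pair inside a short window. The process and service name lists are assumptions and should be extended to whatever your estate runs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 / Windows 4688 style),
# not a real capture. Fields: timestamp|host|user|command line.
SAMPLE_EVENTS = [
    '2016-09-20T03:14:01|SRV-DB01|svc_backup|cmd.exe /c echo Parando Firbird',
    '2016-09-20T03:14:02|SRV-DB01|svc_backup|sc config FirebirdServerDefaultInstance start=disabled',
    '2016-09-20T03:14:02|SRV-DB01|svc_backup|taskkill /IM fb_inet_server.exe /F',
    '2016-09-20T03:14:03|SRV-DB01|svc_backup|net stop FirebirdServerDefaultInstance',
    '2016-09-20T03:14:04|SRV-DB01|svc_backup|taskkill /IM sqlservr.exe /F',
    '2016-09-20T03:14:04|SRV-DB01|svc_backup|sc config MSSQLSERVER start=disabled',
    '2016-09-20T03:14:05|SRV-DB01|svc_backup|net stop MSSQLSERVER',
    # Planned maintenance on another host: one stop and one start, no alert expected.
    '2016-09-20T09:00:00|SRV-APP02|dba_maria|net stop MSSQLSERVER',
    '2016-09-20T09:30:00|SRV-APP02|dba_maria|net start MSSQLSERVER',
]

# Processes named in the Xpan pre-commands plus a few siblings (assumption:
# extend both lists to the database engines your environment actually runs).
DB_PROCESSES = {'sqlservr.exe', 'fb_inet_server.exe', 'pg_ctl.exe', 'postgres.exe', 'mysqld.exe'}
DB_SERVICE_RE = re.compile('mssql|sqlexpress|firebird|postgres|mysql', re.I)

SC_DISABLE_RE = re.compile('^sc(?:[.]exe)?[ ]+config[ ]+(?P<svc>[^ ]+)[ ]+start=[ ]*disabled', re.I)
TASKKILL_RE = re.compile('^taskkill(?:[.]exe)?[ ].*/IM[ ]+(?P<img>[^ ]+)', re.I)
NET_STOP_RE = re.compile('^net(?:[.]exe)?[ ]+stop[ ]+(?P<svc>[^ ]+)', re.I)


def classify(cmdline):
    '''Map one command line to a tampering category, or None if it is not one.'''
    m = SC_DISABLE_RE.match(cmdline)
    if m and DB_SERVICE_RE.search(m.group('svc')):
        return 'sc_disable'
    m = TASKKILL_RE.match(cmdline)
    if m and m.group('img').lower() in DB_PROCESSES:
        return 'taskkill'
    m = NET_STOP_RE.match(cmdline)
    if m and DB_SERVICE_RE.search(m.group('svc')):
        return 'net_stop'
    return None


def detect(events, window_seconds=300, min_categories=2):
    '''Group category hits by (host, user) and raise one alert per pair when at
    least min_categories distinct categories occur within window_seconds.'''
    hits = defaultdict(list)
    for line in events:
        ts, host, user, cmd = line.split('|', 3)
        cat = classify(cmd.strip())
        if cat:
            hits[(host, user)].append((datetime.fromisoformat(ts), cat, cmd.strip()))
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        for t0, _, _ in seq:
            window = [h for h in seq if t0 <= h[0] <= t0 + timedelta(seconds=window_seconds)]
            cats = {h[1] for h in window}
            if len(cats) >= min_categories:
                alerts.append({'host': host, 'user': user, 'start': t0,
                               'categories': sorted(cats), 'commands': [h[2] for h in window]})
                break  # one alert per host/user pair is enough for triage
    return alerts


if __name__ == '__main__':
    for a in detect(SAMPLE_EVENTS):
        print(a['host'], a['user'], a['start'], a['categories'])
        for c in a['commands']:
            print('   ', c)
```

The single net stop by dba_maria on SRV-APP02 does not alert, because only one category is seen for that pair; the SRV-DB01 session trips all three categories within four seconds. In a real deployment, feed the detector from your SIEM and pair it with the registry indicators the post describes (the ZoneMap proxy deletion and the shell handler for the .____xratteamLucked extension).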
Once the server is compromised, the attacker manually disables the antivirus product installed on the server and proceeds with the infection itself.\r\nWe are also aware that vulnerabilities in the RDP protocol such as MS15-067 (remote code execution) and MS15-030 (denial of service), which are triggered by a specially crafted sequence of packets sent to the targeted system, can be used by cybercriminals if a server is not patched and is exposed to attacks.\r\nAs we saw in the recent xDedic research, vulnerable servers with exposed RDP connections are very valuable assets in the hands of cybercriminals. Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal.\r\nxDedic: compromised Brazilian RDP servers were available in the underground market\r\nDecryption: we can help!\r\nIf the victim pays the ransom, the cybercriminals send this tool to decrypt the files:\r\nDecryption tool sent by the attackers after payment\r\nBut the good news is that the Kaspersky Anti-Ransom team was able to break the encryption used by the Xpan Trojan. This made possible the decryption of files belonging to a hospital in Brazil which was hit by this ransomware family.\r\nIf you’re a victim of this new ransomware family and need help to decrypt your files, please DON’T PAY the ransom. Instead, contact us via support.\r\nConclusion\r\nAs we can see, Brazilian bad guys are now diversifying their “business” with new ransomware families developed from scratch, abandoning older versions that used XOR encryption and adopting new, more robust encryption algorithms. 
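For the RDP brute-force entry vector described in the How they attack section, the detection a practitioner wants is a burst of failed logons per source address followed by a successful RemoteInteractive logon from the same address. The following Python script is an added example written for this page, not code from the original post or from Kaspersky. It runs over a few constructed Windows Security log extracts (Event IDs 4625 and 4624 with LogonType 10; the addresses and user names are made up) and reports, per source IP, how many failures were seen in the window, which usernames were tried and whether a success followed. The threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log extract, not a real capture. Fields:
# timestamp|EventID|LogonType|TargetUserName|IpAddress
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOGONS = [
    '2016-09-19T22:00:01|4625|10|administrator|203.0.113.45',
    '2016-09-19T22:00:02|4625|10|admin|203.0.113.45',
    '2016-09-19T22:00:02|4625|10|sql|203.0.113.45',
    '2016-09-19T22:00:03|4625|10|backup|203.0.113.45',
    '2016-09-19T22:00:04|4625|10|administrator|203.0.113.45',
    '2016-09-19T22:00:05|4625|10|administrator|203.0.113.45',
    '2016-09-19T22:00:09|4624|10|administrator|203.0.113.45',
    # A user who mistypes a password once and then logs in: no finding expected.
    '2016-09-19T22:05:00|4625|10|maria|198.51.100.7',
    '2016-09-19T22:05:10|4624|10|maria|198.51.100.7',
    # Non-RDP noise (LogonType 3, network logon) is ignored by the RDP filter.
    '2016-09-19T22:06:00|4625|3|svc_scan|198.51.100.9',
]

FAIL_THRESHOLD = 5              # assumption: failures per source IP before alerting
WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting failures


def parse(line):
    ts, event_id, logon_type, user, ip = line.split('|')
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, ip


def detect_rdp_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    '''Return one finding per source IP that reaches `threshold` failed RDP logons
    within `window`; the finding also records the first successful RDP logon from
    that IP after the burst, which is the likely account takeover.'''
    events = sorted(parse(l) for l in lines)
    failures = defaultdict(list)
    findings = {}
    for ts, event_id, logon_type, user, ip in events:
        if logon_type != 10:
            continue
        if event_id == 4625:
            # Slide the window: keep only failures from the last `window`.
            failures[ip] = [f for f in failures[ip] if ts - f[0] <= window] + [(ts, user)]
            if len(failures[ip]) >= threshold:
                f = findings.setdefault(ip, {'first_failure': failures[ip][0][0],
                                             'success_after': None})
                f['failures'] = len(failures[ip])
                f['usernames'] = sorted({u for _, u in failures[ip]})
        elif event_id == 4624 and ip in findings and findings[ip]['success_after'] is None:
            findings[ip]['success_after'] = (ts, user)
    return findings


if __name__ == '__main__':
    for ip, f in detect_rdp_bruteforce(SAMPLE_LOGONS).items():
        print(ip, f['failures'], 'failures, usernames:', f['usernames'])
        if f['success_after']:
            print('   success after burst:', f['success_after'][1], 'at', f['success_after'][0])
```

A finding with success_after set is the one to act on first: the source address should be blocked and the account reset, and the host treated as compromised, since the post shows that the attacker's next steps are disabling the antivirus and running the ransomware by hand. The same logic applies to account lockout policy and Network Level Authentication as preventive controls, which reduce how many guesses a source can make before it is noticed.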
This is a clear signal that they have started to explore new schemes with new targets and newer types of attacks.\r\nAs we forecasted at the beginning of this year, we expect ransomware attacks to gain ground on banking trojans and to transition to other platforms. Ransomware has two advantages over traditional banking threats: direct monetization using an anonymous payment system (usually Bitcoin), and a relatively low cost per victim. Certainly, this is very attractive to Brazilian crooks, well known for their banking trojan development. Brazilian law enforcement is very good at catching criminals (although they are not always convicted and imprisoned) by “following the money”, something that we know is not entirely possible for Bitcoin payments.\r\nWe detect this new threat as Trojan-Ransom.Win32.Xpan.a and PDM:Trojan.Win32.Generic.\r\nWe’ll keep an eye out for new variants, which will surely appear from the same or other threat actors.\r\nMD5 reference: 34260178f9e3b2e769accdee56dac793\r\nSource: https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
	],
	"report_names": [
		"teamxrat-brazilian-cybercrime-meets-ransomware"
	],
	"threat_actors": [
		{
			"id": "4e98dd18-e285-4e15-a810-4962bed803e9",
			"created_at": "2023-01-06T13:46:38.492471Z",
			"updated_at": "2026-04-10T02:00:02.997615Z",
			"deleted_at": null,
			"main_name": "TeamXRat",
			"aliases": [
				"CorporacaoXRat",
				"CorporationXRat"
			],
			"source_name": "MISPGALAXY:TeamXRat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434416,
	"ts_updated_at": 1775791495,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae6106aecbc8f5e19a01dc23de550976a418a4e5.pdf",
		"text": "https://archive.orkl.eu/ae6106aecbc8f5e19a01dc23de550976a418a4e5.txt",
		"img": "https://archive.orkl.eu/ae6106aecbc8f5e19a01dc23de550976a418a4e5.jpg"
	}
}