{
	"id": "da70bb48-0962-44db-84ea-6e37ceea389e",
	"created_at": "2026-04-06T00:07:10.716677Z",
	"updated_at": "2026-04-10T03:24:55.400028Z",
	"deleted_at": null,
	"sha1_hash": "b498bcceabbb4bfd5f2a286a4fc1a0faceee37b0",
	"title": "XPan, I am your father",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 497216,
	"plain_text": "XPan, I am your father\r\nBy Anton Ivanov\r\nPublished: 2017-04-24 · Archived: 2026-04-05 15:43:41 UTC\r\nWhile we have previously written on the now infamous XPan ransomware family, some of its variants are still affecting users, primarily located in Brazil. Harvesting victims via weakly protected RDP (Remote Desktop Protocol) connections, the criminals manually install the ransomware and encrypt any files that can be found on the system.\r\nInterestingly, this XPan variant is not necessarily new in the malware ecosystem. However, someone has chosen to keep on infecting victims with it, encouraging security researchers to hunt for samples related to the increasing number of incident reports. This sample is what could be considered the “father” of the other XPan ransomware variants: a considerable number of indicators within the source code point to the early origins of this sample.\r\n“Recupere seus arquivos aqui.txt”, loosely translated as “recover your files here”, is a file name that not many Brazilian users are eager to see on their desktops.\r\nThe ransomware author left a message for Kaspersky in other versions and has done the same in this one; together with the traces of the NMoreira “CrypterApp.cpp”, there is a clear link between the different variants of this malware family.\r\nhttps://securelist.com/blog/research/78110/xpan-i-am-your-father/\r\nPage 1 of 5\r\nNMoreira, XPan, TeamXRat: different names, but the same author.\r\nEven though many Brazilian-Portuguese strings are present upon initial analysis, a couple caught our attention. Firstly, the ransomware uses a batch file that passes a command line parameter to the invoked executable; this parameter is “eusoudejesus” (“eu sou de Jesus”), which means “I belong to Jesus”. Developers tend to leave tiny breadcrumbs of their personality behind in each one of their creations, and in this sample we found many of them.\r\nA brief religious reference found in this XPan variant.\r\nSecondly, a reference to a Brazilian celebrity is made, albeit indirectly. “Computador da Xuxa” was a toy computer sold in Brazil during the nineties; however, it is also a popular expression used to make fun of very old computers with limited power.\r\nThis is what cybercriminals think of your encrypted computer: just a toy they can control.\r\n“Muito bichado” (“very buggy”) describes a system riddled with problems; here it means that the environment in which XPan is executing is not playing fair and the execution is quite buggy.\r\nLastly, we have the ransom note demanding that the victim send an email to the account ‘one@proxy.tg’. Considering that the extension for all the encrypted files in this variant is ‘.one’, this seems like a pretty straightforward naming convention for the criminals’ campaigns.\r\nThe ransom note in Portuguese.\r\nUpon closer inspection, we discovered that this sample is nearly identical to another version of Xpan which was distributed back in November 2016 and used the extension “.__AiraCropEncrypted!”. Every bit of executable code remains the same, which is quite surprising, because since that time there have been several newer versions of this malware with an updated encryption algorithm. Both samples have the same PE timestamp, dating back to the 31st of October 2016.\r\nThe only difference between the two is the configuration block, which contains the following information:\r\nlist of target file extensions;\r\nransom notes;\r\ncommands to execute before and after encryption;\r\nthe public RSA key of the criminals.\r\nThe decrypted configuration block of Xpan that uses the extension “.one”.\r\nThe file encryption algorithm also remains the same. For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the CryptDeriveKey API (which derives the key from a hash of S), and proceeds to encrypt the file contents using AES-256 in CBC mode with a zero IV. The string S is then encrypted with the criminals’ RSA public key from the configuration block and stored at the beginning of the encrypted file.\r\nAccording to one of the victims who contacted us, the criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as before: the user sends a message to a mailbox with his unique ID and patiently awaits further instructions.\r\nThe victims so far are small and medium businesses in Brazil, ranging from a dentist clinic to a driving school, demonstrating once again that ransomware makes no distinctions and everyone is at risk. As long as there are victims, assisting them and providing decryption tools whenever possible is necessary, no matter the ransomware family or when it was created.\r\nVictims: we can help\r\nThis time luck is on the victims’ side! Upon thorough investigation and reverse engineering of the sample of the “.one” version of Xpan, we discovered that the criminals used a vulnerable cryptographic algorithm implementation. It allowed us to break the encryption, as with the previously described Xpan version.\r\nWe successfully helped a driving school and a dentist clinic to recover their files for free, and as usual we encourage victims of this ransomware not to pay the ransom and to contact our technical support for assistance with decryption.\r\nBrazilian cybercriminals are focusing their efforts on creating new and local ransomware families, attacking small companies and unprotected users. We believe this is the next step in the ransomware fight: going from global-scale attacks to a more localized scenario, where local cybercriminals create new families from scratch, in their own language, and resort to RaaS (Ransomware-as-a-Service) as a way to monetize their attacks.\r\nMD5 reference\r\ndd7033bc36615c0fe0be7413457dccbf – Trojan-Ransom.Win32.Xpan.e (encrypted file extension: “.one”)\r\n54217c1ea3e1d4d3dc024fc740a47757 – Trojan-Ransom.Win32.Xpan.d (encrypted file extension: “.__AiraCropEncrypted!”)\r\nSource: https://securelist.com/blog/research/78110/xpan-i-am-your-father/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/blog/research/78110/xpan-i-am-your-father/"
	],
	"report_names": [
		"xpan-i-am-your-father"
	],
	"threat_actors": [
		{
			"id": "4e98dd18-e285-4e15-a810-4962bed803e9",
			"created_at": "2023-01-06T13:46:38.492471Z",
			"updated_at": "2026-04-10T02:00:02.997615Z",
			"deleted_at": null,
			"main_name": "TeamXRat",
			"aliases": [
				"CorporacaoXRat",
				"CorporationXRat"
			],
			"source_name": "MISPGALAXY:TeamXRat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775791495,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b498bcceabbb4bfd5f2a286a4fc1a0faceee37b0.pdf",
		"text": "https://archive.orkl.eu/b498bcceabbb4bfd5f2a286a4fc1a0faceee37b0.txt",
		"img": "https://archive.orkl.eu/b498bcceabbb4bfd5f2a286a4fc1a0faceee37b0.jpg"
	}
}
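The per-file scheme the report describes in the plain_text above (a 255-byte random S containing "NMoreira", a 256-bit AES key derived from S through CryptDeriveKey, AES-256-CBC with a zero IV over the file contents, and S encrypted with the criminals' RSA public key and stored at the start of the encrypted file) is modelled below in Go as an added example. It is not code from the report or from the malware. Everything the report does not state is an assumption of this model: CryptDeriveKey is stood in for by SHA-256(S) (the report does not name the hash), the RSA block is PKCS#1 v1.5 and sits at the very start of the file with no length prefix (its length is the modulus size), the AES data is PKCS#7 padded, "NMoreira" is placed at a random offset inside S, and a 3072-bit key is used because a 255-byte S does not fit in a single 2048-bit PKCS#1 v1.5 block. The sample plaintext is constructed. The report does not say which implementation flaw let Kaspersky recover files, so the model does not reproduce it; what it shows is the layout a decryptor has to parse and why the NMoreira substring is a useful sanity check on a recovered S.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Substring the report says every per-file random string S contains.
const sMarker = "NMoreira"

// aesKey stands in for CryptDeriveKey, which keys AES from a hash of S; SHA-256 is an assumption.
func aesKey(s []byte) []byte {
	h := sha256.Sum256(s)
	return h[:]
}

// EncryptFile writes [RSA-PKCS#1v1.5(S)][AES-256-CBC(PKCS#7(plaintext))] with a zero IV.
// The zero IV and the per-file 255-byte S are from the report; PKCS#1 v1.5, PKCS#7 padding
// and placing "NMoreira" at a random offset inside S are assumptions of this model.
func EncryptFile(pub *rsa.PublicKey, plain []byte) ([]byte, error) {
	buf := make([]byte, 256) // 255 bytes of S plus one byte to pick the marker offset
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	s := buf[:255]
	copy(s[int(buf[255])%(len(s)-len(sMarker)+1):], sMarker)
	encS, err := rsa.EncryptPKCS1v15(rand.Reader, pub, s) // S goes at the start of the file
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(aesKey(s)) // 32-byte key, so NewCipher cannot fail
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte(nil), plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, padded)
	return append(encS, ct...), nil
}

// DecryptFile is the recovery path once the criminals' RSA private key is known: the RSA
// block is as long as the modulus, so its boundary follows from the key itself.
func DecryptFile(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	n := priv.Size()
	if len(data) < n+aes.BlockSize || (len(data)-n)%aes.BlockSize != 0 {
		return nil, errors.New("truncated RSA header or ciphertext")
	}
	s, err := rsa.DecryptPKCS1v15(rand.Reader, priv, data[:n])
	if err != nil {
		return nil, err
	}
	if len(s) != 255 || !bytes.Contains(s, []byte(sMarker)) { // genuine S is 255 bytes with the marker
		return nil, errors.New("recovered S lacks the NMoreira marker: wrong key or corrupt header")
	}
	block, _ := aes.NewCipher(aesKey(s))
	pt := make([]byte, len(data)-n)
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, data[n:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or corrupt file")
	}
	return pt[:len(pt)-pad], nil
}

// selfTest round-trips a constructed document and confirms a wrong key is rejected. It uses
// 3072-bit RSA because a 255-byte S cannot fit one 2048-bit PKCS#1 v1.5 block (245-byte max).
func selfTest() error {
	priv, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return err
	}
	plain := []byte("constructed sample: appointment list, driving school, 2017")
	enc, err := EncryptFile(&priv.PublicKey, plain)
	if err != nil {
		return err
	}
	if dec, err := DecryptFile(priv, enc); err != nil || !bytes.Equal(dec, plain) {
		return fmt.Errorf("round trip failed: %v", err)
	}
	other, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return err
	}
	if _, err := DecryptFile(other, enc); err == nil {
		return errors.New("decryption with the wrong private key was accepted")
	}
	return nil
}

func main() {
	if err := selfTest(); err != nil {
		panic(err)
	}
	fmt.Println("model round-trips; a wrong RSA private key is rejected")
}
```

Because S is fresh per file, the fixed IV on its own does not let two encrypted files be compared, so a decryptor without the criminals' private key needs some other way to recover S; DecryptFile's marker check is the cheap test that whatever it recovered really is the original string.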