Xorist

Xorist is a significant threat actor in the cybersecurity landscape, known for its malicious activities involving ransomware attacks. The Xorist ransomware first emerged in 2010 and primarily targets Windows systems. It operates under the Ransomware-as-a-Service (RaaS) model with a builder called "Encoder Builder v.24" available on underground forums, facilitating the creation of new variants. The ransomware has been notably associated with file extensions like .WoXoTo or .RSA-4096 and drops a ransom note named "HOW TO DECRYPT FILES.txt". Decrypting tools have been developed to counteract Xorist's impact, such as those provided by Trend Micro and Emsisoft, which have proven effective against major ransomwares including Apocalypse, Xorist, Stampado, and BadBlock. In early 2024, cybersecurity firm Talos discovered a new ransomware family called MortalKombat, generated by the leaked Xorist ransomware builder. Despite being a new entrant, MortalKombat shares striking similarities with the Xorist ransomware family, evidenced by commonalities in code, class name, and registry key strings. This led experts to assess with high confidence that MortalKombat belongs to the Xorist ransomware family. MortalKombat spreads through phishing emails and targets exposed Remote Desktop Protocol (RDP) instances, further extending the reach and potential impact of the Xorist threat actor. The ongoing evolution and adaptation of the Xorist ransomware pose a considerable threat to cybersecurity. The emergence of new variants and the development of derivative ransomware families like MortalKombat underscore the persistent risk associated with this threat actor. As such, it remains crucial for organizations to maintain robust security measures, including regular system updates, backups, and user education on phishing scams. Furthermore, the continued development and application of decryption tools will be vital in mitigating the effects of Xorist-related ransomware attacks.