A GitHub user named hackerxphantom, or XPhantom, created XRansom. The tool was allegedly created for educational purposes only, but the variants seen in the wild show that malicious actors have been misusing it. Free Followers, for example, is a variant built with XRansom. XRansom is what is known as a builder - a tool that lets users generate ransomware payloads. XPhantom wrote the builder in Python, and its behavior is elementary. As advertised, the payload doesn't require root access, and the builder lets users customize the app icon, app name, ransom note title and description, and the password to unlock the device.
Fortunately, this isn't traditional ransomware that encrypts files. It is a locker: it locks the user out of the device by using the SYSTEM_ALERT_WINDOW permission. A window drawn with this permission overlays the entire screen, and the user can't dismiss it without performing a particular action. Here, that action is entering a password, but even a correctly entered password only closes the alert window for a moment before it immediately reopens. The result is an infinite loop, broken only by restarting the device or killing the app process. It's not sophisticated ransomware, but ransomware nonetheless.
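As an added example, not part of the original write-up or of XPhantom's code, the following Python script performs the triage a responder would want for this family: it parses a decoded AndroidManifest.xml (the manifest below is constructed for illustration, and the package name com.example.locker is hypothetical), flags the SYSTEM_ALERT_WINDOW request the locker depends on, and prints the adb commands that kill the process and revoke the overlay permission so the window cannot reopen.

```python
"""Triage a decoded AndroidManifest.xml for the overlay-locker pattern.

Added example, not XRansom's own code. Flags apps that request
android.permission.SYSTEM_ALERT_WINDOW (the permission the locker uses to
draw over the whole screen) and emits the adb commands that break the
reopen loop on a test device without rebooting.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample of a decoded manifest (as produced by e.g. apktool).
# Not a real XRansom artifact; the package name is hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.locker">
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Sample Locker">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, label, [requested permissions]) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = [
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.iter("uses-permission")
    ]
    app = root.find("application")
    label = app.get(f"{{{ANDROID_NS}}}label", "") if app is not None else ""
    return package, label, perms


def requests_overlay(xml_text):
    """True if the app declares SYSTEM_ALERT_WINDOW, a precondition for the full-screen lock."""
    _, _, perms = parse_manifest(xml_text)
    return OVERLAY_PERMISSION in perms


def remediation_commands(package):
    """adb commands that end the overlay loop: stop the process, deny the
    draw-over-apps permission so the window cannot come back, then remove the app."""
    return [
        f"adb shell am force-stop {package}",
        f"adb shell appops set {package} SYSTEM_ALERT_WINDOW deny",
        f"adb uninstall {package}",
    ]


if __name__ == "__main__":
    pkg, label, perms = parse_manifest(SAMPLE_MANIFEST)
    print(f"package={pkg} label={label!r}")
    print("permissions:", ", ".join(perms))
    if requests_overlay(SAMPLE_MANIFEST):
        print("flag: requests SYSTEM_ALERT_WINDOW (overlay locker candidate)")
        for cmd in remediation_commands(pkg):
            print("  ", cmd)
```

The permission check is a triage signal, not a verdict: many legitimate apps request SYSTEM_ALERT_WINDOW, so the flag should send a sample to analysis rather than convict it. On current Android versions the user also has to grant "Display over other apps" for the window to appear at all, so the install path and social engineering around that prompt are worth recording in the case notes alongside the hash.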
Although XRansom itself isn't ransomware - it's a ransomware creation tool - XPhantom created a sample payload called "xphantom.apk," which is included herein. It was created for demonstration purposes, and it is the source of the second ransom note and sample hash.