
XiaoBa Ransomware

Posted: October 30, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 166
First Seen: October 30, 2017
Last Seen: May 2, 2022
OS(es) Affected: Windows

The XiaoBa Ransomware is a Chinese Trojan that locks the files on your PC with a combination of AES and RSA encryption. The Trojan also may display pop-ups demanding a ransom, change cosmetic features such as the Windows wallpaper, and disable some security and data-storage features. Most anti-malware programs should remove the XiaoBa Ransomware safely from your computer, and malware experts particularly recommend doing so preemptively, since this threat may cause irreparable data loss.

A Tour of Asia's Next File-Ransoming Problem

Trojans with features for harming data, withholding it from its owner, or turning it into profit by various methods are a universal security issue for virtually any PC user on any major operating system. The XiaoBa Ransomware is a late-October sample showing that China is just as vulnerable as regions like Brazil or North America, although its language settings suggest that the author is not necessarily Chinese. Flaws in its file-locking feature appear to be limited, and malware experts warn that any content the XiaoBa Ransomware blocks may be left in an unusable state indefinitely.

The XiaoBa Ransomware's payload includes some currency conversion errors and, unlike most China-based threats, uses Traditional Chinese rather than Simplified Chinese settings. These discrepancies stand out from the rest of the XiaoBa Ransomware's features, which are more standard attacks, such as:

  • The XiaoBa Ransomware blocks various kinds of data on the PC, such as text documents or images, by encoding them with an AES-128 algorithm, and then protects that key with a second, RSA-2048 algorithm so that the victim cannot retrieve it. While it locks your files, the XiaoBa Ransomware appends an extension that includes a number (up to 34) and the '.XiaoBa' string. 'XiaoBa' translates roughly to 'minibus.'
  • The XiaoBa Ransomware also suppresses boot-up error messages while installing itself, which can prevent Windows from alerting the user to the infection.
  • The Trojan also erases any local, Shadow Copy-based backups of the media that it blocks, thereby removing a default recovery option for victims who need to restore the locked content.
  • Malware experts also are seeing several formats of ransom notes displayed by the XiaoBa Ransomware, including elaborate Web pages, separate pop-ups, and a BMP image that the XiaoBa Ransomware sets as the desktop background.

The XiaoBa Ransomware demands Bitcoins in exchange for a decryption key to unlock the victim's media. Since the Trojan's messages provide erroneous currency data, the exact ransom amount remains questionable, although malware experts recommend that you not pay regardless.

Stepping Off the Bus to Bitcoin Poverty

Like the LockLock Ransomware and other China-based threats, the XiaoBa Ransomware does not appear to be conducting a carefully targeted campaign against victims such as corporate entities, who would be willing to make high payouts to recover entire servers' worth of data. Casual PC users are more likely to be at risk from this threat, which may damage documents, audio, spreadsheets, pictures, and other common-use file formats broadly. Keeping additional backups on drives that the XiaoBa Ransomware cannot reach is the primary recommended procedure for reducing this Trojan's danger to any local media.

The XiaoBa Ransomware may compromise a PC by posing as a safe e-mail attachment, circulating as a fake pirated download for a product (such as a triple-A video game), or riding on other threats, such as another threat actor's exploit kits. Having your anti-malware products scan new downloads to remove the XiaoBa Ransomware immediately, deactivating unsafe content like macros or JavaScript, and avoiding risky sites can mitigate most forms of exposure to file-locking Trojans.

The XiaoBa Ransomware's foibles don't include any definite issues with its data-locking feature, which uses a traditional, secure cryptography strategy. Whether or not the XiaoBa Ransomware ever smooths out its ransom rates or communication issues, it can be a real and long-term problem for most file types that users are likely to save on their computers.

Technical Details

Registry Modifications

The following Registry value is newly created:

HKEY..\..\..\..{RegistryKeys}Software\Microsoft\Windows\CurrentVersion\Run\XiaoBa
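A small triage helper, added here as an example and not code from the original write-up or from the threat itself, that checks a host for the two indicators this page describes: the appended extension from the attack list above (a number of up to 34 followed by '.XiaoBa') and the XiaoBa value under the Run key listed in the Technical Details. The filename layout `<original name>.<n>.XiaoBa`, the 1..34 range, and the `reg export` text format as the input for the Run-key check are assumptions made for this example; the hive is left unspecified because the page does not state it. All sample data is constructed.

```python
import re

# Indicator 1: the appended extension. The page says the tag is "a number (up to 34)"
# followed by '.XiaoBa'. The layout <original name>.<n>.XiaoBa and the 1..34 range
# are assumptions made for this example.
XIAOBA_EXT = re.compile(r"\.(\d{1,2})\.XiaoBa$", re.IGNORECASE)
MAX_TAG = 34


def xiaoba_tag(name):
    """Return the numeric tag if the filename carries the described extension, else None."""
    m = XIAOBA_EXT.search(name)
    if not m:
        return None
    tag = int(m.group(1))
    return tag if 1 <= tag <= MAX_TAG else None


def find_locked_files(names):
    """Return (filename, tag) for every name that matches the XiaoBa extension pattern."""
    found = []
    for n in names:
        tag = xiaoba_tag(n)
        if tag is not None:
            found.append((n, tag))
    return found


# Indicator 2: a value named 'XiaoBa' under ...\CurrentVersion\Run. This parses the
# text written by 'reg export' so the check can run offline on a dump taken from a host.
RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def find_run_persistence(reg_text, value_name="XiaoBa"):
    """Return (key, value name, data) for each Run-key value whose name matches."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = RUN_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if line.startswith("["):  # any other key (e.g. RunOnce) closes the Run section
            current_key = None
            continue
        if current_key:
            val = VALUE_RE.match(line)
            if val and val.group(1).lower() == value_name.lower():
                hits.append((current_key, val.group(1), val.group(2)))
    return hits


# Constructed sample data; none of it comes from a real infection.
SAMPLE_NAMES = [
    "budget.xlsx.7.XiaoBa",
    "photo.jpg.34.XiaoBa",
    "notes.txt",
    "archive.zip.35.XiaoBa",  # outside the stated 1..34 range
    "readme.XiaoBa",          # no numeric tag
]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"XiaoBa"="C:\\PLACEHOLDER_PATH\\sample.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"XiaoBa"="outside the Run key, must not be reported"
"""

if __name__ == "__main__":
    for name, tag in find_locked_files(SAMPLE_NAMES):
        print(f"locked file: {name} (tag {tag})")
    for key, name, data in find_run_persistence(SAMPLE_REG):
        print(f"persistence: {key}\\{name} = {data}")
```

On a live host, the same two functions can be pointed at a directory listing and at the output of `reg export` for the Run key; a hit on either indicator is a reason to isolate the machine and restore from offline backups rather than to trust the local Shadow Copies, which the page says the Trojan deletes.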
