What is XiaoBa ransomware? And how does it execute its malicious attack?

XiaoBa ransomware is a file-encrypting Trojan built to encrypt the important files on a targeted system. As its name suggests, this crypto-malware was created by Chinese cyber criminals, and it was first spotted in the last week of February 2018. According to analysis by security researchers, XiaoBa ransomware appears to be bundled with a Chinese ad-supported program, or adware, called FlyStudio. In other words, it is spread through an adware installer.
The moment XiaoBa ransomware enters a targeted machine, it will begin its search for certain file types to encrypt. It is set to encrypt files with the following extensions:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2
It encrypts the files using a combination of the RSA-2048 and AES-128 algorithms (both are named in the ransom note) and appends the [[email protected]].XiaBa extension to each encrypted file. Once encryption is finished, XiaoBa ransomware displays its ransom note, which is written in Chinese and reads (in translation):
“Ooops, your important files have been encrypted!
—— Important: encrypted ——
All of your files have been encrypted with the RSA-2048 and AES-128 algorithms.
Please do not try to crack them; if you fail, the files may be corrupted, which could damage them.
Only our decryption software can decrypt your files.
If you see this wallpaper but cannot see the “XiaoBa” window, then your antivirus software has deleted the decryption software, or you removed it from the computer yourself.
If you need your files, you must run the decryption software.
Please find the decryption software, or restore it from your antivirus software’s quarantine,
run the decryption software, and follow the instructions.
Please send about 1200 RMB (= $180.81) in Bitcoin to the specified address.
Bitcoin wallet: 1GoD72v5gDyWxgPuBph7zQwvR6bFZyZnrB
For more information, click _@Explanation@_.hta on the desktop.
E-mail: [email protected]”
The note shown here asks for about 1200 RMB (roughly $180) in Bitcoin; reported demands for this family range from about $38 up to $180 for the decryption software. Note that this ransomware also deletes the Volume Shadow Copies of your files, so recovering them through the Windows Previous Versions feature will not work (the Previous Versions tab of an encrypted file will be empty). Nonetheless, that does not mean you should buy the decryption software from the crooks. In fact, doing so would be unwise, since there is no guarantee that they will actually hand over the decryption software once they receive the payment.
How does XiaoBa spread its malicious payload?
As mentioned earlier, XiaoBa ransomware spreads through an ad-supported program called FlyStudio. Adware programs are distributed in software bundles, so be careful when installing these kinds of packages, as one may carry the malicious payload of XiaoBa ransomware. To keep ransomware Trojans and other malware at bay, make sure you always keep both your antivirus program and your system up to date.
Obliterate XiaoBa ransomware by using the removal guide below as a reference. Follow each step carefully for a successful removal of the crypto-malware.
Step 1: Close Xiaoba’s ransom note displayed on your screen.
Step 2: Launch the Task Manager by simply tapping Ctrl + Shift + Esc keys on your keyboard.
Step 3: In the Task Manager, go to the Processes tab and look for any suspicious-looking process that takes up most of your CPU’s resources and is most likely related to XiaoBa ransomware. Select it and click End task.

Step 4: After that, close the Task Manager.
Step 5: Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 6: Under the list of installed programs, look for XiaoBa ransomware or anything similar and then uninstall it.

Step 7: Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step 8: Navigate to the locations listed below and look for XiaoBa ransomware’s malicious components, such as _@XiaoBa@_.bmp, _@Explanation@_.hta, xiaoba.exe and pdf_20180118.exe, as well as any other suspicious files, then delete all of them.

  • %TEMP%
  • %WINDIR%\System32\Tasks
  • %APPDATA%\Microsoft\Windows\Templates\
  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop

Step 9: Close the File Explorer.
Before you proceed to the next steps, make sure you are comfortable working in the Windows Registry: deleting the wrong key can leave Windows unable to boot or sign in. Export a backup first (File > Export in the Registry Editor) so you can restore it if something goes wrong. If you would rather not edit the registry manually, you can use PC Cleaner Pro instead to save time. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 10: Tap Win + R to open Run, type regedit in the field and tap Enter to open the Registry Editor.

Step 11: Navigate to each of the following paths:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
  • HKEY_CURRENT_USER\Control Panel\Desktop (check the Wallpaper and ScreenSaveTimeOut values in this key)

Step 12: Delete only the values and sub-keys that XiaoBa ransomware created, for example a Run or RunOnce value that launches xiaoba.exe or pdf_20180118.exe from %TEMP% or another user-writable folder. Do not delete the Run, RunOnce, Desktop, Personalization or LogonUI keys themselves, because Windows and legitimate programs rely on them. Under HKEY_CURRENT_USER\Control Panel\Desktop, if the Wallpaper value points to the ransomware’s _@XiaoBa@_.bmp, change it back to a normal image rather than deleting the key.
Step 13: Close the Registry Editor and empty the Recycle Bin.
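As an added example (written for this page, not part of the original guide and not the malware’s own code), the PowerShell script below automates the checks behind Steps 8 to 12 from an elevated prompt. It looks in the listed folders for the component file names, counts files renamed with the .XiaBa extension, prints the Run and RunOnce autorun values and flags any that launch from user-writable folders or mention the malware’s file names, shows the wallpaper and lock-screen settings, lists scheduled tasks created in the last week (an added check, since %WINDIR%\System32\Tasks is one of the drop locations) and runs vssadmin list shadows to confirm whether the shadow copies survived. It only reports; it deletes nothing, so review the output before removing anything by hand. The suspicious-path pattern and the seven-day task window are assumptions chosen for this example, and the .hta file name is taken from the ransom note.

```powershell
# Added triage script: read-only checks for the XiaoBa artifacts named in the guide.
# Run from an elevated PowerShell prompt. Nothing is deleted or modified.

# Component names listed in the guide (the .hta name as given in the ransom note).
$iocNames = @('_@XiaoBa@_.bmp', '_@Explanation@_.hta', 'xiaoba.exe', 'pdf_20180118.exe')

# Drop locations listed in Step 8.
$dirs = @(
    $env:TEMP,
    "$env:WINDIR\System32\Tasks",
    "$env:APPDATA\Microsoft\Windows\Templates",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop"
)

Write-Host "== Files matching known XiaoBa component names =="
foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    Get-ChildItem -LiteralPath $d -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $iocNames -contains $_.Name } |
        ForEach-Object { "{0}  {1} bytes  {2:u}" -f $_.FullName, $_.Length, $_.LastWriteTime }
}

Write-Host "`n== Files renamed with the .XiaBa extension under the user profile =="
$encrypted = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*.XiaBa' }
"{0} encrypted file(s) found" -f @($encrypted).Count
$encrypted | Select-Object -First 20 -ExpandProperty FullName

Write-Host "`n== Autorun values (Run / RunOnce) =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        # Assumed heuristic: flag commands that run from user-writable folders or name the malware's files.
        $suspicious = ($p.Value -match 'xiaoba|pdf_20180118|\\Temp\\|\\AppData\\|\\Downloads\\|\\Desktop\\')
        "{0}  {1} = {2}{3}" -f $k, $p.Name, $p.Value, $(if ($suspicious) { '   <-- review' } else { '' })
    }
}

Write-Host "`n== Wallpaper / lock-screen settings the ransom note may have changed =="
Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper, ScreenSaveTimeOut -ErrorAction SilentlyContinue |
    Select-Object Wallpaper, ScreenSaveTimeOut
foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background') {
    if (Test-Path $k) { Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS* }
}

Write-Host "`n== Scheduled tasks registered in the last 7 days (assumed window) =="
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-7) } |
    Select-Object TaskName, TaskPath, Date,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

Write-Host "`n== Volume Shadow Copies (an empty list is consistent with the ransomware having deleted them) =="
vssadmin list shadows
```

A Run value marked "<-- review" that points at xiaoba.exe or pdf_20180118.exe in %TEMP% is the value to delete in Step 12; a Wallpaper value pointing at _@XiaoBa@_.bmp is the one to change back. If vssadmin prints no shadow copies, do not expect Previous Versions to recover anything, and work from offline backups instead.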
It is important to make sure that nothing is left behind and that XiaoBa ransomware is completely wiped out from your system. To do that, use the following antivirus program.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

  1. Turn on your computer. If it is already on, restart it.
  2. As soon as the BIOS screen appears (before the Windows logo), press F8 repeatedly until the Advanced Boot Options menu shows up. If Windows starts normally instead, restart the computer and try again. On Windows 8 and later, F8 is disabled by default; instead hold Shift while clicking Restart, then choose Troubleshoot > Advanced options > Startup Settings > Restart and press 5 for Safe Mode with Networking.
  3. Use the arrow keys to move through the Advanced Boot Options, select Safe Mode with Networking and hit Enter.
  4. Windows will now load Safe Mode with Networking.
  5. Press and hold the Windows key and tap R. If done correctly, the Run box will show up.
  6. Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (with a single space between explorer and http) and click OK.
  7. Internet Explorer will display a dialog box. Click Run to begin downloading the program. Installation starts automatically once the download is done.
  8. Click OK to launch it.
  9. Run SpyRemover Pro and perform a full system scan.
  10. After all the infections have been identified, click REMOVE ALL.
  11. Register the program to protect your computer from future threats.

Copyright © 2024, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: FixMyPcFree.com is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only.
