NMoreira, also known as XRatTeam or XPan, is a file encrypting ransomware. It uses a mix of RSA and AES-256 to encrypt your files. Encrypted files have either the extension *.maktub or *.__AiraCropEncrypted!. In addition, the ransomware will create one of the following ransom notes.
Portugese version used by the *.maktub variant using the file name "Recupere seus arquivos. Leia-me!.txt":
Olá, seus arquivos foram criptografados.
Caso haja interesse em recuperar seus arquivos, entre em contato pelo seguinte email: [email protected]
A única forma de tê-los de volta, é atraves de um software juntamente com sua chave privada.
No campo do email, me envie sua chave pública que está logo abaixo.
Te responderei o mais rápido possível e lhe darei a garantia de recuperação dos arquivos.
Chave pública: CC638AF6DE4D9B9998E74D00252862E512277575BA644D28D9320952F2C2193A
English version used by the *.__AiraCropEncrypted! variant using the file name "How to decrypt your files.txt":
All your files are encrypted. Using encryption AES256-bit and RSA-2048-bit.
Making it impossible to recover the files without the correct private key.
If you are interested in getting is key, and retrieve your files
For information on how to reverse the file encryption
send email to:
enter your KEY in the subject or email body.
Remember your email is not answered within 24 hours,
visit one of the link below to get a new mail contact
To access the alternate link is mandatory to use the TOR browser available on the link
Keep in mind that due to the complexity of the used encryption scheme, decrypting files can be very time-consuming. In addition, due to the fact that the ransomware doesn't leave anything behind, that would allow verification that the file was decrypted properly, the decrypter tries to guess whether or not the file has been decrypted properly. This guessing process can be prone to error and may not work correctly. It also means, that if the decrypter does not know the file format, it will also be unable to decrypt it reliably. At the moment the decrypter supports over 3000 different binary file formats, but especially text-based formats, that lack a unique identifier in the first 16 bytes of the file, will not be recognised.