TeamXRat ransomware | Know What Is It And How Affects On Your PC

‹TeamXRat ransomware

TeamXRat ransomware Description :

TeamXRat ransomware is a newly detected Brazilian Ransomware by the malware researchers and security experts which also known as Trojan-Ransom.Win32.Xpan. This ransomware is mainly targeted the hospitals and business in Brazil. First of all cyber hacker detected this ransomware as CorporacaoXEAT which uses XOR encryption. It mainly targets computers and servers that executing Remote Desktop Services and attempt to use brute force passwords to gain the access of user PC. Once they gain access, they automatically install this ransomware on your PC and encrypts your all stored data.

After intruding into the PC, it encrypts files by appending _xratteamLucked extension at the end of filenames. Then after it leaves created a ransom note called Como descriptografar os seus arquivos.txt. The ransom text of this ransomware is written in Portuguese which contains some unknown and strange characteristics. Example of this ransom note is as follows :

With the ransom note, you will noticed that your desktop wallpaper also changes and look like this :

It ask user to email the developers of this ransomware to get the payment instructions where develops ask to pay about 1 bitcoin ransom payment. The email ID which used by the developer of this ransomware are [email protected] and [email protected]

More Details of TeamXRat ransomware

The identified sample of this ransomware and text message is written in C++ language and uses the STL format. The binary built it as a console applications. It uses AES-256 encryption algorithm in CBC mode. It has two versions that can be distinguished by observing file extensions.

  1. Version 1 – Version 1 uses 3’_’ symbols into the file extensions and generates 255 symbol password for affecting all stored files. The password is mainly encrypted with RSA-2048 algorithm and placed in the ransom note by using CryptDeriveKey API. It adds the “NMoreira” string at the beginning of the original file and encrypts it.
  2. Version 2 – Version 2 uses 4’_’ symbols into the each file extension and also generate 255-symbol password for affecting the each file. It also encrypt the original content of files and makes them inaccessible.

Distribution Method of TeamXRat ransomware

TeamXRat ransomware usually insert into the user PC manually by adding binaries on the compromised servers. It is done by performing Remote Desktop Protocol (RDP) brute force. There are lots of System vulnerabilities that can be exploited in this protocol. This protocol allow remote hackers to craft the series of malicious packages to targeted the user PC. Along with it it can spread over your PC by using several illegal means. So you should be very careful while doing any online work or performing activities.

Harmful Effects of TeamXRat ransomware

  1. Add some weird and unknown extensions at the end of the System files.
  2. Locks your all System files or folders and makes them inaccessible.
  3. TeamXRat ransomware can alters your all System and browser settings without your approval.
  4. Create a System loopholes to exploits your vulnerabilities.
  5. Injects lots of malicious infection by opens up the System backdoor.

Free Scan your Windows PC to detect TeamXRat ransomware


Remove TeamXRat ransomware From Your PC

Step 1: Remove TeamXRat ransomware in Safe Mode with Command Prompt

  • First of all disconnect your PC with network connection.
  • Click restart button and keep pressing F8 key regularly while system restart.


  • You will see “Windows Advanced Options Menu” on your computer screen.

Windows Advanced Options Menu

  • Select “Safe Mode with Command Prompt” and press Enter key.

safe mode with command promt

  • You must login your computer with Administrator account for full privilege.


  • Once the Command Prompt appears then type rstrui.exe and press Enter


  • Now follow the prompts on your screen to complete system restore.

Step 2: Remove TeamXRat ransomware using MSConfig in Safe Mode:

  • Power off your computer and restart again.
  • While booting press the “F8 key” continuously to open “Windows Advanced Options Menu”.


  • Use the arrow keys to select “Safe Mode” option and press Enter key.

Safe mode

  • Once system get started go to Start menu. Type “msconfig” in the search box and launch the application.


  • Go to the Startup tab and look for files from %AppData% or %Temp% folders using rundll32.exe. See an example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

  • Disable all the malicious entries and save the changes.
  • Now restart your computer normally.

Step 3 : Kill Malicious Process Related To TeamXRat ransomware

  • Press Alt+Ctrl+Del buttons together.


  • It will open the Task manager on your screen.
  • Go to Process Tab and find TeamXRat ransomware related process.
  • Click the End Process Now button to stop the running process.

Step 4 : Remove TeamXRat ransomware Virus From Registry Entry

  • Press “Windows + R” key together to open Run Box.


  • Type “regedit” and click OK button.


  • Find and remove TeamXRat ransomware related entries.












Now hopefully you have completely removed the TeamXRat ransomware virus from your computer. If you are still get ransom message from the threat or unable to access your files, then it means that virus still remain into your computer. In such situation you don’t have any other option except removing this virus using any powerful malware removal tool.

Whereas if you have any backup of your infected or encrypted files, then you can also reinstall your Windows OS. This will erase all your files and data as along with the TeamXRat ransomware infection. You will get a completely empty computer system with no files. Now you can use your backup to get your files. If you don’t have any backup then using malware removal tool is a better option for you.


If you have any query or question regarding your computer, then you can easily ask your problem to our experts. Go to the Ask Any Question page and get the answer for your query directly from out experts.