Xiaoba Ransomware

What is Xiaoba Ransomware?

Xiaoba Ransomware is a file-encrypting threat most likely created by Chinese hackers. Same as any other ransomware application, the program locks data that has value to the user and offers a decryption tool for a specific price to unlock it. The malware’s creators might promise to send the decryption tool soon after the victim makes the payment and contacts them, but in reality, there is not knowing whether they will actually deliver it. Therefore, those who consider such an option should think about it carefully. If you have not decided it yet, we invite you to read the rest of our report and get to know Xiaoba Ransomware better. Should you choose to remove it, we advise you to read the last paragraph carefully and take a look at the deletion instructions available just a bit below the article.

Where does Xiaoba Ransomware come from?

Xiaoba Ransomware could appear on the system after opening a harmful file you could have downloaded from the Internet. Naturally, one way to avoid such situations in the future is to keep away from untrustworthy web pages that might distribute infected installers, fake updates, and so on. Another way to guard the computer against different malicious applications and not just ransomware is to keep a legitimate antimalware tool installed. However, users should not forget to update such software whenever it is possible, because if the application gets outdated, it may not be able to protect the system properly since it can be unaware of newest threats. Thus, if you are considering getting an antimalware tool; make sure you keep it updated and active.

How does Xiaoba Ransomware work?

Firstly, Xiaoba Ransomware should lock targeted files, such as pictures, photographs, archives, etc. This data can be easily recognized from its extension because all encrypted files should have a new extension called .XiaoBa{random number from 1 to 10} (e.g., text_document.XiaoBa5). Afterward, the malicious application may change user’s Desktop wallpaper with an image providing a text that explains how to pay the malware’s creators in order to get a decryption key. Similar ransom notes might be displayed through _@Explanation@_.hta and the infection’s pop-up window you should be able to see as soon as the threat finishes encrypting your files. The malware’s window even allows picking Chinese Simplified, Chinese Traditional, or English languages. For example, the English ransom note’s version starts with “Ooops, your important files have been encrypted!” and continues explaining how to pay the ransom. Unfortunately, there is a chance you may not get the decryption key even if you do what the ransom note says. The malicious application’s developers might simply not bother to deliver it, start asking for more money, and so on.

How to erase Xiaoba Ransomware?

As promised earlier you can find instructions showing how to remove Xiaoba Ransomware manually. What’s more, we should warn users this task could be quite complicated, and if you are not sure you could handle the provided steps, it would be advisable to use a legitimate antimalware tool instead. All you would need to do is install a legitimate security tool, perform a full system scan with it and then eliminate all detected threats including the malicious application at the same time by clicking the provided deletion button.

Get rid of Xiaoba Ransomware

1. Tap Ctrl+Alt+Delete.
2. Launch Task Manager and go to Processes.
3. Search for a process related to the malicious application.
4. Mark the suspicious process and click End Task.
5. Close the Task Manager.
6. Press Win+R.
7. Insert Regedit and select Yes.
8. Locate this specific directory: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
9. Search for a value name titled XiaoBa, right-click it and press Delete.
10. Get to this directory: HKEY_CURRENT_USER\Control Panel\Desktop
11. Look for a value name titled Wallpaper, right-click it and select Modify.
12. Change its value data (C:\Windows\*.bmp) and select OK.
13. Leave Registry Editor.
14. Press Win+E.
15. Navigate to these directories:
    %USERPROFILE%Desktop
    %USERPROFILE%Downloads
    %TEMP%
16. Locate the infection’s installer, then right-click the suspicious file and press Delete.
17. Search for these directories:
    %USERPROFILE%\Desktop
    %HOMEDRIVE%
18. Locate files titled _@Explanation@_.hta and _@XiaoBa@_.bmp, right-click them and choose Delete.
19. Get to the %TEMP% directory.
20. Search for the following files:
    Chinese Simplified.txt
    Chinese Chinese Traditional.txt
    English.txt
21. Right-click these files one by one and pick Delete.
22. Get to this path: %WINDIR%
23. Search for a picture related to the malware (*.bmp), right-click it and press Delete.
24. Exit File Explorer.
25. Empty your Recycle bin
26. Restart the computer. Download Removal Tool100% FREE spyware scan and
    tested removal of Xiaoba Ransomware*