Table of Contents
    Home / Definitions / XiaoBa Ransomware
    Security 4 min read

    XiaoBa is a type of file-encrypting ransomware that runs on Windows and encodes victims’ files using RSA and AES algorithms. After successfully encoding the files, the virus appends filenames with the extensions .XiaoBa1 to .XiaoBa34. Victims cannot open the encrypted files due to the appended file extensions, and they need to pay a ransom to get their files decrypted. 

    What Is XiaoBa Ransomware?

    XiaoBa ransomware originated in 2017 and was first discovered by MalwareHunter Team. It’s mainly distributed through spam emails, fake updates, and more. Cybercriminals released four different versions of XiaoBa ransomware:


    The first version, named XiaoBa, was released in October 2017. It’s distributed via spam emails and attachments. When a user opens the attachment, the virus gets downloaded and executed. Following the encryption, XiaoBa creates two files: .hta and .bmp. These files contain pop-up messages that demand a ransom to decrypt the files.


    FlyStudio is a variant of XiaoBa that was released one month later in November 2017. Although it’s not as dangerous as WannaCry ransomware, FlyStudio can delete Shadow Volume Copies and disable the system’s repair function. FlyStudio victims are asked to pay a ransom in BTC to decrypt the files.

    .Encrypted[[email protected]]XiaBa

    This version of XiaoBa was released at the end of February 2018. In .Encrypted[[email protected]]XiaBa, the virus appends the encrypted files with its extension and creates a pop-up window of the .hta file that demands a ransom for decrypting files.

    .[[email protected]].china

    The latest variant was released in early May 2018. The virus is similar to all other variants of XiaoBa except that it includes the country name, China, in its file extension. 

    Who Is Impacted by the Attack?

    The first two variants of XiaoBa mainly targeted Chinese users, whereas the last two versions expanded the target base to Japanese-speaking and English-speaking users. Although it has not been distributed through a mass campaign, XiaoBa ransomware attacks continue into the present day.

    How Do XiaoBa Attacks Work?

    XiaoBa ransomware infiltrates systems through spam emails, fake updates, torrent websites, malicious ads, and infected installers. All these methods are designed to trick users into downloading and installing the virus. After successful installation, XiaoBa encrypts all the executable files using strong RSA and AES algorithms and appends them with the extensions .XiaoBa1 to .XiaoBa34, .Encrypted[[email protected]].XiaBa, and .[[email protected]].china. 

    Victims are not able to open the encrypted files unless they make the requested ransom payment that shows up in the pop-up from attackers.

    How Should Victims Respond to XiaoBa Attacks?

    Victims infected by XiaoBa ransomware are guided to remove the virus from their system as soon as possible instead of following the hackers’ instructions. Rebooting the system may help to get rid of the virus entirely, and launching security tools like Intego and Malwarebytes can help to prevent further attacks. XiaoBa victims should try to retrieve their encrypted files either from the backup or wait for the release of XiaoBa decryption tools.

    How Can Users Prevent Xiaoba-Like Attacks?

    To prevent ransomware attacks like XiaoBa, users should be vigilant and follow these essential steps:

    Looking for a solution to prevent ransomware attacks? Learn about the Top Web Application Firewalls here.