XiaoBa Ransomware

XiaoBa is a type of file-encrypting ransomware that runs on Windows and encodes victims’ files using RSA and AES algorithms. After successfully encoding the files, the virus appends filenames with the extensions .XiaoBa1 to .XiaoBa34. Victims cannot open the encrypted files due to the appended file extensions, and they need to pay a ransom to get their files decrypted. 

What Is XiaoBa Ransomware?

XiaoBa ransomware originated in 2017 and was first discovered by MalwareHunter Team. It’s mainly distributed through spam emails, fake updates, and more. Cybercriminals released four different versions of XiaoBa ransomware:


The first version, named XiaoBa, was released in October 2017. It’s distributed via spam emails and attachments. When a user opens the attachment, the virus gets downloaded and executed. Following the encryption, XiaoBa creates two files: .hta and .bmp. These files contain pop-up messages that demand a ransom to decrypt the files.


FlyStudio is a variant of XiaoBa that was released one month later in November 2017. Although it’s not as dangerous as WannaCry ransomware, FlyStudio can delete Shadow Volume Copies and disable the system’s repair function. FlyStudio victims are asked to pay a ransom in BTC to decrypt the files.

.Encrypted[[email protected]]XiaBa

This version of XiaoBa was released at the end of February 2018. In .Encrypted[[email protected]]XiaBa, the virus appends the encrypted files with its extension and creates a pop-up window of the .hta file that demands a ransom for decrypting files.

.[[email protected]].china

The latest variant was released in early May 2018. The virus is similar to all other variants of XiaoBa except that it includes the country name, China, in its file extension. 

Who Is Impacted by the Attack?

The first two variants of XiaoBa mainly targeted Chinese users, whereas the last two versions expanded the target base to Japanese-speaking and English-speaking users. Although it has not been distributed through a mass campaign, XiaoBa ransomware attacks continue into the present day.

How Do XiaoBa Attacks Work?

XiaoBa ransomware infiltrates systems through spam emails, fake updates, torrent websites, malicious ads, and infected installers. All these methods are designed to trick users into downloading and installing the virus. After successful installation, XiaoBa encrypts all the executable files using strong RSA and AES algorithms and appends them with the extensions .XiaoBa1 to .XiaoBa34, .Encrypted[[email protected]].XiaBa, and .[[email protected]].china. 

Victims are not able to open the encrypted files unless they make the requested ransom payment that shows up in the pop-up from attackers.

How Should Victims Respond to XiaoBa Attacks?

Victims infected by XiaoBa ransomware are guided to remove the virus from their system as soon as possible instead of following the hackers’ instructions. Rebooting the system may help to get rid of the virus entirely, and launching security tools like Intego and Malwarebytes can help to prevent further attacks. XiaoBa victims should try to retrieve their encrypted files either from the backup or wait for the release of XiaoBa decryption tools.

How Can Users Prevent Xiaoba-Like Attacks?

To prevent ransomware attacks like XiaoBa, users should be vigilant and follow these essential steps:

Looking for a solution to prevent ransomware attacks? Learn about the Top Web Application Firewalls here.

Siji Roy
Siji Roy
Siji Roy specializes in technology, finance, and content marketing. She helps organizations to communicate with their target audience. She received her Master’s degree in Communication and Journalism from the University of Calicut, India. She is fortunate to be married to a lovely person and blessed with three naughty boys.
Get the Free Newsletter
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.

Related Articles

REvil Ransomware

REvil was a Ransomware-as-a-service (RaaS) ransomware attack that affected a number of larger corporations and famous individuals. Read this article to learn more about...


WannaCry was one of the most damaging malware attacks in history. On Friday, May 12, 2017, WannaCry ransomware infected computers all around the world,...

Ryuk Ransomware

The Ryuk ransomware is a strain of malware that attempts to infect and encrypt victims’ files, rendering them inaccessible to the original user. Ryuk ransomware...

AdamLocker Ransomware

AdamLocker ransomware, or RW.adm_64, is a screen-locking virus designed to prevent access to a computer system and rename the files in the infected system...


ScalaHosting is a leading managed hosting provider that offers secure, scalable, and affordable...


Human resources information system (HRIS) solutions help businesses manage multiple facets of their...

Best Managed Service Providers...

In today's business world, managed services are more critical than ever. They can...