XiaoBa Ransomware
XiaoBa is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on October 1, 2017, this ransomware has been actively targeting systems worldwide.
Quick Facts
- Ransomware Family: XiaoBa
- First Seen: October 1, 2017
How XiaoBa Ransomware Works
Targeted Files
Sandbox analysis (ANY.RUN task): https://app.any.run/tasks/be175d21-80b1-4e1c-bda0-0e6bfa9b2c78/
File Encryption Patterns
XiaoBa marks the files it has encrypted by appending one of the following extensions to the original file name:
- .Encrypted[BaYuCheng@yeah.net].XiaBa
- .[BaYuCheng@yeah.net].china
- .AdolfHitler
- .XiaoBa followed by one or two digits (regular expression: /\.XiaoBa[0-9]{1,2}$/)
Ransom Note and Payment Demands
After encrypting files, XiaoBa displays ransom notes demanding payment for file recovery. Each entry below gives the note file name where known, the stored ransom message (notes/...), and where the note is placed:
- Note file: _XiaoBa_Info_.hta
- Note file: _@Explanation@_.hta (ransom message: notes/_@Explanation@_.hta)
- Ransom message: notes/_@XiaoBa@_.png (note location: Desktop)
- Ransom message: notes/_XiaoBa_.png (note location: Desktop)
- Ransom message: notes/# # DECRYPT MY FILE # #.png (note location: Desktop)
- Note file: ReadMe.hta (ransom message: notes/ReadMe.hta; note locations: RootDiscs, Desktop)
- Note file: _Help_.hta (ransom message: notes/_Help_.hta; note locations: RootDiscs, Desktop)
- Ransom message: notes/note.txt (note location: OnceOnCompletion)
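As an added example (not code from the Elastio page or its database), the following Python check applies the extension markers from File Encryption Patterns and the ransom note file names listed above to a constructed list of Windows paths, the way a backup or file-share scan might flag XiaoBa activity; the sample paths and the rule that note.txt only counts alongside marked files are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Extension markers listed on this page (exact-suffix matches).
XIAOBA_SUFFIXES = (
    ".Encrypted[BaYuCheng@yeah.net].XiaBa",
    ".[BaYuCheng@yeah.net].china",
    ".AdolfHitler",
)
# Numbered variant from the page: ".XiaoBa" plus one or two digits at the end of the name.
XIAOBA_NUMBERED = re.compile(r"\.XiaoBa[0-9]{1,2}$")
# Ransom note file names listed on this page.
XIAOBA_NOTE_NAMES = frozenset({
    "_XiaoBa_Info_.hta", "_@Explanation@_.hta", "ReadMe.hta", "_Help_.hta",
    "_@XiaoBa@_.png", "_XiaoBa_.png", "# # DECRYPT MY FILE # #.png", "note.txt",
})

def classify(path):
    """Return 'note', 'encrypted' or None for one Windows file path."""
    name = PureWindowsPath(path).name
    if name in XIAOBA_NOTE_NAMES:
        return "note"
    if name.endswith(XIAOBA_SUFFIXES) or XIAOBA_NUMBERED.search(name):
        return "encrypted"
    return None

def scan(paths):
    """Group matching paths by indicator type; clean paths are dropped."""
    hits = {"encrypted": [], "note": []}
    for p in paths:
        kind = classify(p)
        if kind:
            hits[kind].append(p)
    # "note.txt" is too generic to stand alone (assumption): keep it only when marked files were also found.
    if not hits["encrypted"]:
        hits["note"] = [p for p in hits["note"] if PureWindowsPath(p).name != "note.txt"]
    return hits

# Constructed sample listing (hypothetical paths, not from any real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.Encrypted[BaYuCheng@yeah.net].XiaBa",
    r"C:\Users\alice\Pictures\holiday.jpg.XiaoBa7",
    r"C:\Users\alice\Desktop\_Help_.hta",
    r"C:\Users\alice\Desktop\report.docx",
    r"C:\shared\archive.XiaoBa123",  # three digits: outside the documented pattern
]

if __name__ == "__main__":
    print(scan(SAMPLE_PATHS))
```

The suffix and regex matches are case-sensitive, as the page lists them; on a case-insensitive Windows volume a scan may want to lower-case names first.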
Technical Indicators
Associated Executable Files
The following executable files are associated with XiaoBa ransomware:
- 1.exe
- xiaoba.exe
- Screenlocker.exe
- #FlyStudio #ransomware
- XiaoBa.exe
- Game installer.exe
- 病名は愛だつた病毒.exe
- 病名は愛だった.exe
- ϐۤä.exe
- XiaoBa ransomware
- pdf_20180118.exe
- New Folder.exe
- xiaozhan-hu.exe
- XiaoZhan-HU.exe
- XiaoZhan-HU.bat
- xIsZtPeYtR.exe
- Uninstaller 29.0
- FlashUtil.exe
- install_flash_player.exe
- sample.exe
About This Analysis
This XiaoBa ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like XiaoBa.
Last updated: July 30, 2025