Cyber_Baba Virus Remove and Restore .XTBL Files

A crypto-virus, known by the contact e-mail [email protected] and listed as a CRYPAURA variant in TrendMicro’s threat encyclopedia, has been reported to have a high level of infections. The virus encrypts the files of infected users, making them no longer openable. After the encryption process is complete, Cyber_Baba also performs several other activities on the compromised machine. One of those is to drop a ransom note notifying users that their computer has been infected and demanding a ransom payment to decrypt the files.

Threat Summary

Name: Cyber_Baba
Type: Ransomware
Short Description: The malware encrypts users’ files using a strong encryption algorithm, making direct decryption possible only with a unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and “instructions” as a wallpaper, a text file and a sound message, all linking to a web page and a decryptor. File names are changed and the file extension typical of most .XTBL variants is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated form.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only some of them, depending on the situation and whether or not you have reformatted your drive.

Cyber_Baba Virus – Distribution

Malware researchers report that the virus is dropped as a result of an infection by other malware, a Trojan.Downloader for instance. In addition, the Cyber_Baba virus may also be hosted on suspicious URLs that cause an infection via a drive-by download without the user noticing.

Cyber_Baba Ransomware In Detail

As soon as it has infected a machine, the Cyber_Baba virus’s payload may be dropped as a .exe file in the following location:

%System%\{cyber_baba’s malicious payload}.exe

%System% is the default Windows system folder, located under C:\Windows\. This folder is essential to Windows, and the ransomware places its primary file there as a concealment measure.

Then, the virus also drops ransom note files in the following locations:

C:\Users\{User’s Profile}\My Documents\wp.jpg
C:\Users\{User’s Profile}\Desktop\How to decrypt your files.txt

The Cyber_Baba virus also modifies the Run registry key to make its malicious executable run on system startup. But this is not all. The virus also changes the wallpaper by modifying the Wallpaper value of the Desktop key. Here are the modifications performed by Cyber_Baba ransomware:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    {Cyber_Baba’s Payload file} = “%System%\{Cyber_Baba’s Payload file}.exe”

HKEY_CURRENT_USER\Control Panel\Desktop
    Wallpaper = “%My Documents%\wp.jpg”


After this has been done, the wallpaper is replaced with an image carrying the following message:

“HELLO MY FRIEND
ALL YOUR DATA HAS BEEN CRYPTED
YOU SERVER HAS A SECURITY PROBLEM
TO GET YOUR DATA BACK AND PROTECT YOUR SYSTEM WRITE TO:
{CONTACTS}”

In addition to this, the Cyber_Baba ransomware also connects remotely to .cc domains with random names and sends information such as the installed security software, the system name, the user name, the OS version and more.

When it begins to encrypt files, the Cyber_Baba virus looks for a very wide variety of file extensions to encrypt.

File Extensions Encrypted by Cyber_Baba

The Cyber_Baba ransomware may use a strong AES encryption algorithm to encrypt the files of affected users. Files encrypted by this ransomware are also reported to carry the .xtbl extension, the usual one for most .XTBL ransomware variants.


In addition to this, the virus also deletes the Volume Shadow Copies of the affected computer, removing the built-in restore points, by running the following command, which requires administrative privileges, in the Windows Command Prompt:

    vssadmin delete shadows /all /quiet
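The registry changes, dropped files and shadow-copy deletion described above are all observable from endpoint telemetry. As an added example that is not code from this article or from SensorsTechForum, the following Python applies one rule per indicator to constructed Sysmon-style events; the event field names, the placeholder payload name, the sample System32 allowlist and the paths of the constructed events are assumptions, and the shadow-copy rule goes beyond the page by also matching the equivalent `wmic shadowcopy delete` command.

```python
import re

# Registry paths quoted in the article, lower-cased for matching (HKLM Run key, HKCU wallpaper).
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
WALLPAPER_VALUE = "\\control panel\\desktop\\wallpaper"
RANSOM_NOTE = "how to decrypt your files.txt"
# Beyond the page: also match the equivalent `wmic shadowcopy delete` command.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
SYSTEM32_ALLOWLIST = {"securityhealthsystray.exe"}  # example allowlist of legitimate System32 autostarts

def check_event(ev):
    """Return the rule names a Sysmon-style event dict triggers (empty list = clean)."""
    hits, eid = [], ev.get("EventID")
    if eid == 13:  # registry value set
        target, details = ev.get("TargetObject", "").lower(), ev.get("Details", "").lower()
        exe = re.search(r"\\system32\\([^\\]+\.exe)", details)
        # Article: payload dropped to %System% and registered under the Run key.
        if RUN_KEY in target and exe and exe.group(1) not in SYSTEM32_ALLOWLIST:
            hits.append("run_key_points_into_system32")
        # Article: wallpaper replaced with the ransom image %My Documents%\wp.jpg.
        if target.endswith(WALLPAPER_VALUE) and details.endswith("\\wp.jpg"):
            hits.append("wallpaper_set_to_wp_jpg")
    elif eid == 11:  # file create
        name = ev.get("TargetFilename", "").lower()
        if name.endswith(".xtbl"):
            hits.append("xtbl_extension_created")
        if name.endswith("\\" + RANSOM_NOTE):
            hits.append("ransom_note_dropped")
    elif eid == 1 and SHADOW_DELETE.search(ev.get("CommandLine", "")):  # process create
        hits.append("shadow_copy_deletion")
    return hits

def triage(events):
    """Sorted distinct rules fired over a batch; several firing together is the strong signal."""
    return sorted({rule for ev in events for rule in check_event(ev)})

# Constructed sample telemetry mirroring the article's indicators ("payload" is a placeholder name).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": RUN + r"\payload", "Details": r"C:\Windows\System32\payload.exe"},
    {"EventID": 13, "TargetObject": RUN + r"\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},  # benign Windows entry, allowlisted
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\victim\Documents\wp.jpg"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\Desktop\How to decrypt your files.txt"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\Documents\report.docx.xtbl"},
    {"EventID": 1, "CommandLine": "vssadmin delete shadows /all /quiet"},
]
```

Running `triage(SAMPLE_EVENTS)` fires all five rules on the constructed sample while the benign SecurityHealth autostart stays silent.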

Cyber_Baba Virus – Conclusion, Remove it and Restore the XTBL Files

This virus is believed to be one of the many .XTBL ransomware variants. Researchers believe these form a huge network of virus variants that is most likely used in a big RaaS (Ransomware as a Service) scheme, allowing each operator to create his own version of the ransomware. Other viruses from the Cyber_Baba family are the following:

Radxlove7 Ransomware.
SystemDown Ransomware.
Makdonalds Ransomware.
Meldonii Ransomware.
Grand_car Ransomware.
DrugVokrug727 Ransomware.
Veracrypt Ransomware.
Da_Vinci_Code Ransomware.
Better_Call_Saul Ransomware.

To remove this virus from your computer, we strongly advise you to follow the removal instructions below, which were created for the deletion of Cyber_Baba ransomware. The best method to get rid of Cyber_Baba is to use advanced anti-malware software, because such software may discover any other files related to this malware and delete them, while also protecting you from other malware.

If you are looking for methods to restore your encrypted files, unfortunately there is no direct decryption unless you pay the ransom. However, researchers advise against paying, because a decryptor may be released for this virus in the future and paying is no guarantee that you will get your files back. In the meantime, we have provided several alternative solutions that may help you recover the files. These methods are illustrated in step “3. Restore files encrypted by Cyber_Baba” below. They may not be 100% effective, but they may work in some particular situations.

Manually delete Cyber_Baba from your computer

Note! Manual removal of Cyber_Baba requires changes to system files and the registry and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cyber_Baba files and objects
2. Find malicious files created by Cyber_Baba on your PC
3. Fix registry entries created by Cyber_Baba on your PC

Automatically remove Cyber_Baba by downloading an advanced anti-malware program

1. Remove Cyber_Baba with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Cyber_Baba in the future
3. Restore files encrypted by Cyber_Baba


Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
