
Remove a_princ@aol.com Virus. Decrypt .xtbl Files


A_princ@aol.com is the name of this particular ransomware crypto-virus, because it uses that email address in its ransom message. Lots of viruses from the Troldesh/Shade ransomware family have been seen in the past couple of days. This virus will put a picture with instructions on your desktop once it finishes encrypting files. The ransomware will lock files, placing a long extension ending in .xtbl behind their original one. The virus does not give a set price for decryption but leaves a contact email only. To remove the ransomware and find out how you could restore your files, you should read the whole article.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encrypted by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found at the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary

Name: a_princ@aol.com
Type: Ransomware, Crypto-Virus
Short Description: The ransomware encrypts files with an extension ending in a_princ@aol.com.xtbl and leaves an email address as a contact for the supposed decryption of the files.
Symptoms: The ransomware will place a new picture on your desktop with instructions that point to an email address as a contact.
Distribution Method: Spam Emails, Email Attachments, Executable Files
Detection Tool: See If Your System Has Been Affected by a_princ@aol.com (Malware Removal Tool)
User Experience: Join Our Forum to Discuss a_princ@aol.com.

A_princ@aol.com Virus – Distribution Tactics

The a_princ@aol.com ransomware may have several distribution tactics. Targeted attacks and spam email campaigns are certainly among the main ones. Spam emails usually contain a short message claiming that the main content, or something important, is in the file attached to the letter. The attachment in question could seem ordinary, but if you open it, the file will release the payload of the ransomware and infect your computer. Be on high alert while browsing through emails which seem suspicious, especially if they have attachments or download links.

Social media sites and file-sharing services are another possible distribution channel for the a_princ@aol.com virus. The script with the payload could be inside executables or batch files presented as useful utilities on the above-mentioned networks. Good advice to follow, so that you might prevent ransomware from infecting your PC, is to avoid emails, files or links which seem suspicious or of unknown origin. Also, before opening any files, check their signatures and sizes and, if possible, scan them with security software. You can find more tips about preventing ransomware infections in the topic in our forum.

A_princ@aol.com Virus – Detailed Overview

The a_princ@aol.com virus belongs to the Shade/Troldesh family of ransomware. These viruses are widely known to encrypt files with a long extension containing the email they use for contact and to put the .xtbl extension at the end. That is why some researchers label this as an XTBL ransomware type.

This virus is named after the email that its maker has left as a contact – a_princ@aol.com.

The ransomware will place the following file and use it as a starting point for infecting your system:

%WINDIR%\System32\Payload.exe

The virus will then create an executable file and probably a registry entry, so that it runs at each start of Windows. Other files that the ransomware will create are a text file and a picture with the instructions. Those files will remain hidden until your files get locked. After that, the virus encrypts files found on your disk drives and on storage devices you have connected.

When the encryption process is done, you will see that your desktop background has a new wallpaper, and a text file appears too. Both have the name How to decrypt your files. This is what the wallpaper looks like:

[Image: the ransom message wallpaper placed on the desktop]

The text on that image reads:

Attention!!!
To restore information email technical support
send 3 encrypted files
a_princ@aol.com

The other one is a .txt file and its contents are the following:

[Image: contents of the How to decrypt your files.txt file]

The a_princ@aol.com virus does not give a particular price for the decryption of your data. No deadline is provided either. The ransomware maker has left only one email for contact, and that is what distinguishes this variant from other ransomware in the security world.

Do NOT contact the a_princ@aol.com email trying to negotiate a price for paying the ransom. Even if you do that, you may not get your data back. Funding cyber criminals will only give them more money to aid them in their criminal activity. As a_princ@aol.com is a variant of the Shade/Troldesh ransomware family, there is a way you could try to recover your files. A decryptor tool made by Kaspersky exists, and you can find it in the instructions below this article.

The a_princ@aol.com ransomware encrypts a lot of file types. The ransomware encrypts files that have these file extensions:

[Image: a file encrypted by the ransomware, showing the .xtbl extension]

→.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

After all files get encrypted, you will see that every file has the following extension appended to it – .id-[eight digit number]-a_princ@aol.com.xtbl.
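The naming scheme above is enough to build an inventory of what the ransomware touched, which is the first thing a responder needs before trying the decryptor. The script below is an added example written for this article, not the site's or Kaspersky's code: it parses the ".id-[eight digit number]-a_princ@aol.com.xtbl" pattern, recovers the original name and extension, and summarises the victim ID, contact email and affected file types. The directory listing it runs on is constructed for the demonstration.

```python
"""Inventory files renamed by the Shade/XTBL scheme described in the article.

Added example, not the article's own tooling. Filename pattern (from the article):
    <original name>.id-<eight digit id>-<contact email>.xtbl
The sample listing below is constructed, not captured from a real infection.
"""
import re
from collections import Counter

# Anchored pattern: original name (lazy), eight-digit id, contact email, .xtbl.
XTBL_RE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<vid>\d{8})-(?P<email>[^-]+@[^.]+\.[a-z]+)\.xtbl$",
    re.IGNORECASE,
)


def parse_encrypted_name(filename: str):
    """Return the parts of a Shade-renamed file, or None if the name does not match."""
    m = XTBL_RE.match(filename)
    if not m:
        return None
    orig = m.group("orig")
    # Original extension, if the file had one (lower-cased for grouping).
    ext = orig.rsplit(".", 1)[1].lower() if "." in orig else ""
    return {
        "original_name": orig,
        "original_ext": ext,
        "victim_id": m.group("vid"),
        "email": m.group("email").lower(),
    }


def inventory(filenames):
    """Summarise a listing: how many files were renamed, by which id/email, and what was hit."""
    by_ext = Counter()
    ids, emails = set(), set()
    encrypted_count = 0
    for name in filenames:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue
        encrypted_count += 1
        by_ext[parsed["original_ext"] or "(none)"] += 1
        ids.add(parsed["victim_id"])
        emails.add(parsed["email"])
    return {
        "encrypted_count": encrypted_count,
        "victim_ids": sorted(ids),      # normally exactly one id per infected host
        "emails": sorted(emails),       # the contact address used in the ransom note
        "by_original_ext": dict(by_ext),
    }


# Constructed sample directory listing (hypothetical names, not real victim data).
SAMPLE_LISTING = [
    "budget.xlsx.id-12345678-a_princ@aol.com.xtbl",
    "thesis.docx.id-12345678-a_princ@aol.com.xtbl",
    "holiday.jpg.id-12345678-a_princ@aol.com.xtbl",
    "photos.zip.id-12345678-a_princ@aol.com.xtbl",
    "How to decrypt your files.txt",              # the ransom note itself is left readable
    "notes.txt.id-1234-a_princ@aol.com.xtbl",    # wrong id length: not this scheme
    "report.pdf",                                # untouched file
]

if __name__ == "__main__":
    print(inventory(SAMPLE_LISTING))
```

Run it against a real listing with `os.walk` instead of `SAMPLE_LISTING`; the `victim_ids` field should contain a single value per host, and more than one usually means files from another machine were copied in.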

Next, the ransomware may send some of the following data to a remote location:

  • Trojan ID
  • Compromised computer ID
  • Host name
  • Email address used by the Trojan
  • Number of encrypted document, archive, database, and image files
  • Total number of encrypted files

The A_princ@aol.com ransomware might delete the Shadow Volume Copies from the Windows Operating System. Read further to learn how you might decrypt your files.
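Deleting the Shadow Volume Copies is what removes the easy recovery path, so it is worth alerting on. The following is an added example written for this article, not the site's or any vendor's detection content: it flags process-creation records whose command line looks like shadow-copy removal. The article does not name the commands involved; the indicators used here (vssadmin and wmic shadowcopy deletions) are an assumption, and the log lines, their "timestamp|image|command line" format and the timestamps are all constructed for the demonstration.

```python
"""Flag process-creation records that look like Volume Shadow Copy deletion.

Added example, not the article's own tooling. The indicator patterns are an
assumption about how shadow copies are commonly removed; the log format and
the sample lines below are constructed, not captured from a real host.
"""
import re

# Assumed indicators: command lines that remove Volume Shadow Copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]


def parse_record(line: str) -> dict:
    """Parse a constructed 'timestamp|image path|command line' record."""
    ts, image, cmdline = line.split("|", 2)
    return {"ts": ts, "image": image, "cmdline": cmdline}


def is_shadow_deletion(cmdline: str) -> bool:
    """True when the command line matches any shadow-copy deletion indicator."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_deletions(lines):
    """Return the parsed records whose command line indicates shadow-copy deletion."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_shadow_deletion(rec["cmdline"]):
            hits.append(rec)
    return hits


# Constructed sample process-creation log (not from a real machine).
SAMPLE_LOG = [
    "2016-06-01T10:00:01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2016-06-01T10:02:13|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2016-06-01T10:02:14|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2016-06-01T10:05:00|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]

if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_LOG):
        print(f"{hit['ts']}  shadow-copy deletion: {hit['cmdline']}")
```

Listing shadow copies (the last sample line) is routine administration and is deliberately not flagged; an alert on deletion from a user-launched process, shortly before mass file renames, is a strong ransomware signal.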

Remove A_princ@aol.com Virus and Restore .xtbl Files

If your computer is infected with the a_princ@aol.com ransomware, you should have some experience with removing viruses. You should get rid of this ransomware as fast as you can, before it can spread deeper into the network you use and infect more files. You should remove the ransomware and follow the step-by-step instruction manual provided below. To see how you might try to recover your files, check the step titled 3. Restore files encrypted by a_princ@aol.com.

Manually delete a_princ@aol.com from your computer

Note! Important notice about the a_princ@aol.com threat: Manual removal of a_princ@aol.com requires interference with system files and registry entries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove a_princ@aol.com files and objects.
2. Find malicious files created by a_princ@aol.com on your PC.
3. Fix registry entries created by a_princ@aol.com on your PC.

Automatically remove a_princ@aol.com by downloading an advanced anti-malware program

1. Remove a_princ@aol.com with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by a_princ@aol.com in the future
3. Restore files encrypted by a_princ@aol.com
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
