
Remove Centurion_Legion@aol.com .XTBL Ransomware

One of the many ransomware variants of the Shade/Troldesh family is called Centurion_Legion@aol.com, after the contact address it appends to the files it encrypts. This is a recently discovered version that has started to plague computer users worldwide. It encrypts most user files and folders with a strong cipher so that they can no longer be opened, and the criminals then demand a ransom fee to "unlock" the compromised data. If you have been affected by this ransomware, we recommend that you follow the instructions below to remove it and, where possible, restore your files without paying the ransom.

Threat Summary

Name                 Centurion_Legion@aol.com .XTBL
Type                 Ransomware
Short Description    A variant of the Shade/Troldesh ransomware family. It encrypts user data with strong encryption and drops a note with instructions on how to pay the criminals' ransom fee.
Symptoms             User files can no longer be opened and are renamed with the criminals' e-mail address and .xtbl appended as extensions.
Distribution Method  Spam emails, email attachments, malicious websites, file sharing networks.

Centurion_Legion@aol.com – How Does It Infect?

The developers of the Centurion_Legion@aol.com ransomware distribute the malware through several channels: spam email campaigns built around phishing lures, malicious websites hosting download links, and infected removable media such as flash drives and external disks.
One of the most common infection routes is phishing email with forged headers. These messages pose as legitimate notifications from courier companies such as FedEx, DHL and USPS; the counterfeit "failed delivery" messages carry the ransomware either as an infected attachment or as an embedded link to the executable.

Ransomware of the Shade/Troldesh family is also known to spread through Office documents that carry malicious macros. Macros are disabled by default, so the document is crafted to persuade the user to click "Enable Content"; once the macro runs, it downloads or drops the ransomware executable and starts it.
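As an added illustration (not part of the original article), the following Python shows the check a mail gateway can apply to Office attachments before they reach a user who could click Enable Content: open the OOXML (zip) container and look for the vbaProject.bin part or its declared content type. The sample documents are constructed in memory by build_sample_ooxml and are not real malware; legacy binary .doc/.xls files are not zips, so they are routed for review with an OLE-aware scanner such as oletools' olevba rather than inspected here.

```python
import io
import os
import zipfile

# Part name suffix and content type that an OOXML document uses for an embedded VBA project.
VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Extensions Office treats as macro-enabled, and legacy binary formats this
# zip-based check cannot open (they need an OLE parser, e.g. oletools' olevba).
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
LEGACY_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML container ships a VBA project, either as a part or as a
    declared content type (checking both catches a renamed part)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    with archive:
        if any(name.lower().endswith(VBA_PART_SUFFIX) for name in archive.namelist()):
            return True
        try:
            content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            return False
        return VBA_CONTENT_TYPE.lower() in content_types.lower()


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway decision for one attachment. Policy (an assumption of this example):
    macro-enabled extensions are blocked outright, any container carrying a VBA
    project is blocked even under a .docx name, legacy binary formats go to review."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in LEGACY_EXTS:
        return "review:legacy-format"
    if ext in MACRO_EXTS:
        return "block:macro-extension"
    if has_vba_project(data):
        return "block:vba-project"
    return "allow"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word attachment: a minimal OOXML zip, with or
    without a placeholder VBA project part. Not a real malware sample."""
    overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
    parts = {"word/document.xml": b"<w:document/>"}
    if with_macro:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 placeholder OLE stream"
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", content_types)
        for name, body in parts.items():
            archive.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed file names in the style of the courier-themed lures described above.
    for name, macro in [("FedEx_Delivery_Failure.docm", True),
                        ("Invoice.docx", False),
                        ("Invoice.docx", True),
                        ("Old_Report.doc", False)]:
        print(f"{name:30} -> {classify_attachment(name, build_sample_ooxml(macro))}")
```

The third sample (a .docx that nonetheless carries vbaProject.bin) is the case worth keeping: extension-only filtering lets it through, while the container check does not.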

Centurion_Legion@aol.com – Detailed Background

The ransomware affects all current versions of the Microsoft Windows operating system: Windows 7, Windows 8 (8.1) and Windows 10. It uses a hybrid scheme in which file contents are encrypted with the AES cipher and the AES key is in turn protected with RSA public-key encryption, so that only the holder of the matching RSA private key can recover the files.

Upon execution the malware drops a copy of itself under a random name into the %AppData% or %LocalAppData% folder and launches that copy. The dropped executable then scans all connected drives and encrypts the user's data. Centurion_Legion@aol.com targets all commonly used file types, including those used for documents, audio and video. As with other members of the Shade/Troldesh family the targeted files include those with the following extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Each encrypted file is renamed with the .centurion_legion@aol.com.xtbl extension appended to its original name. A ransom note named "How to decrypt your files.txt" is placed in every folder that contains an affected file and on the Windows desktop. Centurion_Legion also replaces the desktop background with the image "How to decrypt your files.png", which carries the ransom demand; the sum requested usually ranges from 0.5 to 1.5 Bitcoin. This variant additionally deletes all Shadow Volume Copies found on the machine, which removes the easiest local recovery path.
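The behaviour described above (a randomly named executable started from %AppData% or %LocalAppData%, launched by an Office process when the macro lure is used, followed by deletion of Shadow Volume Copies) is enough to write a detection. The following Python is an added example, not code from the original page: it runs three rules over process-creation events in a simplified Sysmon Event ID 1 shape (Image, CommandLine, ParentImage). The log lines, user name and executable name are constructed for the demo, and the shadow-copy command patterns (vssadmin, wmic, wbadmin, Win32_ShadowCopy) are the usual ways ransomware deletes shadow copies, not a statement of which command this variant uses.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# The user "alice" and the executable "qpxf7a.exe" are invented for the demo.
SAMPLE_LOG = r"""
{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\FedEx_Delivery_Failure.docm\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Users\\alice\\AppData\\Roaming\\qpxf7a.exe", "CommandLine": "\"C:\\Users\\alice\\AppData\\Roaming\\qpxf7a.exe\"", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\qpxf7a.exe"}
{"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Image": "C:\\Program Files\\7-Zip\\7zG.exe", "CommandLine": "\"C:\\Program Files\\7-Zip\\7zG.exe\" x archive.zip", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

# Common shadow-copy deletion/eviction commands (general ransomware tradecraft,
# not specific to this variant).
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
APPDATA_ROOTS = ("appdata\\roaming", "appdata\\local")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_exe_in_appdata_root(image: str) -> bool:
    """An .exe sitting directly in %AppData% or %LocalAppData% (not a vendor subfolder)."""
    p = PureWindowsPath(image)
    return p.suffix.lower() == ".exe" and str(p.parent).lower().endswith(APPDATA_ROOTS)


def analyze_event(event: dict) -> list:
    """Return the rule names that fire for one process-creation event."""
    findings = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    parent_name = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
        findings.append("shadow-copy-tampering")
    if is_exe_in_appdata_root(image):
        findings.append("exe-run-from-appdata-root")
    if (parent_name in OFFICE_PARENTS
            and PureWindowsPath(image).suffix.lower() == ".exe"
            and not image.lower().startswith(TRUSTED_PREFIXES)):
        findings.append("office-spawned-executable")
    return findings


def scan_log(text: str) -> list:
    """Run analyze_event over JSON-lines input; return (image, findings) for events that fired."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = analyze_event(event)
        if findings:
            alerts.append((event.get("Image", ""), findings))
    return alerts


if __name__ == "__main__":
    for image, findings in scan_log(SAMPLE_LOG):
        print(f"{image}: {', '.join(findings)}")
```

The two rules that fire on the dropped executable are independent of its name, which matters because the name is random; the shadow-copy rule fires on the child command line, so it catches the same behaviour even if the dropper was missed.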

Centurion_Legion@aol.com Ransomware – Remove It and Try To Restore Your Files

At this moment no public decryptor tool is available for this variant of the Troldesh/Shade family. Because the files are encrypted with AES and the AES key is protected with RSA, restoring access requires the criminals' RSA private key. That key is held only by the attackers and has not been leaked or published, so there is no way to build a decryption utility at this time. AES is the same cipher used by many secure applications and services, and brute forcing the key is unrealistic.

Upon execution Centurion_Legion deletes all Shadow Volume Copies on the local computer to further complicate restoration for the victim, so the Previous Versions feature and shadow-copy recovery tools will not help. All users are urged to keep offline, external copies of all sensitive data so that a ransomware infection such as this one does not result in data loss. We also suggest that you report the incident to the law enforcement agency in your country.
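Before deciding what to pull from backup you need to know exactly which files were renamed and where the notes landed. The following Python is an added example, not the page's own procedure: it takes a list of file paths (SAMPLE_PATHS is a constructed profile, not data from a real victim), strips the .centurion_legion@aol.com.xtbl suffix the article describes to recover each original name, counts losses by original extension, and produces a manifest of original paths to match against the offline backup. If the names on a given machine carry a different suffix, adjust ENC_SUFFIX accordingly.

```python
import os
from collections import Counter
from pathlib import PureWindowsPath

# Naming used by this variant, as described above.
ENC_SUFFIX = ".centurion_legion@aol.com.xtbl"
NOTE_NAMES = {"how to decrypt your files.txt", "how to decrypt your files.png"}

# Constructed sample of a victim profile; nothing here comes from a real machine.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.centurion_legion@aol.com.xtbl",
    r"C:\Users\alice\Documents\thesis.docx.centurion_legion@aol.com.xtbl",
    r"C:\Users\alice\Documents\How to decrypt your files.txt",
    r"C:\Users\alice\Pictures\IMG_0412.jpg.centurion_legion@aol.com.xtbl",
    r"C:\Users\alice\Pictures\How to decrypt your files.txt",
    r"C:\Users\alice\Desktop\How to decrypt your files.png",
    r"C:\Users\alice\Desktop\todo.txt",
    r"C:\Users\alice\Downloads\setup.exe",
]


def split_encrypted_name(name: str):
    """Return (original_name, original_ext) if the file carries the ransomware
    suffix, else None. Matching is case-insensitive; the suffix is stripped as-is."""
    if not name.lower().endswith(ENC_SUFFIX):
        return None
    original = name[:-len(ENC_SUFFIX)]
    return original, os.path.splitext(original)[1].lower()


def triage(paths) -> dict:
    """Sort file paths into encrypted files, ransom notes and untouched files.
    PureWindowsPath accepts both '\\' and '/', so this also works on paths
    collected from a disk image mounted on a Linux analysis box."""
    summary = {"encrypted": [], "notes": [], "untouched": [],
               "by_ext": Counter(), "dirs_with_notes": set()}
    for path in paths:
        p = PureWindowsPath(path)
        if p.name.lower() in NOTE_NAMES:
            summary["notes"].append(str(p))
            summary["dirs_with_notes"].add(str(p.parent))
            continue
        parsed = split_encrypted_name(p.name)
        if parsed is None:
            summary["untouched"].append(str(p))
            continue
        original_name, ext = parsed
        summary["encrypted"].append((str(p), original_name))
        summary["by_ext"][ext or "(none)"] += 1
    return summary


def restore_manifest(summary: dict) -> list:
    """Pair each encrypted path with the original path it replaced, so the list
    can be matched against an external backup for restoration."""
    manifest = []
    for enc_path, original_name in summary["encrypted"]:
        original_path = PureWindowsPath(enc_path).parent / original_name
        manifest.append((enc_path, str(original_path)))
    return manifest


def scan_tree(root: str) -> list:
    """Collect every file path under root (run on the infected machine or a mounted image)."""
    return [os.path.join(dirpath, f) for dirpath, _, files in os.walk(root) for f in files]


if __name__ == "__main__":
    s = triage(SAMPLE_PATHS)
    print(f"{len(s['encrypted'])} encrypted, {len(s['notes'])} notes, {len(s['untouched'])} untouched")
    for ext, n in s["by_ext"].most_common():
        print(f"  {ext}: {n}")
    for enc, orig in restore_manifest(s):
        print(f"restore {orig}  (currently {enc})")
```

On the infected machine or a mounted image, feed scan_tree(root) into triage. The untouched list is worth a look too: it shows which file types the malware skipped, and any file that was renamed but whose original extension is not in the list above indicates the variant on that machine differs from the one described here.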

Manually delete Centurion_Legion@aol.com .XTBL from your computer

Note! Manual removal of Centurion_Legion@aol.com .XTBL involves editing system files and the registry, and a mistake there can damage your PC. If you are not comfortable doing this by hand, use a reputable anti-malware tool to perform the removal.

1. Boot Your PC In Safe Mode to isolate and remove Centurion_Legion@aol.com .XTBL files and objects
2. Find malicious files created by Centurion_Legion@aol.com .XTBL on your PC
3. Fix registry entries created by Centurion_Legion@aol.com .XTBL on your PC

Automatically remove Centurion_Legion@aol.com .XTBL by downloading an advanced anti-malware program

1. Remove Centurion_Legion@aol.com .XTBL with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Centurion_Legion@aol.com .XTBL in the future
3. Restore files encrypted by Centurion_Legion@aol.com .XTBL
Optional: Using Alternative Anti-Malware Tools

Editor’s Note:

From time to time, SensorsTechForum features guest articles by cyber security and infosec leaders and enthusiasts such as this post. The opinions expressed in these guest posts, however, are entirely those of the contributing author, and may not reflect those of SensorsTechForum.

Martin Beltov (Guest Blogger)

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
