Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Savepanda@india.com Virus Remove and Restore .XTBL Files

shutterstock_240798115Another virus belonging to the family of XTBL/CrySiS ransomware has emerged, infecting users massively. The malware may use a strong combination of several encryption algorithms to encode the data. It may employ different strengths of AES encryption directly on the files of an infected computer and an RSA cipher to lock the generated decryption key. This is done for the one and only purpose to extort users for payment for the decryption of their files. All victims of these viruses should not pay any ransom payoff and read this article thoroughly to learn how to restore your files and fully remove the Savepanda@india.com ransomware.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name Savepanda@india.com ransomware
Type Ransomware
Short Description The ransomware encrypts files with the AES-128 cipher and ask a ransom for decryption.
Symptoms Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution Method Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Savepanda@india.com ransomware


Malware Removal Tool

User Experience Join our forum to Discuss Savepanda@india.com Ransomware.

Savepanda@india.com Ransomware – Distribution Methods

Since this is one of the many XTBL ransomware variations, cyber-criminals may employ different strategies to spread it.

One of the reported strategies used by crooks in association with this virus is known to be a brute-forcing technique to gain remote desktop control over the targeted computer.

Another technique that may be used by the creators of Savepanda@india.com Ransomware is believed to be the distributing of malicious executables via spam e-mails in the form of e-mail attachments. Such attachments may be created to appear as if they were legitimate Microsoft Office documents or Adobe Reader files.

In addition to this, malicious URLs may be posted that redirect to web links that may cause an infection of the user PC via drive-by downloads as well as malicious JavaScript or an Adobe Flash Player exploit.

Savepanda@india.com Ransomware – More Information

After the malicious executable of this virus has been situated onto your computer it may create several different files on different Windows locations:

  • %AppData%
  • %SystemDrive%
  • %Local%
  • %Roaming%

The Savepanda@india.com virus is also believed to create several malicious files onto the %Startup% folder of Windows, to make them run when the computer boots up. Those files may include:

  • The malicious file-encrypting executable or a shortcut to it. /span>
  • An .html file containing the ransom note of Savepanda@india.com virus.
  • An .hta file that may also contain the ransom note.
  • An image file again with the ransom note that may be set as a wallpaper on the affected computer.

Regarding file encryption, the Savepanda@india.com ransomware may scan for and encrypt a big variety of file types, for instance:

→.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps. (Source: ESG Malware Research)

After encrypting the files, the virus may append several different file extensions, main of which may be .xtbl or .CrySiS. In addition to this, the files encrypted by this virus may also contain a unique identifier and the e-mail address Savepanda@india.com to additionally inform users they have become victims of this threat.

Finally, the Savepanda@india.com Ransomware may execute the following command to delete the volume shadow copies in Windows without the user noticing:

→vssadmin delete shadows /all /quiet

Remove Savepanda@india.com Ransomware and Restore Encrypted Files

To delete the Savepanda@india.com ransomware virus, we advise you to follow the file decryption instructions below. They are methodologically arranged to help you deal with this threat effectively. However, in case you are experiencing technical difficulties in removing Savepanda@india.com ransomware from your computer, malware researchers strongly advise using an advanced anti-malware program to automatically delete everything from your computer.

In case you want to try and restore your files, we advise you to wait until a free decrypter has been released. In the meantime, you may try to use the instructions in step “3.Restore files encrypted by Savepanda@india.com Ransomware” below.

Manually delete Savepanda@india.com ransomware from your computer

Note! Substantial notification about the Savepanda@india.com ransomware threat: Manual removal of Savepanda@india.com ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Savepanda@india.com ransomware files and objects
2.Find malicious files created by Savepanda@india.com ransomware on your PC
3.Fix registry entries created by Savepanda@india.com ransomware on your PC

Automatically remove Savepanda@india.com ransomware by downloading an advanced anti-malware program

1. Remove Savepanda@india.com ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Savepanda@india.com ransomware in the future
3. Restore files encrypted by Savepanda@india.com ransomware
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.