siddhiup2@india.com Virus – Remove and Decrypt .XTBL Files

Another ransomware virus belonging to the CrySiS (.XTBL) family has been reported by ESG malware researchers to encrypt user files. The virus creates a malicious executable on the %SystemDrive% of Windows, which is then used to encrypt a wide variety of file types on the computers that have become its victims. The siddhiup2@india.com malware may then leave a ransom note notifying users that they should either contact the e-mail address or make a ransom payment in return for their files.

N.B.: A decryptor has been released for the Shade (.XTBL) ransomware variants. For more information and detailed instructions on how to decrypt your files, please check this article.

Threat Summary

Name: siddhiup2@india.com
Type: Ransomware
Short Description: Part of the "@" ransomware variants. Encrypts the files on the infected computer, then asks for ransom money in e-mail correspondence.
Symptoms: The user may find his files corrupted, with the suspicious e-mail address and .xtbl added as file extensions.
Distribution Method: Via exploit kits or downloader Trojans.
Detection Tool: See if your system has been affected by siddhiup2@india.com (malware removal tool download).
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

siddhiup2@india.com Ransomware – Distribution and Infection Methods

To make the campaign a profitable investment, the cyber-criminals who control the siddhiup2@india.com virus may focus on spreading it as a seemingly legitimate document attached to e-mails. In addition, the malicious payload attachment may come in an obfuscated form so that it runs undetected by any security software installed on the victim's computer.

Furthermore, the subjects of the e-mails sent by the cyber-criminals may vary, and the messages may resemble correspondence from legitimate organizations, such as well-known online retailers, banks and other institutions with which the user may have accounts.

siddhiup2@india.com Virus – More Information About It

Once it has run on the victim's computer, the siddhiup2@india.com ransomware virus may drop the following file:

%SystemDrive%\Users\backup\AppData\Roaming\Siddhi.exe

After this is done, the siddhiup2@india.com virus may delete the volume shadow copies of the compromised machine via a batch command run with administrative privileges, which prevents recovery of the files from Windows' own backups. The command is the following:

vssadmin delete shadows /for={Drive volume} /all /quiet

In addition, the siddhiup2@india.com ransomware may also cause several other issues on the infected computer, such as restarting it and modifying the Windows Registry so that its malicious executable runs automatically every time Windows starts. The registry keys targeted for this are the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The other method the siddhiup2@india.com virus may use to make its malicious files run on system startup is to drop a shortcut to, or copies of, the files it runs directly into the Windows startup folder:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
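As an added defender-side example (not from the original article), the following Python script flags the indicators described above in constructed process-creation log lines and a constructed `reg query` export: a `vssadmin delete shadows` invocation, and executables launched from, or registered to autostart from, AppData\Roaming or the Startup folder. The log line format, user name and timestamps are assumptions built around the dropped-file path the article names.

```python
import re

# Constructed sample data (not from the article): process-creation log lines in a
# simplified "<time> user=<u> cmd=<command line>" form, plus the text of a
# `reg query ...\Run` export, as a responder would collect from a host.
SAMPLE_PROCESS_LOG = """\
2016-08-01T10:02:11 user=backup cmd=C:\\Users\\backup\\AppData\\Roaming\\Siddhi.exe
2016-08-01T10:02:14 user=backup cmd=vssadmin delete shadows /for=C: /all /quiet
2016-08-01T10:05:00 user=backup cmd=C:\\Windows\\System32\\notepad.exe
2016-08-01T10:06:00 user=admin cmd=vssadmin list shadows
"""

SAMPLE_REG_QUERY = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    C:\\Users\\backup\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
    Siddhi      REG_SZ    C:\\Users\\backup\\AppData\\Roaming\\Siddhi.exe
"""

# Shadow copy deletion (listing shadows is benign and deliberately not matched).
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
# Executables living in a per-user roaming profile or the all-users Startup folder.
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\\s]+\.exe\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def scan_process_log(text):
    """Return (timestamp, reason) tuples for log lines matching the indicators."""
    hits = []
    for line in text.splitlines():
        cmd = line.split("cmd=", 1)[1] if "cmd=" in line else ""
        ts = line.split(" ", 1)[0]
        if SHADOW_DELETE.search(cmd):
            hits.append((ts, "shadow copy deletion"))
        elif ROAMING_EXE.search(cmd) or STARTUP_DIR.search(cmd):
            hits.append((ts, "executable run from user-writable autostart/roaming path"))
    return hits


def scan_autoruns(text):
    """Return (value_name, path) for Run/RunOnce values pointing at suspicious paths."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        # Value lines look like: <name> <REG_type> <data>; key header lines are skipped.
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            name, path = parts[0], " ".join(parts[2:])
            if ROAMING_EXE.search(path) or STARTUP_DIR.search(path):
                hits.append((name, path))
    return hits
```

On a real host the same functions can be fed the output of `reg query` for the four keys listed above and the command-line field of process-creation events.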

After its malicious executable has been run, the Siddhiup2 ransomware begins to scan for and encrypt a wide variety of file types:

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, .sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

Source: ESG

To encrypt user files, the siddhiup2@india.com ransomware may use the strong AES encryption algorithm. The AES key used during the encryption process is then itself encrypted with RSA, and the corresponding RSA private key is held by the cyber-criminals, making them the only ones able to decipher these files.

Related Article: Ransomware Encryption Explained: Why Is It So Effective?


The files that have been encrypted by siddhiup2@india.com may look like the following:

[Image: example of an encrypted file name carrying the siddhiup2@india.com address]

siddhiup2@india.com Ransomware Removal and Decrypting .Xtbl Encrypted Files

To remove this virus, it is strongly advisable to use an advanced anti-malware program, since it will identify all of the objects associated with the siddhiup2@india.com threat. Another way is to follow the step-by-step removal instructions posted below. They will help you remove siddhiup2@india.com permanently from your computer and protect your data from this and other types of threats in the future.

To learn how to decrypt your files, please check step "3. Restore files encrypted by siddhiup2@india.com" below.

Manually delete siddhiup2@india.com from your computer

Note! Important notice about the siddhiup2@india.com threat: manual removal of siddhiup2@india.com requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove siddhiup2@india.com files and objects
2. Find malicious files created by siddhiup2@india.com on your PC
3. Fix registry entries created by siddhiup2@india.com on your PC

Automatically remove siddhiup2@india.com by downloading an advanced anti-malware program

1. Remove siddhiup2@india.com with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by siddhiup2@india.com in the future
3. Restore files encrypted by siddhiup2@india.com
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
