Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Sitaram108@india.com Virus Remove and Restore .Xtbl Files

shutterstock_152253701Malware researchers have identified a string associated with the XTBL viruses, dubbing it Sitaram108@india.com ransomware virus. It uses the .xtbl file extension and similar to other XTBL viruses may use the AES and RSA ciphers to encrypt files of affected users and then ask them to contact a specific e-mail address to restore these files. Since the cyber-criminals behind this virus are interesting in getting users to pay BitCoins as a ransom payoff, malware researchers are currently working on a decryptor for the files that can unlock them for free. For more information on how to remove Sitaram108@india.com ransomware and how to restore your files, it is strongly advisable to read this article thoroughly.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name Sitaram108@india.com Ransomware
Type Ransomware
Short Description A variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
Symptoms After encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution Method Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Sitaram108@india.com Ransomware


Malware Removal Tool

User Experience Join our forum to Discuss Radxlove7@india.com Ransomware.

Sitaram108@india.com – How Does It Replicate

To be successfully in the systems of it’s victims, the ones who are behind Sitaram108@india.com virus may undertake spam campaigns that may redistribute an exploit kit hidden as a malicious e-mail attachment. The e-mails sent out with the virus may pretend to be legitimate e-mails sent from various institutions, like banks or online retailer stores. They may contain convincing subjects, like “Your account is closed” to get users to download and open such attachments.

In addition to this, the attachments of Sitaram108@india.com ransomware themselves may also be concealed. Cyber-criminals use exploit kits and malware obfuscators to hide these files from any security software. They may also use file joiners to make the files appear as if they were a legitimate Microsoft Excel, Adobe Reader or other documents, for instance.

Sitaram108@india.com Ransomware – Detailed Description

After having opened the malicious payload carrying file, it may connect remotely to the cyber-criminals’ command and control server only to download the actual payload without any hic-ups. As soon as it downloads it, the Sitaram108@india.com
Virus may drop the files in various Windows locations:

  • %Roaming%
  • %SystemDrive%
  • %AppData%
  • %Local%
  • %Temp%

Also, typically to the .XTBL ransomware viruses, the Sitaram108@india.com Ransomware may drop a ransom note file under .HTML and .hta file formats.

The Sitaram108@india.com virus also creates copies and shortcuts of those files in the %Startup% folder to make them run everytime Windows boots up:

→C:\Users\ {User’s profile}\ AppData\ Roaming\ Microsoft\Windows\ Start Menu\Programs\ Startup\ Decryption instructions.jpg
C:\Users\ {User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Startup\ Decryption instructions.txt
C:\Users\ {User’s profile}\ AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ {malicious payload file}.exe
C:\Windows\System32\ {malicious payload file}.exe

When it starts encrypting the files, Sitaram108@india.com may be very choosy. It looks for most files that are widely used to encode them, making them permanently unopenable. The virus may also be configured to skip specific folders to encrypt, such as:

  • %System Drive%
  • %AppData%
  • %Windows%
  • %Temp%
  • %System32%

The Sitaram108@india.com may skip those folders for one and only purpose – to avoid crashing Windows OS while encrypting the files.

In addition to this, the Sitaram108@india.com virus may also delete all the backups of the compromised computer using the powerful vssadmin command in “quiet” mode.

After having encrypted your files, just like many other XTBL ransomware variants out there, the Sitaram108@india.com virus ads a unique identifier, it’s e-mail address, and the .xtbl file extension to encrypted files, for example:


Sitaram108@india.com Ransomware – Removal and Restoring .XTBL Files

If you wish to delete this ransomware from your computer, it is advisable not to take it to an expert. They will only overcharge you for something you can do on your own. Instead, we advise you to simply follow the instructions after this article as they are going to help you delete the malicious files associated with Sitaram108@india.com ransomware. For maximum effectiveness, malware researchers also strongly advise users to download and install an advanced anti-malware program which will surely take care of the threat and protect you in the future as well.

To try and restore your files you may attempt using the methods illustrated in step “3. Restore files encrypted by Makdonalds@india.com” ransomware below. However, we also advise you not to try direct decryption using Kaspersky’s methods because this virus may also have a defensive mechanism, called CBC (cipher block chaining) that may break the files irreversibly if you try to decode them.

Manually delete Sitaram108@india.com Ransomware from your computer

Note! Substantial notification about the Sitaram108@india.com Ransomware threat: Manual removal of Sitaram108@india.com Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Sitaram108@india.com Ransomware files and objects
2.Find malicious files created by Sitaram108@india.com Ransomware on your PC
3.Fix registry entries created by Sitaram108@india.com Ransomware on your PC

Automatically remove Sitaram108@india.com Ransomware by downloading an advanced anti-malware program

1. Remove Sitaram108@india.com Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Sitaram108@india.com Ransomware in the future
3. Restore files encrypted by Sitaram108@india.com Ransomware
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.