Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Systemdown@india.com Virus Remove and Restore .Xtbl Files

shutterstock_240798115Yet another ransomware virus has appeared, belonging to the notorious .XTBL ransomware variants. The malware has been the reason for report that it aims to encrypt the files of affected users. It may use AES encryption to encode the files of the user, RSA cipher to encode the AES decryption key and CBC-mode as a defensive measure. Users who have been infected by Systemdown@india.com ransomware are strongly advise to follow the step-by-step ransom instructions outlined in this article to remove this virus successfully. If you want to restore your files, we also advise attempting to use some of the file restoration methods in this report as well until a decryption becomes publicly available for free.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name Systemdown@india.com Virus
Type Ransomware
Short Description A variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
Symptoms After encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution Method Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Systemdown@india.com Virus


Malware Removal Tool

User Experience Join our forum to Discuss Systemdown@india.com Ransomware.

How Is Systemdown@india.com Spread?

To infect a high amount of users, the Systemdown@india.com ransomware may be included in a spam campaign that aims to spead phishing e-mails that imitate legitimate companies, like PayPal, banking institutions, etc. Such e-mail messages might have topics that are focused on persuading users that their bank accounts are suspended and others.

The main end goal for cyber-criminals is for users to either click on a malicious URL featured in the body of those e-mails or even an e-mail attachment of files, pretending to be:

  • Microsoft Excel Documents.
  • Microsoft Word Documents.
  • Adobe Reader Files.
  • Archives and photos.

As soon as users click on such links or attachments, the payload may be downloaded via a request from the C&C servers of the cyber-criminals.

Systemdown@india.com In Detail

After having infected the user, the Systemdown@india.com virus may drop it’s payload onto several different folders on the infected Windows machine:

→ C:\Users\ {User’s profile}\ AppData\ Roaming\ Microsoft\Windows\ Start Menu\Programs\ Startup\ Decryption instructions.jpg
C:\Users\ {User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Startup\ Decryption instructions.txt
C:\Users\ {User’s profile}\ AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ {malicious payload file}.exe
C:\Windows\System32\ {malicious payload file}.exe

The virus targets the %Startup% folder very specifically because it allows it to be automatically executed on System Startup.

Systemdown@india.com Ransomware is also believed to delete the volume shadow copies of the computers which it infects. This may happen by executing an administrative command, called vssadmin:

→vssadmin delete shadows /all /quiet

When it begins to encrypt user files, Systemdown@india.com crypto malware may look for the most widely used type of files, primarily associated with:

  • Videos.
  • Image files.
  • Audio files.
  • Database files.
  • Files that are associated with programs often used, like Microsoft Office files, for example.

After encryption, the affected files are appended the .XTBL file extension, a unique identification number, and the contact e-mail, similar to other XTBL ransomware variants. An encrypted file by the Systemdown@india.com virus looks like the following:


Remove Systemdown@india.com Ransomware and Restore .XTBL Encrypted Files

To successfully delete this ransomware from your computer, malware researchers strongly advise using instructions like the ones below, since they are arranged methodologically correct and will help you get rid of this virus. In case you are experiencing difficulties and doubts that you will manually remove Systemdown@india.com ransomware, malware researchers advise using an advanced anti-malware program that will automatically scan for and remove the Systemdown@india.com threat.

To restore your files, we advise waiting for a direct decryptor being released in public instead of having to pay ransom money to cyber-criminals to restore your files. We also recommend following this blog since we are going to post an update as soon as decryption is available for free. Do not be tempted to attempt direct file-recovery because the Cipher Block Chaining (CBC) mode in this virus may break your files. In the meantime, you may try some of the alternative methods we suggested in step “3. Restore files encrypted by Systemdown@india.com Virus.”

Manually delete Systemdown@india.com Virus from your computer

Note! Substantial notification about the Systemdown@india.com Virus threat: Manual removal of Systemdown@india.com Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Systemdown@india.com Virus files and objects
2.Find malicious files created by Systemdown@india.com Virus on your PC
3.Fix registry entries created by Systemdown@india.com Virus on your PC

Automatically remove Systemdown@india.com Virus by downloading an advanced anti-malware program

1. Remove Systemdown@india.com Virus with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Systemdown@india.com Virus in the future
3. Restore files encrypted by Systemdown@india.com Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.