Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Veracrypt@india.com Virus Remove and Restore .XTBL Files

veracrypt-ransomware-malware-sensorstechforumRansomware virus belonging to the Troldesh ransomware viruses called VeraCrypt@india.com virus has been detected by ESG malware researchers to cause infections and run on system startup. Being part of the XTBL ransomware variants the Veracrypt@india.com virus is created to generate money by encrypting the files on infected computers with a strong algorithm and sending the decryption key to cyber criminals. After this it asks users to pay a certain “fee” to gain access to their files. In case you have been infected by this ransomware, we advise you to read this article and learn ways of removing it and trying to restore your files.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name Veracrypt@india.com
Type Ransomware
Short Description A variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
Symptoms After encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution Method Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Veracrypt@india.com


Malware Removal Tool

User Experience Join our forum to Discuss Veracrypt@india.com Ransomware.

Veracrypt@india.com Ransomware – How Does It Infect?

The creators of Veracrypt@india.com Ransomware may use different strategies to infect users. They have taken into consideration that infection with malware is a bottleneck when it comes to ransomware – from it, the whole outcome of the cyber-crooks making money is dependable. This is why different strategies to replicate malicious URLs and malicious executables may be employed.

Gone are the days when cyber-criminals would directly use the malicious executable to infect a computer. Nowadays, predominantly exploit kits or JavaScript attacks are used. If an executable is dropped on the user PC, however, it may be heavily obfuscated via an obfuscation software that aims to hide it from any real-time shields of antivirus programs. Such obfuscators are usually very expensive, and cyber-criminals invest a great deal in them.

The most widely used distribution method is to replicate files using spam e-mail messages. Such messages usually contain convincing statements in them to get users to open the attachments or click on certain URLs that cause infections via drive-by downloads. This is the main reason why it is strongly advisable to check everything on your email, you believe suspicious before opening it or downloading it on your computer.

Veracrypt@india.com Ransomware – Detailed Background

As soon as Veracrypt@india.com ransomware causes an infection, it may immediately download it’s malicious executables. ESG malware researchers have reported that the virus may connect to a third-party remote host and download the file-encryption .exe object onto the %Startup% folder of the infected computer to make it run on system boot:

→%SystemDrive%\Users\{user’s profile name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{the payload file}.exe

In addition to dropping this file, the virus may also drop other support files, like a .bat file that may automatically run and delete the shadow copies and other backups on the affected computer using the following command:

→vssadmin delete shadows /all /quiet

The “/quiet” suffix is a mode which allows this ransomware to delete any file history and previous versions of files without the user noticing.

When the .exe which encrypts files is ran, it may immediately begin to scan for specific file-types to encrypt. Malware researchers believe that the Veracrypt@india.com virus may be configured to look for these specific types of files and encrypt only them:

→.jpg, .jpg2, .png, .ppt, .pptm, .pptx, .bmp, .doc, .docm, .docx, .docxml, .pdf, .gif, .rtf, .tar, .targz, .targz2, .txt, .xlmv, .xls, .xlsm, .xlsx, .xml, .mkv, .mov , .mp4, .mpeg, .mpg, .msg, .myd, .myi, .obj, .odb, .odc, .odm, .ods, .oft,. one, .onepkg, .onetoc2, .opt, .oqy, .p7b, .p7c, .pcx, .pdd, .pdp, .pem, .pfx, .php, .php3, .php4, .php5, .phtml, .pl, .pm, .pot, .potm, .potx, .pps, .ppsn, .prn, .pst, .ptx, .pxr, .py, .ai3, .ai4, .ai5, .ai6, .arw, .as, .ASA, .ascx, .asmx, .asp, .aspx,. asr, .avi, .bak, .bay, .bz2, .c, .cdr, .cer, .cfc, .cfn, .cfnl, .cin, .chm, .class, .config, .cpp, .crt, .cs, .css, .csv, .cub, .dae, .db, .dc3, .dcm, .der, .dic, .dif, .divx, .djvu, .dl, .dot, .dotm , .dotx, .dpx, .dqy, .dtd, .dwg, .dx, .dxf, .dsn, .dwt, .eps, .exr, .fido,. frm, .gz, .h, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .ind, .ini, .iqy, .j2c, .i2k, .java, .jp2, .jpc, .jpf, .jpx, .js, .jso, .json, .kmz, .lbi, .m4v, .mdb, .mdf, .mef , .mht, .mhtml, .r3d, .rar, .rdf, .rle , .rqy, .rss, .rw2, .rwl, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql,. srw, .ssi, .stn, .svg, .svg2, .swf, .tdi, .tga, .tld, .u3d, .udl, .uxdc, .vcs, .vda, .wbm, .wbmp, .xlk, .xlm, .xltx, .xlw, .xsd, .xsl, .xsc, .xslt, .xz, .wb2, .wim , .wmv, .zip, .3fr, .3gp, .7z

After the encryption process has been finished, the Veracrypt@india.com ads it’s trademark – a custom file extension which contains a unique ID, it’s e-mail and one of the two file extensions – .xtbl or CrySiS. These file extensions are very typical for viruses that belong to the XTBL ransomware variants family.

Encrypted files by Veracrypt@india.com ransomware look like the following:


The encryption algorithm used by the Veracrypt@india.com Ransomware may vary, however most viruses from this family either use just AES cipher to encode the files, or they use this algorithm in combination with RSA encryption of the decryption key which it generates. This is done as a security measure. After encryption, the Veracrypt@india.com Ransomware may generate post infection traffic and send the AES decryption key that is RSA encrypted to the malicious servers of the cyber-criminals.

Not only this, but the Veracrypt@india.com virus may also contain a so-called CBC (Cipher Block Chaining) mode that is particularly dangerous and may break the files if the user tires to modify them in any way, like use other decryptors to decode them, so if you have encrypted files, we suggest making copies of them straight away.

Veracrypt@india.com Ransomware – Remove It and Try To Restore Your Files

For conclusion, there are multiple ransomware variants of this virus, and this is a strong indicator that it may be available somewhere in the deep web markets. Every variant of this virus may be different, but most of them have a lot in common as well, suggesting that the Veracrypt@india.com ransomware may be created with a toolkit that allows even users that are not tech savvy to configure it according to their standards.

If you want to erase Veracrypt@india.com crypto virus from your computer, you should act fast, because this virus may have set a deadline for paying the ransom and may start performing unpleasant activities on your files as soon as this deadline expires. This is why we have created a quick and easy step-by-step tutorial after this article which you should follow. For the fastest and best results, malware researchers also advise downloading an advanced anti-malware program which will not only fully delete this virus with all its support files but will also make sure you are protected in the future as well.

To restore files that have been encoded by the Veracrypt@india.com ransomware virus, we suggest the alternative methods in step “3.Restore files encrypted by Veracrypt@india.com Ransomware” below. If you are to try directly decrypting your files using any third-party decryptor, we advise you to create copies of the encrypted files and try decrypting them from a safe PC, because this virus may damage the files if you to tamper with them.

Manually delete Veracrypt@india.com from your computer

Note! Substantial notification about the Veracrypt@india.com threat: Manual removal of Veracrypt@india.com requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Veracrypt@india.com files and objects
2.Find malicious files created by Veracrypt@india.com on your PC
3.Fix registry entries created by Veracrypt@india.com on your PC

Automatically remove Veracrypt@india.com by downloading an advanced anti-malware program

1. Remove Veracrypt@india.com with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Veracrypt@india.com in the future
3. Restore files encrypted by Veracrypt@india.com
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.