Cyber_Baba Virus Remove and Restore .XTBL Files - How to, Technology and PC Security Forum

Cyber_Baba Virus Remove and Restore .XTBL Files


A crypto-virus, known by its contact e-mail address and also listed as a CPYPAURA variant in TrendMicro’s threat encyclopedia, has been reported to have a high level of infections. The virus encrypts the files of the users it infects, so that they can no longer be opened. After the encryption process has completed, Cyber_Baba also performs several other activities on the compromised machine. One of them is to drop a ransom note that notifies the user that the computer has been infected and demands a ransom payment to decrypt the files.

Threat Summary

Short Description: The malware encrypts the user’s files using a strong encryption algorithm, so that direct decryption is possible only with a unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and “instructions” as a wallpaper, a text file and a sound message, all linking to a web page and a decryptor. File names are changed and the file extension typical of most .XTBL variants is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript, or a drive-by download of the (obfuscated) malware itself.

Cyber_Baba Virus – Distribution

Malware researchers report that the virus is dropped as a result of an infection by other malware, such as a Trojan.Downloader. In addition, the Cyber_Baba virus may also be hosted on suspicious URLs that cause an infection via a drive-by download without the user noticing.

Cyber_Baba Ransomware In Detail

As soon as it has infected a machine, the Cyber_Baba virus’s payload may be dropped as an .exe file in the following location:

%System%\{cyber_baba’s malicious payload}.exe

%System% is the default Windows system folder, located under C:\Windows\. This folder is essential to Windows, and the ransomware places its primary file there as a concealment measure.

Then the virus also drops its ransom note files in the following locations:

C:\Users\{User’s Profile}\My Documents\wp.jpg
C:\Users\{User’s Profile}\Desktop\How to decrypt your files.txt

The Cyber_Baba virus also modifies the Run registry key so that its malicious executable starts on system boot. That is not all: the virus also changes the wallpaper by modifying the Desktop Wallpaper key. These are the registry modifications performed by Cyber_Baba ransomware:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {Cyber_Baba’s Payload file} = “%System%\{Cyber_Baba’s Payload file}.exe”
HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper
(Default) = “%My Documents%\wp.jpg”

After this has been done, the wallpaper is replaced with an image carrying the following message:


In addition, the Cyber_Baba ransomware connects remotely to .cc domains with random names and sends out information such as the security software installed, the system name, the user name, the OS version and other details.

When it begins encrypting, the Cyber_Baba virus looks for a very wide variety of file extensions to encrypt:

File Extensions Encrypted by Cyber_Baba

The Cyber_Baba ransomware may use the strong AES encryption algorithm to encrypt the files of affected users. Files encrypted by this ransomware are also reported to receive the file extension usual for most .XTBL ransomware variants:


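Before any recovery attempt it helps to measure how far the encryption went. The following script is an added example, not code from the article or from SensorsTechForum: it walks a directory tree and inventories files carrying the .xtbl extension (grouped by the original extension that survives in the file name, e.g. report.docx.xtbl) together with the two ransom-note artefacts the article names (wp.jpg and "How to decrypt your files.txt"). The sample tree it builds in a temporary folder, and every file name in it, is constructed for the demo.

```python
"""Added example (not the article's own code): inventory a directory tree
for the artefacts the article describes (.xtbl-renamed files and the
ransom notes) so the scope of an infection can be measured before any
recovery attempt. The sample tree and its file names are constructed."""
import os
import tempfile
from collections import Counter
from typing import Dict, List

ENCRYPTED_SUFFIX = ".xtbl"
# Ransom-note names the article lists (wp.jpg doubles as the wallpaper image).
RANSOM_NOTE_NAMES = {"how to decrypt your files.txt", "wp.jpg"}


def original_extension(name: str) -> str:
    """For 'report.docx.xtbl' return '.docx'; '' if no inner extension survives."""
    stem = name[: -len(ENCRYPTED_SUFFIX)]
    return os.path.splitext(stem)[1].lower()


def inventory(root: str) -> Dict[str, object]:
    """Walk root and summarise encrypted files, touched folders and notes."""
    encrypted: List[str] = []
    notes: List[str] = []
    by_ext: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            low = name.lower()
            if low.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(full)
                by_ext[original_extension(low) or "(none)"] += 1
            elif low in RANSOM_NOTE_NAMES:
                notes.append(full)
    folders = sorted({os.path.dirname(p) for p in encrypted})
    return {
        "encrypted_count": len(encrypted),
        "by_original_extension": dict(by_ext),
        "affected_folders": folders,
        "ransom_notes": sorted(notes),
    }


def build_sample_tree(root: str) -> None:
    """Create a constructed victim-like tree: some files encrypted, some untouched."""
    layout = {
        "Documents": ["report.docx.xtbl", "budget.xlsx.xtbl", "readme.txt", "wp.jpg"],
        "Desktop": ["How to decrypt your files.txt", "photo.jpg.xtbl"],
        "Downloads": ["installer.exe"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content\n")


def demo() -> Dict[str, object]:
    """Build the sample tree in a temporary directory and return its inventory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = inventory(root)
    return result


if __name__ == "__main__":
    summary = demo()
    print(f"encrypted files: {summary['encrypted_count']}")
    print("by original extension:", summary["by_original_extension"])
    print("affected folders:", len(summary["affected_folders"]))
    print("ransom notes:", summary["ransom_notes"])
```

Run it against a real profile by calling inventory() on the user's home folder instead of the temporary tree; the per-extension breakdown tells you which document types a file-carving or backup-based recovery should prioritise, and the folder list shows which shares or sync folders the infection reached.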
In addition, the virus also deletes the Volume Shadow Copies of the affected computer, using a command that requires administrative privileges in the Windows Command Prompt:

→ vssadmin delete shadows /all /quiet
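The behaviours listed in the last few sections (the Run key pointing at an executable in the Windows folder, the wallpaper switched to wp.jpg, the dropped note files and the vssadmin shadow-copy deletion) are exactly the kind of host telemetry a detection rule can key on. The script below is an added example and not code from the article or from SensorsTechForum. It assumes a simplified, Sysmon-like event layout (plain dictionaries with a "type" of process, registry or file) that was constructed for the demo, and the sample events, including the payload name "payload.exe", are made up; real EDR records carry more fields but the matching logic carries over.

```python
"""Added example (not SensorsTechForum's code): flag the host-level
behaviour the article attributes to Cyber_Baba in constructed telemetry.

The event layout is a simplified, Sysmon-like dictionary format assumed
for this demo; real EDR/Sysmon records carry more fields."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample events (not real telemetry). Benign entries are mixed
# in so the detector has something to ignore. "payload.exe" is a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                       # benign
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "payload", "data": r"C:\Windows\payload.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop",
     "value": "Wallpaper", "data": r"C:\Users\alice\Documents\wp.jpg"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\How to decrypt your files.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx.xtbl"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx"},
]

# vssadmin invoked to delete shadow copies (the command the article quotes).
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
# A bare .exe sitting directly in the Windows folder or System32, as the
# article describes for %System%\{payload}.exe. Arguments after it are allowed.
WINDOWS_DIR_EXE = re.compile(r'^"?[A-Z]:\\Windows(\\System32)?\\[^\\]+\.exe"?', re.I)
# The two ransom-note artefacts the article lists.
RANSOM_NOTE = re.compile(r"(how to decrypt your files\.txt|\\wp\.jpg)$", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the finding labels that apply to a single event."""
    findings: List[str] = []
    kind = event["type"]
    if kind == "process" and SHADOW_DELETE.search(event["cmdline"]):
        findings.append("shadow_copy_deletion")
    elif kind == "registry":
        key = event["key"].lower()
        if key.endswith(r"\currentversion\run") and WINDOWS_DIR_EXE.match(event["data"]):
            findings.append("run_key_persistence_in_windows_dir")
        # The wallpaper setting lives in HKCU\Control Panel\Desktop, value "Wallpaper".
        if (key.endswith(r"\control panel\desktop")
                and event["value"].lower() == "wallpaper"
                and event["data"].lower().endswith("wp.jpg")):
            findings.append("wallpaper_set_to_wp_jpg")
    elif kind == "file":
        path = event["path"]
        if RANSOM_NOTE.search(path):
            findings.append("ransom_note_dropped")
        if path.lower().endswith(".xtbl"):
            findings.append("xtbl_encrypted_file")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count every finding label across a batch of events."""
    counts: Counter = Counter()
    for event in events:
        counts.update(classify(event))
    return dict(counts)


def verdict(counts: Dict[str, int]) -> str:
    """Shadow-copy deletion alone is worth an alert; two or more distinct
    behaviours together are treated as a probable .XTBL-style infection."""
    if len(counts) >= 2:
        return "probable_xtbl_ransomware"
    if "shadow_copy_deletion" in counts:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for label, n in sorted(found.items()):
        print(f"{label}: {n}")
    print("verdict:", verdict(found))
```

The shadow-copy rule is the one worth deploying on its own: "vssadmin delete shadows" is rarely run interactively by users, so a process-creation alert on it (Sysmon event 1 or Windows 4688 with command-line logging) catches this family and many others before the ransom note appears. The Run-key rule is a heuristic and should be tuned against the executables legitimately registered on your estate.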

Cyber_Baba Virus – Conclusion, Remove it and Restore the XTBL Files

This virus is believed to be one of the many .XTBL ransomware variants. Researchers believe that this is a large network of virus variants, most likely used in a big RaaS (Ransomware as a Service) scheme that allows each operator to create their own version of the ransomware. Other viruses from the Cyber_Baba family are the following:

Radxlove7 Ransomware.
SystemDown Ransomware.
Makdonalds Ransomware.
Meldonii Ransomware.
Grand_car Ransomware.
DrugVokrug727 Ransomware.
Veracrypt Ransomware.
Da_Vinci_Code Ransomware.
Better_Call_Saul Ransomware.

To remove this virus from your computer, we strongly advise you to follow the removal instructions created for the deletion of Cyber_Baba ransomware below. The best method to get rid of Cyber_Baba, however, is to use advanced anti-malware software, because such software can discover any other files related to this malware and delete them, while also providing protection against other malware.

If you are looking for ways to restore your encrypted files, unfortunately there is no direct decryption unless you pay the ransom. However, researchers advise against paying, because a decryptor may be released for this virus in the future and paying is no guarantee that you will get your files back. In the meantime, we have provided several alternative solutions that may help you recover the files. These methods are illustrated in step “3. Restore files encrypted by Cyber_Baba” below. They may not be 100% effective, but they may work in some particular situations.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
