A crypto-virus, identified by the e-mail address [email protected] and listed as a CPYPAURA variant in Trend Micro’s threat encyclopedia, has been reported to have a high infection rate. The virus encrypts the files of infected users so that they can no longer be opened. After the encryption process has completed, Cyber_Baba also performs several other activities on the compromised machine. One of them is to drop a ransom note notifying users that their computer has been infected and demanding a ransom payment to decrypt the files.
| Item | Description |
|---|---|
| Short Description | The malware encrypts users’ files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals. |
| Symptoms | The user may see ransom notes and “instructions” as a wallpaper, a text file and a sound message, all linking to a web page and a decryptor. File names are changed and the file extension typical of most .XTBL variants is used. |
| Detection Tool | See If Your System Has Been Affected by Cyber_Baba: Malware Removal Tool |
| User Experience | Join our forum to Discuss Cyber_Baba Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Cyber_Baba Virus – Distribution
Malware researchers report that the virus is dropped as a result of an infection by other malware, such as a Trojan.Downloader. In addition, the Cyber_Baba virus may also be hosted on suspicious URLs that cause an infection via a drive-by download without the user noticing it.
Cyber_Baba Ransomware In Detail
As soon as it has infected a user, the Cyber_Baba virus’s payload may be dropped as a .exe file in the following location:
This is the default Windows folder, located at C:\Windows\. It is an essential folder for Windows, and the ransomware places its primary file there as a concealment measure.
Then, the virus also drops ransom note files in the following locations:
The Cyber_Baba virus also modifies the Run registry key so that its malicious executable runs on system startup. But this is not all: the virus also changes the wallpaper by modifying the Desktop Wallpaper key. Here are the modifications performed by Cyber_Baba ransomware:
After this has been done, the wallpaper is changed to the following message:
In addition, the Cyber_Baba ransomware also connects remotely to .cc domains with random names to send various information, such as the installed security software, system name, user name, OS version and more.
When it begins to encrypt files, the Cyber_Baba virus looks for a very wide variety of file extensions to encrypt:
The Cyber_Baba ransomware may use the strong AES encryption algorithm to encrypt the files of affected users. Files encrypted by this ransomware are also reported to carry the file extension usual for most .XTBL ransomware variants:
In addition, the virus also deletes the volume shadow copies of the affected computer, using a privileged administrative command in the Windows Command Prompt:
→ vssadmin delete shadows /all /quiet
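The three host-level behaviours described above (the Run-key entry pointing at an executable in C:\Windows\, the Desktop Wallpaper change, the beaconing to random-looking .cc domains, and the vssadmin shadow-copy deletion) are all visible in ordinary endpoint telemetry. The following script is an added example, not code from the original article or from any named security product: it parses constructed Sysmon-style key=value event lines (the line format, the sample events, the hostnames and the entropy/length thresholds are all assumptions made for the example) and reports which indicators each host triggered. The registry path HKCU\Control Panel\Desktop with the value name Wallpaper is the standard Windows location for the wallpaper setting.

```python
"""Flag Cyber_Baba / .XTBL-style indicators in constructed endpoint event lines.

Indicators checked (all drawn from the article's description):
  1. a Run-key value whose data is an .exe directly under C:\\Windows\\
  2. a write to HKCU\\Control Panel\\Desktop -> Wallpaper
  3. a process launch of "vssadmin delete shadows"
  4. DNS queries for high-entropy (random-looking) names under .cc
"""
import math
import re
from collections import Counter

# Constructed sample telemetry (assumed key=value format); not real infection logs.
SAMPLE_EVENTS = [
    'ts=2016-08-01T10:00:01 event=process host=PC1 image=C:\\Windows\\payload.exe cmd="C:\\Windows\\payload.exe"',
    'ts=2016-08-01T10:00:02 event=registry host=PC1 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=Updater data=C:\\Windows\\payload.exe',
    'ts=2016-08-01T10:00:03 event=registry host=PC1 key="HKCU\\Control Panel\\Desktop" value=Wallpaper data=C:\\Users\\u\\how_to_decrypt.jpg',
    'ts=2016-08-01T10:00:04 event=dns host=PC1 query=x7qk3pz9vb.cc',
    'ts=2016-08-01T10:00:05 event=process host=PC1 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    'ts=2016-08-01T10:05:00 event=dns host=PC2 query=www.example.com',
    'ts=2016-08-01T10:05:01 event=registry host=PC2 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=OneDrive data=C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
    'ts=2016-08-01T10:05:02 event=process host=PC2 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"',
]

# key=value pairs; a value may be double-quoted when it contains spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Run / RunOnce keys under CurrentVersion (HKCU or HKLM).
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
# An .exe placed directly in the Windows folder (not in a subfolder such as System32).
WINDOWS_DIR_EXE_RE = re.compile(r'^[A-Z]:\\Windows\\[^\\]+\.exe$', re.IGNORECASE)
# "vssadmin ... delete ... shadows" in any argument order the tool accepts.
SHADOW_DELETE_RE = re.compile(r'\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b', re.IGNORECASE)


def parse_event(line):
    """Turn one key=value line into a dict (quoted or unquoted values)."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def shannon_entropy(s):
    """Bits of entropy per character; a 10-character all-distinct label scores log2(10) ~ 3.32."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random_cc(fqdn, min_len=8, min_entropy=3.0):
    """True for .cc names whose second-level label is long and high-entropy (thresholds assumed)."""
    labels = fqdn.lower().rstrip('.').split('.')
    if len(labels) < 2 or labels[-1] != 'cc':
        return False
    label = labels[-2]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def check_event(ev):
    """Return the indicator names this single event triggers (empty list if benign)."""
    hits = []
    kind = ev.get('event')
    if kind == 'registry':
        key, value, data = ev.get('key', ''), ev.get('value', ''), ev.get('data', '')
        if RUN_KEY_RE.search(key) and WINDOWS_DIR_EXE_RE.match(data):
            hits.append('run_key_points_into_windows_dir')
        if key.lower().endswith('control panel\\desktop') and value.lower() == 'wallpaper':
            hits.append('wallpaper_changed')
    elif kind == 'process':
        if SHADOW_DELETE_RE.search(ev.get('cmd', '')):
            hits.append('shadow_copy_deletion')
    elif kind == 'dns':
        if looks_random_cc(ev.get('query', '')):
            hits.append('random_cc_domain')
    return hits


def scan(lines):
    """Group indicator hits per host; several distinct hits on one host is the strong signal."""
    per_host = {}
    for line in lines:
        ev = parse_event(line)
        for hit in check_event(ev):
            per_host.setdefault(ev.get('host', '?'), set()).add(hit)
    return per_host


if __name__ == '__main__':
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(f'{host}: {sorted(hits)}')
```

On the constructed sample, PC1 triggers all four indicators while PC2 (a legitimate OneDrive Run entry, a normal DNS lookup and a harmless `vssadmin list shadows`) triggers none. Any one indicator on its own produces false positives (users do change wallpapers and administrators do delete shadow copies), so the per-host grouping in `scan` is what turns these into a useful alert: the combination of a Run-key entry in C:\Windows\, a wallpaper change and shadow-copy deletion within a short window is the pattern the article describes.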
Cyber_Baba Virus – Conclusion, Remove it and Restore the XTBL Files
This virus is believed to be one of the many .XTBL ransomware variants. Researchers believe that this is a huge network of virus variants, most likely used in a big RaaS (Ransomware as a Service) scheme that allows an operator to create his own version of the ransomware. Other viruses from the Cyber_Baba family are the following:
To remove this virus from your computer, we strongly advise you to follow the removal instructions created for the deletion of Cyber_Baba ransomware below. Beyond this, the best method to get rid of Cyber_Baba is to use advanced anti-malware software, because such software can discover any other files related to this malware and delete them, while also providing protection against other malware.
In case you are looking for methods to restore your encrypted files, unfortunately there is no direct decryption unless you pay the ransom. However, researchers advise against paying: a decryptor may be released for this virus in the future, and paying is no guarantee that you will get your files back. In the meantime, while you wait for such a decryptor, we have provided several alternative solutions that will assist you in trying to recover the files. These methods are illustrated in step “3. Restore files encrypted by Cyber_Baba” below. They may not be 100% effective, but they may work in some particular situations.