You are welcome to discuss various security topics with our professional team and other users like you!
Read our Registration Agreement and create your FREE account here!



  • *****
  • 122
  • +26/-0
  • Network Administrator and Malware Researcher
      • View Profile Ransomware - Assistance Topic
« on: August 24, 2016, 10:27:34 am » is the e-mail address associated with a newly discovered crypto-infection variant. So far, malware researchers believe that this virus is a part of the .XTBL ransomware variants containing the e-mail addresses as extensions.  Malekal forum researchers have also discovered the following files to be associated with this virus:

C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.txt
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{malicious payload file}.exe
C:\Windows\System32\{malicious payload file}.exe

The copies of the files in the %Startup% directory clearly indicate that ransomware runs on startup. After encrypting the files, this virus may leave them unopenable by any program with the following file extension:{unique id}

In case you have encountered file encrypted by this virus on a PC and the ransom notes opening on startup, you should immediately try to intercept any traffic that is outgoing on startup and hopefully recover the decryption key. Here are instructions on how to perform this:

Find Decryption Key of Files Encrypted by Ransomware

In case you manage to discover the key, send it to us and we will research methods to decrypt the files and hopefully decode them.

This is an open forum topic and I urge anyone who will be pariticipating to input ideas, ask questions and share experience and technical details about ransomware. We will try to respond as soon as we see your reply.