SensorsTechForum - How to Technology and PC Security Forum

PC Security and Protection => Malware Removal Questions and Guides => Topic started by: never on August 24, 2016, 10:27:34 am

Title: Ransomware - Assistance Topic
Post by: never on August 24, 2016, 10:27:34 am is the e-mail address associated with a newly discovered crypto-infection variant. So far, malware researchers believe that this virus is a part of the .XTBL ransomware variants containing the e-mail addresses as extensions.  Malekal forum researchers have also discovered the following files to be associated with this virus:

C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.txt
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{malicious payload file}.exe
C:\Windows\System32\{malicious payload file}.exe

The copies of the files in the %Startup% directory clearly indicate that ransomware runs on startup. After encrypting the files, this virus may leave them unopenable by any program with the following file extension:{unique id}

In case you have encountered file encrypted by this virus on a PC and the ransom notes opening on startup, you should immediately try to intercept any traffic that is outgoing on startup and hopefully recover the decryption key. Here are instructions on how to perform this:

Find Decryption Key of Files Encrypted by Ransomware (

In case you manage to discover the key, send it to us and we will research methods to decrypt the files and hopefully decode them.

This is an open forum topic and I urge anyone who will be pariticipating to input ideas, ask questions and share experience and technical details about ransomware. We will try to respond as soon as we see your reply.