Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


[email protected] Virus Remove and Restore .Xtbl Files

shutterstock_223094779A ransomware threat that is a part of the many .XTBL variants has appeared, and it has begun infecting users worldwide. It uses a strong encryption algorithm to encipher the files of its victims on system startup. The aim of this virus is to get users to contact the e-mail address [email protected] to negotiate the payoff sum to get back the files which are scrambled by this virus. In case you important documents are affected by this malware, researchers strongly advise against paying the ransom. Instead, it is recommended to read this article and learn more about how to remove [email protected] ransomware and alternative methods to restore files encrypted by it.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name[email protected]
TypeRansomware
Short DescriptionA variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
SymptomsAfter encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by [email protected]

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss [email protected] Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] Ransomware – Distribution Methods

The creators of [email protected] virus do not mess about when it comes to spreading this virus and infecting computers. They have realized that this is the most important part if they are going to make a profit out of your important data and have heavily concealed from antivirus programs the files dropped on your computer via malicious executables. Such executables may be used as e-mail attachments in so-called phishing e-mails that aim to resemble a legitimate company or a person with convincing statements in them that get users to open such attachments.

Not only this, but the malicious executable may be an Exploit Kit or a .js (JavaScript) file that pretends to be a legitimate Adobe .PDF document or a Microsoft Office document or any other file that may fool the inexperienced user into downloading and opening it.

[email protected] Ransomware – In-Depth View

When users open the exploit kit, it may immediately connect to a remote domain and download the payload of the [email protected] virus. Like other .XTBL ransomware viruses, it may create it’s malicious files in the following Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %Temp%

However, the [email protected] virus may also create copies of an .HTML and .hta files that contain it’s ransom note together with it’s malicious executable file that encrypts the files of the compromised computer. These files are reported by researchers to be dropped in the %Strartup% folders:

C:\Users\ {User’s profile}\ AppData\ Roaming\ Microsoft\Windows\ Start Menu\Programs\ Startup\ Decryption instructions.jpg
C:\Users\ {User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Startup\ Decryption instructions.txt
C:\Users\ {User’s profile}\ AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ {malicious payload file}.exe
C:\Windows\System32\ {malicious payload file}.exe

This is done to make these files run every time you turn on or restart your Windows computer.

Regarding file encryption, [email protected] ransomware virus may attack the shadow copies and other backups and delete them using the vssadmin command, called delete shadows and executing it in administrative “quiet” mode so that the victim doesn’t suspect it.

After having begun to encode the files of users, [email protected] ransomware is focused on scanning for and detecting to encrypt widely used types of files, for example:

→“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com

After files that have been encrypted by [email protected] ransomware have been scrambled, the virus appends a very specific file extension to them, which includes the e-mail address, a unique identification number, and the .xtbl file extension. Encrypted files by this malware look like the following:

makdonalds@india-com-encrypted-file-xtbl-sensorstechforum

[email protected] Ransomware – Conclusion, Removal, and Restoring .XTBL Files

For it to be fully erased from your computer, we advise using the instructions below, instead of bringing your computer to an expert who will overcharge you. They are methodologically arranged to assist with the proper deletion. However, in case you believe no all files associated with [email protected] ransomware have been removed from your computer, malware researchers recommend using an advanced anti-malware software that will surely and swiftly take care of this threat.

If you are looking forward to reverting your files back to normal, it is advisable to avoid using direct decryption, since this procedure may break your files, because [email protected] may have defensive mechanisms. This is why we suggest avoiding it and trying some other methods from step “3. Restore files encrypted by [email protected] Ransomware” to restore your data. The methods there may not be 100% effective, but if you are in luck, you may restore a portion of your missing data.

Manually delete [email protected] from your computer

Note! Substantial notification about the [email protected] threat: Manual removal of [email protected] requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove [email protected] files and objects
2.Find malicious files created by [email protected] on your PC
3.Fix registry entries created by [email protected] on your PC

Automatically remove [email protected] by downloading an advanced anti-malware program

1. Remove [email protected] with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by [email protected] in the future
3. Restore files encrypted by [email protected]
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.