Malevich Virus Remove and Restore .XTBL Files - How to, Technology and PC Security Forum


A ransomware virus that is part of the XTBL/CrySiS malware group has been reported to infect users. Dubbed Malevich, the virus may use the AES-128 encryption algorithm to encode the files on infected computers, asking the users of those computers to pay a hefty fee to regain access to their files. Everyone who has become a victim of the Malevich ransomware should read this article to get familiar with methods of removing it from infected computers and alternative ways to restore the encrypted files.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found at the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary

Short Description: The ransomware encrypts files with the AES-128 cipher and asks a ransom for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution Method: Spam emails, email attachments, file sharing networks.
Detection Tool: See If Your System Has Been Affected by Malevich (Malware Removal Tool).
User Experience: Join our forum to discuss Malevich Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Malevich Ransomware – Distribution

To spread it widely, the creators of Malevich ransomware may use a variety of tools and strategies to achieve a successful infection:

  • Malware obfuscation software to hide the malicious files of Malevich ransomware from any protection and real-time shields.
  • File joiners to embed the virus in Microsoft Office documents’ macros or other types of files.
  • Spam bots or other spamming services to spread the virus via malicious e-mails and malicious URLs all over the web.
  • Online domains and hosting services by third-parties for the C&C servers of the virus.

These tools may be used in combination with the malicious executable of Malevich ransomware to spread it on social media, in chat services, as comments or replies on websites and in other places as well. It may also be delivered as a file attachment in spam e-mail messages that make it appear to be a legitimate document.

Malevich Ransomware – What Does It Do?

One particular activity of this virus is that it may connect to the command and control servers of the cyber-criminals and send information about:

  • The version of the operating system of the victim’s computer.
  • The security software installed.
  • State of the network connection and settings.
  • The IP addressing and regions of the affected computer.

This information may be used by the cyber-criminals to drop the malicious files belonging to Malevich ransomware on the compromised computer. The dropped files may be located in several different locations.

The Malevich virus may also drop files in the startup folder of Windows which is:

→ C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – for the current user
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup – for all users

The dropped files may be the ransom note files, which could be of the following types:

→ .hta, .html, .txt, .bmp, .jpg

In addition to them, a malicious .exe file may also be dropped in the %Startup% directory to run on Windows boot. This is typical for most Troldesh/Shade variants, and this executable is usually the one pre-programmed to encrypt files with the following file extensions:

→ .odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

After the files have been encrypted, the Malevich ransomware appends its own distinctive file extension, which includes:

  • A unique 7-digit identification number.
  • The e-mail address for contacting the cyber-criminals.
  • The .xtbl or .CrySiS file extension.

After encryption, the Malevich ransomware may display its ransom note every time Windows boots up and encrypt files that are newly added.

Malevich Ransomware – Remove It and Restore Your Files

To remove the Malevich virus completely from your computer, it is advisable to follow the instructions illustrated below. They are created so you won't have to take your computer to a professional expert and pay for the removal of the Malevich virus. In case you have trouble removing this virus manually, experts strongly recommend using an advanced anti-malware program that will automatically remove this ransomware from your computer.

In addition to this, in case you are looking for a method to restore your files, we urge you to be patient since malware researchers are currently working on a decrypter. In the meantime, you may want to try the alternative file restoration methods from the steps below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
