Malevich Virus Remove and Restore .XTBL Files - How to, Technology and PC Security Forum


A ransomware virus belonging to the XTBL/CrySiS malware group has been reported to be infecting users. Dubbed Malevich, the virus may use the AES-128 encryption algorithm to encode the files on infected computers and then demand a hefty fee from their users to regain access to those files. Everyone who has become a victim of the Malevich ransomware should read this article to learn how to remove it from an infected computer and which alternative methods may restore the encrypted files.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found at the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary

Short Description: The ransomware encrypts files with the AES-128 cipher and asks a ransom for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom is shown as a .txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool: See If Your System Has Been Affected by Malevich (Malware Removal Tool).
User Experience: Join our forum to Discuss Malevich Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Malevich Ransomware – Distribution

For it to be widespread, the creators of Malevich ransomware may use a variety of tools and strategies to make a successful infection:

  • Malware obfuscation software to hide the malicious files of Malevich ransomware from any protection and real-time shields.
  • File joiners to embed the virus in Microsoft Office documents’ macros or other types of files.
  • Spam bots or other spamming services to spread the virus via malicious e-mails and malicious URLs all over the web.
  • Online domains and hosting services by third-parties for the C&C servers of the virus.

These tools may be used in combination with the malicious executable of Malevich ransomware to spread it on social media, in chat services, as comments or replies on websites and in other places as well. It may also be delivered as a file attachment in spam e-mail messages that make it appear to be a legitimate document.

Malevich Ransomware – What Does It Do?

One particular activity of this virus is that it may connect to the command and control servers of the cyber-criminals and send information about:

  • The version of the operating system of the victim’s computer.
  • The security software installed.
  • State of the network connection and settings.
  • The IP addressing and regions of the affected computer.

This information may be used by the cyber-criminals to drop the malicious files belonging to Malevich ransomware on the compromised computer. The malicious files that have been dropped may be located in several different locations, for instance:


The Malevich virus may also drop files in the startup folder of Windows which is:

→ C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – for the current user
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup – for all users

The files that are dropped may be the ransom note files, which could be of the following types:

→ .hta, .html, .txt, .bmp, .jpg

In addition to them, a malicious .exe file may also be dropped in the %Startup% directory so that it runs on every Windows boot. This is typical for most Troldesh/Shade variants, and this executable is usually the one pre-programmed to encrypt files with the following file extensions:

→ .odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, .sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

After the files have been encrypted, the Malevich ransomware appends its own distinctive file extension, which includes:

  • A unique 7-digit identifier.
  • The e-mail address for contacting the cyber-criminals.
  • The .xtbl or .CrySiS file extension.

After encryption, the Malevich Ransomware may display its ransom note every time Windows boots up and encrypt any newly added files.
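The points above (an id plus contact e-mail appended to every encrypted file, and note files and an executable dropped in the Startup folder) are what a responder wants to inventory first. The following is an added triage example, not code from the article or from any vendor tool; it assumes the marker layout `<original>.id-<7 chars>.[<e-mail>].<xtbl|CrySiS>`, which the article does not spell out, and it builds a constructed sample tree with placeholder bytes so it runs offline.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed marker layout (an assumption, not quoted by the article):
#   <original name>.id-<7-char id>.[<attacker e-mail>].<xtbl | CrySiS>
MARK_RE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<id>[0-9A-Za-z]{7})\.\[(?P<email>[^\]]+)\]\.(?P<ext>xtbl|CrySiS)$")
DROP_EXTS = {".hta", ".html", ".txt", ".bmp", ".jpg", ".exe"}  # note types + dropper exe named on the page

def parse_marked_name(name):
    """Split an encrypted file name into original name, victim id, contact e-mail and marker."""
    m = MARK_RE.match(name)
    return None if not m else {k: m[k] for k in ("orig", "id", "email", "ext")}

def triage(root):
    """Walk a tree; return the encrypted files, the ids/e-mails seen, and note/exe files
    sitting in any folder named Startup (the persistence location the article describes)."""
    hits, ids, emails, startup_drops = [], Counter(), Counter(), []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        info = parse_marked_name(p.name)
        if info:
            hits.append(str(p.relative_to(root)))
            ids[info["id"]] += 1
            emails[info["email"]] += 1
        elif p.suffix.lower() in DROP_EXTS and p.parent.name.lower() == "startup":
            startup_drops.append(p.name)
    return {"encrypted": sorted(hits), "ids": dict(ids), "emails": dict(emails),
            "startup_drops": sorted(startup_drops)}

def demo():
    """Build a constructed sample tree (placeholder bytes, not real malware) and triage it."""
    root = Path(tempfile.mkdtemp())
    docs = root / "Documents"
    startup = root / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    docs.mkdir(parents=True)
    startup.mkdir(parents=True)
    for name in ("report.docx.id-A1B2C3D.[pay@example.invalid].xtbl",
                 "photo.jpg.id-A1B2C3D.[pay@example.invalid].CrySiS", "untouched.pdf"):
        (docs / name).write_bytes(b"constructed sample")
    (startup / "README.txt").write_text("constructed ransom note placeholder")
    (startup / "dropper.exe").write_bytes(b"constructed placeholder, not executable")
    return triage(root)
```

Pointing `triage` at a real user profile gives the id and e-mail to match against vendor decryptor coverage and the Startup drops to remove before rebooting.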

Malevich Ransomware – Remove It and Restore Your Files

To remove the Malevich virus completely from your computer, it is advisable to follow the instructions below. They are written so that you do not have to take your computer to a professional and pay for the removal of the Malevich virus. If you have trouble removing this virus manually, experts strongly recommend using an advanced anti-malware program that will automatically remove this ransomware from your computer.

In addition, if you are looking for a method to restore your files, we urge you to be patient, since malware researchers are currently working on a decrypter. In the meantime, you may want to try the alternative file restoration methods in the steps below.

Manually delete Malevich from your computer

Note! Important notice about the Malevich threat: manual removal of Malevich requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Malevich files and objects
2. Find malicious files created by Malevich on your PC
3. Fix registry entries created by Malevich on your PC

Automatically remove Malevich by downloading an advanced anti-malware program

1. Remove Malevich with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Malevich in the future
3. Restore files encrypted by Malevich
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

