Remove Crysis XTBL ransomware and restore .xtbl encrypted files - How-to, Technology and PC Security Forum

Remove Crysis XTBL Ransomware and Restore .xtbl Encrypted Files

The Crysis ransomware family is capable of encoding files on different drives as well as on external devices. The virus uses an extremely powerful combination of three mechanisms to encrypt data: AES, an RSA key to lock the AES decryption key, and something known as CBC mode, which is explained in detail below. The ransomware adds the e-mail address at which users can contact the cyber-criminals to arrange the payoff. This Crysis virus is known to have at least 4 variants, leading us to believe that it may be part of a RaaS (Ransomware-as-a-Service) scheme.

Threat Summary

Short Description: The ransomware encrypts files with the AES, RSA and CBC-mode mechanisms and demands the sum of around 400 to 900 euros from the user to grant access back to the files.
Symptoms: After encryption the ransomware steals login passwords and adds the .xtbl extension after every file.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks.
Detection Tool: See If Your System Has Been Affected by Crysis (Malware Removal Tool)
User Experience: Join our forum to discuss Guardware Ransomware.

How Is Crysis Distributed Over The Web

To spread successfully, Crysis ransomware variants use spam e-mail campaigns that directly contain malicious files with masked file extensions. The files may pretend to be Microsoft Office (Word, Excel, PowerPoint) documents, PDF files, setups of different programs or other legitimate records. In addition, they may be archived in a .RAR or .ZIP file to evade detection by the protection of the e-mail service providers. Examples of how malicious files dropped by Crysis may look are the following:

  • Confirmation Letter.docx.exe, a file with a Microsoft Word icon
  • Invoice.pdf.exe with an Adobe Reader icon on it.

Crysis XTBL Ransomware In Detail

This family of ransomware is reported to have several versions and variants. They can be identified by their file-renaming method, more specifically by the 5 different names used for the encoded XTBL files:

  • {cyber-criminal's email}.ext
  • {UNIQUE ID}.{cyber-criminal's email}.ext
  • {UNIQUE ID}.{cyber-criminal's email}.xtbl
  • {cyber-criminal's email}.xtbl
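The naming patterns above are enough to inventory an affected system during incident response. The following Python script is an added example, not code from the article or from any vendor: it parses file names of the four forms listed above into the original name, the unique ID, the attacker's contact address and the trailing marker, then groups the results by address so responders can see which variant they face and which originals need restoring from backup. It assumes, because the page does not say, that the unique ID is an `id-` prefixed alphanumeric token and that the local part of the e-mail address contains no dots; the directory listing it scans is constructed.

```python
import re
from collections import defaultdict

# Naming patterns from the article: the original file name is followed by
# [<unique id>.]<attacker e-mail>.<xtbl|ext>.  Assumption, not stated on the
# page: the unique ID is an "id-" prefixed alphanumeric token, and the local
# part of the e-mail contains no dots.  Sample names below are constructed.
_XTBL_RE = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.(?P<uid>id-[A-Za-z0-9]+))?"
    r"\.(?P<email>[^.\s@]+@[^\s@/\\]+)"
    r"\.(?P<marker>xtbl|ext)$",
    re.IGNORECASE,
)


def parse_xtbl_name(name: str):
    """Return the components of a Crysis-renamed file, or None if the name
    does not follow one of the four patterns."""
    m = _XTBL_RE.match(name)
    if not m:
        return None
    d = m.groupdict()
    d["marker"] = d["marker"].lower()
    return d


def triage(names):
    """Group affected files by attacker contact address so responders can
    see which variant they are dealing with and what the originals were.
    Returns (report, unaffected_names)."""
    report = defaultdict(lambda: {"count": 0, "ids": set(), "originals": []})
    unaffected = []
    for name in names:
        parsed = parse_xtbl_name(name)
        if parsed is None:
            unaffected.append(name)
            continue
        entry = report[parsed["email"].lower()]
        entry["count"] += 1
        if parsed["uid"]:
            entry["ids"].add(parsed["uid"])
        entry["originals"].append(parsed["original"])
    return dict(report), unaffected


SAMPLE_LISTING = [  # constructed directory listing, not real indicators
    "Q2-report.docx.id-A1B2C3D4.restore@example.invalid.xtbl",
    "photo.jpg.restore@example.invalid.xtbl",
    "notes.txt.id-A1B2C3D4.restore@example.invalid.ext",
    "budget.xlsx",
    "How to decrypt your files.txt",
]

if __name__ == "__main__":
    affected, clean = triage(SAMPLE_LISTING)
    for email, info in affected.items():
        print(email, info["count"], sorted(info["ids"]), info["originals"])
    print("unaffected:", clean)
```

The contact address recovered this way is the indicator to search for across the rest of the estate; the list of original names is what a restore from backup has to cover.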

After the malicious files of Crysis have been executed, the ransomware looks for around 190 file types on the compromised computer and encrypts them. The files most affected by the ransomware are believed by researchers to have the following extensions:


Not only that, but Crysis also looks for removable drives, such as USB sticks, memory cards, external HDDs, external SSDs and others.

To encrypt the files, Crysis uses three types of ciphers:

AES-256 (Advanced Encryption Standard)
This encryption algorithm is used to directly encrypt the files; it is classified as Suite B encryption and is used by the NSA to encrypt some secret files. Its direct decryption may take years even if attempted on a very powerful machine.

RSA
This encryption mechanism has roughly the same strength as AES, depending on how many bits the key has. It may be used to encrypt the private decryption key generated after all the files have been encrypted with AES.

CBC (Cipher Block Chaining) mode
This mode of encryption is particularly effective when used in combination with AES. It is the main reason why this ransomware is so dangerous for direct decryption. It uses an Initialization Vector (IV) and a chaining mechanism to additionally scramble the cipher text, splitting it into blocks that have a specific order. This mechanism is like a fail-safe for the cyber-criminals: when the user tries to decrypt the files directly and somehow rearranges these blocks, the files become corrupted and permanently non-decryptable.
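Why rearranging or damaging ciphertext blocks ruins the data follows directly from how CBC chains them: each plaintext block is recovered as D(C_i) XOR C_(i-1), so every block depends on the ciphertext block before it. The script below is an added example, not from the article. It replaces AES with a tiny constructed per-byte permutation so that it runs with the Python standard library alone, but the chaining is the real CBC construction, so the propagation pattern it shows (swapped blocks corrupt three of four blocks; a single flipped bit corrupts one block entirely and one byte of the next) is the same one a file encrypted with AES-CBC exhibits. The key, IV and plaintext are constructed demo values.

```python
"""Toy illustration of CBC chaining and why reordering or damaging
ciphertext blocks corrupts the decrypted data.

Added example, not code from the original article.  The block cipher is a
deliberately tiny, constructed stand-in (a keyed per-byte affine
permutation) so the script needs only the standard library; AES-CBC chains
blocks in exactly the same way, so the error propagation carries over.
"""

BLOCK = 8  # constructed toy block size in bytes (AES uses 16)

# Constructed demo key and IV; in real use both are secret/random.
KEY = bytes([1, 2, 3, 4, 5, 6, 7, 8])
IV = bytes([0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17])

INV5 = 205  # inverse of 5 modulo 256: 5 * 205 = 1025 = 4 * 256 + 1


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(block: bytes, key: bytes = KEY) -> bytes:
    """Nonlinear, invertible per-byte permutation standing in for AES."""
    return bytes((((x ^ k) * 5) + 1) & 0xFF for x, k in zip(block, key))


def toy_decrypt_block(block: bytes, key: bytes = KEY) -> bytes:
    """Exact inverse of toy_encrypt_block."""
    return bytes((((y - 1) * INV5) & 0xFF) ^ k for y, k in zip(block, key))


def cbc_encrypt(plaintext: bytes, iv: bytes = IV) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("demo expects whole blocks; real code pads")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = toy_encrypt_block(_xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c  # chaining: the next block is mixed with this ciphertext
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, iv: bytes = IV) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(c), prev))  # P_i = D(C_i) XOR C_(i-1)
        prev = c
    return b"".join(out)


def corrupted_blocks(expected: bytes, actual: bytes) -> list:
    """Indices of blocks whose decrypted bytes differ from the original."""
    n = len(expected) // BLOCK
    return [i for i in range(n)
            if expected[i * BLOCK:(i + 1) * BLOCK] != actual[i * BLOCK:(i + 1) * BLOCK]]


def demo() -> dict:
    plaintext = b"AAAAAAAA" + b"BBBBBBBB" + b"CCCCCCCC" + b"DDDDDDDD"
    ct = cbc_encrypt(plaintext)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]

    # Scenario 1: ciphertext blocks 1 and 2 swapped (a "rearranged" file).
    swapped = b"".join([blocks[0], blocks[2], blocks[1], blocks[3]])
    # Scenario 2: a single bit flipped in block 1 (a damaged file).
    flipped = bytearray(ct)
    flipped[BLOCK] ^= 0x01
    return {
        "roundtrip_ok": cbc_decrypt(ct) == plaintext,
        "swapped": corrupted_blocks(plaintext, cbc_decrypt(swapped)),
        "bitflip": corrupted_blocks(plaintext, cbc_decrypt(bytes(flipped))),
    }


if __name__ == "__main__":
    print(demo())  # {'roundtrip_ok': True, 'swapped': [1, 2, 3], 'bitflip': [1, 2]}
```

Run it directly to print the result dictionary. The lesson for anyone attempting recovery of .xtbl files is that a tool which moves or patches ciphertext bytes without the key can only make matters worse, which is why the article points to restoration alternatives rather than direct decryption.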

After encryption, the Crysis ransomware virus also deletes the shadow volume copies and other backups on the infected computer. This can be done by executing the following command in Windows:

→ vssadmin delete shadows /for={VOLUME OF THE PC} /all /quiet
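Because the shadow-copy wipe runs as an ordinary process, it is one of the earliest and most reliable signals a defender can alert on. The Python snippet below is an added example, not code from the article: it scans constructed process-creation log lines (a simplified key=value layout, not a real Sysmon or Event ID 4688 export) for the vssadmin delete shadows command line quoted above, tolerating differing case, extra spaces and invocation through cmd.exe, and as a secondary indicator also flags the ransom-note file name the article lists. Host names, users and timestamps in the sample are constructed.

```python
import re

# Constructed process-creation log lines in a simplified key=value layout;
# the first and third command lines are the shadow-copy wipe the article
# describes, the second is a harmless listing, the fourth opens the note.
SAMPLE_LOG = """\
2016-06-10 12:01:44 host=WS-042 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /for=C: /all /quiet"
2016-06-10 12:01:50 host=WS-042 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"
2016-06-10 12:02:03 host=WS-017 user=SYSTEM image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c VSSADMIN  Delete Shadows /All /Quiet"
2016-06-10 12:02:10 host=WS-017 user=bob image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe How to decrypt your files.txt"
"""

RULES = [
    # Case-insensitive and tolerant of extra whitespace or a full path,
    # since the command may be launched through cmd.exe rather than directly.
    ("shadow-copy-deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)),
    # File name of the ransom note listed in the article, as a weaker signal.
    ("ransom-note-artifact",
     re.compile(r"How to decrypt your files\.txt", re.IGNORECASE)),
]
_CMDLINE = re.compile(r'cmdline="([^"]*)"')
_FIELD = re.compile(r"(\w+)=(\S+)")


def scan_log(text: str):
    """Return (line_number, rule_name, host, command_line) for each hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = _CMDLINE.search(line)
        if not m:
            continue  # no command line on this record; nothing to match
        cmdline = m.group(1)
        host = dict(_FIELD.findall(line)).get("host", "?")
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((n, name, host, cmdline))
    return hits


if __name__ == "__main__":
    for line_no, rule, host, cmd in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule} on {host}: {cmd}")
```

In a real deployment the shadow-copy rule belongs on process-creation telemetry with the highest severity you have, because at the point it fires the encryption has already started and the only remaining question is how much of the backup set survives.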

After this has been done, the virus connects to the server of the cyber-criminals and sends the name of the infected computer as well as several infected files. On several Windows versions, it also attempts to start as an administrator and continues to increase its list of encrypted files.

In addition, Crysis comes with an info stealer, which collects sensitive information from the infected computer:

  • Messenger logs.
  • Passwords.
  • Information on different software that is installed and other program data.
  • Web camera logs and information.

All of the collected information is naturally sent to the address of the cyber-criminals, and after encryption is complete, the ransomware creates these two files on the already infected computer:

  • How to decrypt your files.txt
  • DECRYPT.jpg

Both files contain different ransom instructions. The wallpaper set by a few of the variants has been reported by researchers to be the following:

Regarding the decryption fee, Crysis variants want users to send around 400 to 900 euros. The cyber-criminals provide instructions on how to send the money by converting it to Bitcoins. The e-mail addresses associated with this ransomware were reported to be the following:

Some of the e-mails have also been seen with other ransomware variants, like the Redshitline and EcoVector ransomware variants.

Crysis XTBL Ransomware – Conclusion, Removal, and File Restoration Alternatives

In short, this ransomware is one of the most serious viruses we have seen so far, especially because of the Cipher Block Chaining mode being used, which makes decryption of the files very risky. The ransomware's spread is reported to be very high, which means that users should install an advanced anti-malware program that will protect them and their files against Crysis.

To remove Crysis effectively, we advise you to use an advanced anti-malware program. Of course, you may try manual removal, but the automatic solution is the best choice, since Crysis has many variants and they may create different files and registry keys on the infected computer.

Since direct decryption is impossible at this point, users may try other methods to restore the files, which safely enough go around direct decryption. Such methods may be found in step “3. Restore Files Encrypted by Crysis” below. Be advised that if you are willing to invest the time and money in these alternative methods, you do not get a 100% guarantee that they will work. But they are the best alternative solution there is so far.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user towards online safety.
