A ransomware virus reported to belong to the CrySiS and .xtbl ransomware variants has been reported to encrypt user files on Windows computers with strong military-grade ciphers. The XTBL variants are usually reported to use AES, RSA, and CBC mode to encrypt user files. This is terrible news, because direct tampering with the files may lead to their permanent scrambling, which makes recovery impossible. All users infected by the [email protected] ransomware are advised to follow the step-by-step instructions in this article to remove this virus and attempt alternative methods to restore the files. We will post an update with decryption if it becomes publicly available for free.
|Name||[email protected] Ransomware|
|Short Description||A variant of the .XTBL ransomware viruses. Encrypts files with strong encryption and drops a ransom note with instructions for paying for decryption.|
|Symptoms||After encryption, the ransomware may steal information and appends the .xtbl extension to every file.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.|
[email protected] Ransomware – Distribution
To spread, [email protected] crypto-virus may undertake a massive spam campaign with e-mails that may resemble legitimate messages and services, like PayPal, your bank, and others. The e-mails may contain convincing topics, like claiming your account has been suspended, etc.
Another way of distributing the payload of [email protected] ransomware is to upload an exploit kit file directly as an e-mail attachment. The file may pretend to be a Microsoft Office (Word, Excel) document or a .pdf file that has important information in it, driving users to download it. From there, the infection may begin, and the exploit kit may connect to the servers of the cyber-crooks and download the obfuscated payload.
[email protected] Ransomware – More Information About It
Upon infection, the payload of [email protected] has been reported to consist of a malicious executable file and two ransom note files. Instead of modifying registry entries to run the executables on startup, the malware drops them directly into the %Startup% folder of Windows, so that they run when you boot your PC.
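One way to check the persistence location described above, as an added example that is not part of the original article: this read-only PowerShell function lists everything in the per-user and all-users Startup folders with creation time, SHA-256 and signature status. The function name and the `Review` heuristic (any file that is not a shortcut, or a shortcut whose target is not validly signed) are assumptions made for illustration.

```powershell
# Added example: audit both Windows Startup folders for directly dropped files.
# Read-only: nothing is deleted or modified.
function Get-StartupFolderAudit {
    [CmdletBinding()]
    param(
        # Defaults: the current user's and the all-users Startup folders.
        [string[]]$Path = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup')
        )
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Path) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden files; desktop.ini is the folder's own metadata.
        Get-ChildItem -LiteralPath $dir -File -Force |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $isShortcut = $_.Extension -eq '.lnk'
                # For a shortcut, the target is what actually runs at logon.
                $target = if ($isShortcut) {
                    $shell.CreateShortcut($_.FullName).TargetPath
                } else { $_.FullName }
                $sig = if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
                    (Get-AuthenticodeSignature -LiteralPath $target).Status
                } else { 'TargetMissing' }
                [pscustomobject]@{
                    Folder    = $dir
                    Name      = $_.Name
                    Created   = $_.CreationTime
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Target    = $target
                    Signature = $sig
                    # Assumed heuristic: Startup folders normally hold shortcuts,
                    # so a raw file or an unsigned target deserves a closer look.
                    Review    = (-not $isShortcut) -or ("$sig" -ne 'Valid')
                }
            }
    }
}

# Newest entries first: files dropped at infection time sort to the top.
Get-StartupFolderAudit | Sort-Object Created -Descending | Format-List
```

Entries flagged `Review` are candidates for inspection, not confirmed malware; compare the creation time against when the encrypted files first appeared.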
These are the payload files that may be associated with the [email protected] variant:
When [email protected] ransomware has run, the virus begins to encrypt the files of the compromised computer. It may look for several different types of widely used files, like videos, photos, documents, etc. The file extensions it may scan for to encrypt may vary, but are most often widely used ones, for example:
After encryption, the [email protected] Ransomware may add a file extension to the encrypted files. An encrypted file by this virus may look like the following:
After file encryption, the [email protected] ransomware starts displaying its ransom notes, asking users to contact the e-mail address in question. Malware researchers strongly advise against paying any ransom money and, if you do contact the attackers, advise asking them to decrypt one file as a guarantee. That file may later be used for file decryption in combination with the encrypted file if a decryptor is released to the public. In the meantime, we advise removing [email protected] and trying other methods to get your files back.
Remove [email protected] Ransomware and Restore .xtbl Encrypted Files
Before attempting file decryption, we strongly urge you to remove this threat using the removal instructions posted underneath. They are focused on helping you perform the removal effectively. Furthermore, since the files in this article may not be the only ones associated with [email protected] ransomware, users are advised to use an advanced anti-malware program for better removal results.
In case you are looking for methods to restore files encrypted by [email protected] virus, we have suggested several alternative methods that you can try. They are posted in step “3. Restore files encrypted by [email protected] Ransomware” below.
IMPORTANT: If you try direct file decryption with Kaspersky’s tools, bear in mind that this may break your files, because this ransomware may have used CBC mode on the encrypted files. This is why we advise you to make copies of the encrypted files before you try this.