Ramachandra Virus Removal. Decrypt .xtbl Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Ramachandra Virus Removal. Decrypt .xtbl Files



[email protected] is the full name of this crypto-virus. The name comes from the email address that is left for contacting the makers of the virus. It can safely be called an XTBL ransomware because it is part of the Troldesh/Shade family of ransomware and encrypts files, appending the .xtbl extension to them. After encryption, the virus puts files on your desktop and swaps your wallpaper too. All these changes point to instructions for contacting the extortionists. Only an email address is left as a way to contact them and possibly negotiate a price for decryption. To remove the virus and see how you might restore your files, you should read the article in full.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decrypt files encrypted by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary

Name: [email protected]
Type: Ransomware, Crypto-Virus
Short Description: The ransomware encrypts files with an extension ending in [email protected] and leaves an email address for contacting the criminals to negotiate a price for decryption.
Symptoms: The ransomware will put a new image as your desktop background with instructions which lead to an email address as a contact.
Distribution Method: Spam Emails, Email Attachments, Executable Files
Detection Tool: See If Your System Has Been Affected by [email protected] (Malware Removal Tool)
User Experience: Join Our Forum to Discuss [email protected]
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Ramachandra Virus – Delivery

The [email protected] virus possibly has a few ways of delivery. Targeted attacks or spam emails may be the most frequent ways of delivering the malware. Such a spam email consists of a short message claiming that the attachments which come with the letter are important files you need to look at. Such an attachment might seem normal, but if you make the mistake of opening it, the file drops the payload for the ransomware which infects your PC. Beware of such scams while browsing the Web and looking over emails, especially if they have files attached.

Social media services and sites for file-sharing are two other ways of delivery for the [email protected] virus. The payload file containing a malicious script wrapped as an executable could be spread on the networks mentioned above, presented as something needed. The advice you should follow for preventing ransomware from infecting your computer is to avoid dubious emails, files, and links. Before opening files, check their size, signatures and possibly scan them with a security program. You can read about more tips for preventing ransomware infections in our forum.

Ramachandra Virus – Description

The [email protected] virus is an XTBL ransomware, part of the Shade/Troldesh ransomware family. This type of ransomware is known for encrypting files and appending a long extension that contains the email used for contact and ends in .xtbl. That is the reason why security researchers label it as an XTBL ransomware.

The virus bears the name of the email which its creator left as a contact detail – [email protected].

The virus creates an executable file and probably a registry entry as well, to keep the executable persistent and to start it with every boot of Windows. The ransomware also makes at least two instruction files, which remain hidden until the encryption process is finished. Then, the virus will encrypt data found on your disk drives and external storage devices if you have any connected.

When the encryption completes, you will see your wallpaper changed, and the wallpaper picture is placed on your desktop along with a text file. Both files have the name How to decrypt your files. The wallpaper looks like the following:


The text on that image reads:

Your files are encrypted
During the restoration, please mail
[email protected]
Note! Attempt self-recovery can destroy files

The .txt file looks like this:


The [email protected] virus has no set price for the decryption of your files, nor is a deadline set for payment. The ransomware just points to an email for contact in the instruction files.

Do NOT contact the people who created the [email protected] email address, trying to talk with them about decryption. You might not get your files back, and funding crooks will only support their criminal acts. As [email protected] is a variant from the Shade/Troldesh family of ransomware, a way exists which can help you recover your files. Kaspersky researchers have developed a decryptor tool, and you can see more information about it in the guide below this article.

The [email protected] ransomware encrypts lots of file types. The virus searches for files to encrypt which have the following file extensions:


→.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

Encrypted files will all have the same extension appended to them – .id-[random eight symbols][email protected].

Afterward, the ransomware could send some data to a remote location:

  • Trojan ID
  • Compromised computer ID
  • Host name
  • Email address used by the Trojan
  • Number of encrypted document, archive, database, and image files
  • Total number of encrypted files

The [email protected] ransomware probably deletes the Volume Shadow Copies from the Windows Operating System. Read below to learn how you may decrypt your files.
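Before cleaning up or running a decryptor, it helps to have an inventory of what was hit. The following is an added example, not part of the original article or of any vendor tool: a read-only Python triage script that lists files carrying the .id-[eight symbols]….xtbl extension described above, recovers their original names, and locates the "How to decrypt your files" notes. The exact separator between the ID and the contact part is an assumption, so the pattern accepts anything there; the sample file names and the address contact@example.invalid are constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Assumption: names look like <original name>.id-<8 symbols><contact part>.xtbl,
# following the pattern given on this page; the contact part is not hard-coded.
ENCRYPTED = re.compile(r"^(?P<orig>.+)\.id-(?P<id>.{8})(?P<contact>.*)\.xtbl$", re.I)
NOTE_STEM = "how to decrypt your files"  # ransom note name given on this page


def triage(root):
    """Walk root read-only; return (encrypted entries, ransom notes, per-type counts)."""
    encrypted, notes, by_ext = [], [], Counter()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            m = ENCRYPTED.match(name)
            if m:
                orig = m.group("orig")
                ext = os.path.splitext(orig)[1].lower() or "(none)"
                by_ext[ext] += 1
                encrypted.append({"path": path, "original": orig,
                                  "id_field": m.group("id"),
                                  "contact": m.group("contact").lstrip(".")})
            elif os.path.splitext(name)[0].lower() == NOTE_STEM:
                notes.append(path)
    return encrypted, notes, by_ext


def build_sample_tree(root):
    """Create constructed, empty sample files so the demo runs offline."""
    names = ["report.docx.id-A1B2C3D4.contact@example.invalid.xtbl",
             "photo.jpg.id-A1B2C3D4.contact@example.invalid.xtbl",
             "budget.xlsx",  # untouched file, must not be reported
             "How to decrypt your files.txt",
             "How to decrypt your files.jpg"]
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    for n in names:
        open(os.path.join(root, "docs", n), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        enc, notes, by_ext = triage(tmp)
        for e in enc:
            print(e["id_field"], e["original"], "<-", e["path"])
        print("notes:", len(notes), "by type:", dict(by_ext))
```

The script only reads directory listings and changes nothing on disk; point `triage()` at a drive or a backup copy to get the list of affected files and their original names.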

Remove Ramachandra Virus and Restore .xtbl Files

If your computer got infected with the [email protected] ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more PCs. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 3. Restore files encrypted by [email protected].

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
