Ramachandra Virus Removal. Decrypt .xtbl Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Ramachandra Virus Removal. Decrypt .xtbl Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)


Ramachandra7@india.com is the full name of this crypto-virus. The name comes from the email that is left for contacting the makers of the virus. It can safely be called an XTBL ransomware because it is part of the Troldesh/Shade family of ransomware and encrypts files placing the .xtbl extension to them. After encryption, the virus puts files on your desktop and swaps your wallpaper too. All these changes point to instructions for contacting the extortionists. Only an email is left as a way to contact them and possibly negotiate a price for decryption. To remove the virus and see how you might restore your files, you should read the article in full.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

TypeRansomware, Crypto-Virus
Short DescriptionThe ransomware encrypts files with an extension ending in Ramachandra7@india.com.xtbl and leaves an email address as contacting the criminals to negotiate a price for decryption.
SymptomsThe ransomware will put a new image as your desktop background with instructions which lead to an email address as a contact.
Distribution MethodSpam Emails, Email Attachments, Executable Files
Detection Tool See If Your System Has Been Affected by Ramachandra7@india.com


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Ramachandra7@india.com.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Ramachandra Virus – Delivery

The Ramachandra7@india.com virus possibly has a few ways of delivery. Targeted attacks or spam emails may be the most frequent ways of delivering the malware. A spam email like that consists of a short message with the notion that you have important files to look at from the attachments which come with the letter. Such an attachment might seem normal, but if you make the mistake of opening it, the file drops the payload for the ransomware which infects your PC. Beware of such scams while browsing the Web and looking over emails, especially if they have files attached.

Social media services and sites for file-sharing are two other ways of delivery for the Ramachandra7@india.com virus. The payload file containing a malicious script wrapped as an executable could be spread on the networks mentioned above, presented as something needed. The advice you should follow for preventing ransomware from infecting your computer is to avoid dubious emails, files, and links. Before opening files, check their size, signatures and possibly scan them with a security program. You can read about more tips for preventing ransomware infections in our forum.

Ramachandra Virus – Description

The Ramachandra7@india.com virus is an XTBL ransomware, part of the Shade/Troldesh ransomware family. This type of ransomware viruses is known to encrypt files and appending a long extension with the email used for contact and placing the .xtbl at the end. That is the reason why security researchers label it as an XTBL ransomware.

Thevirus bears the name of the email which its creator left as a contact detail – Ramachandra7@india.com.

The virus creates an executable file and probably a registry entry as well, to keep the executable perseverant and to start with every boot of Windows. The ransomware also makes at least two instruction files, which remain hidden until the encryption process is finished. Then, the virus will encrypt data found on your disk drives and external storage devices if you have any connected.

When the encryption completes, you will see your wallpaper changed, and the picture is on your desktop along with a text file. Both files have the name How to decrypt your files. The wallpaper looks like the following:


The text on that image reads:

Your files are encrypted
During the restoration, please mail
Note! Attempt self-recovery can destroy files

The .txt file looks like this:


The Ramachandra7@india.com virus has no set price for the decryption of your files, nor a deadline is set for payment. The ransomware just points to an email for contact in the instruction files.

Do NOT contact the people who created the Ramachandra7@india.com email address, trying to talk with them about decryption. You might not get your files back, and funding crooks will only support their criminal acts. As Ramachandra7@india.com is a variant from the Shade/Troldesh family of ransomware, a way exists which can help you recover your files. Kaspersky researchers have developed a decryptor tool, and you can see more information about it in the guide below this article.

The Ramachandra7@india.com ransomware encrypts lots of file types. The virus searches to encrypt files which have the following file extensions:


→.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

Encrypted files will all have the same extension appended to them – .id-[random eight symbols]-Ramachandra7@india.com.xtbl.

Afterward, the ransomware could some data to a remote location:

  • Trojan ID
  • Compromised computer ID
  • Host name
  • Email address used by the Trojan
  • Number of encrypted document, archive, database, and image files
  • Total number of encrypted files

The Ramachandra7@india.com ransomware probably deletes the Shadow Volume Copies from the Windows Operating System. Read below to learn how you may decrypt your files.

Remove Ramachandra Virus and Restore .xtbl Files

If your computer got infected with the Ramachandra7@india.com ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it can have the chance of spreading further and infect more PCs. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 3. Restore files encrypted by Ramachandra7@india.com.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share