Remove .XTBL Ransomware - How to, Technology and PC Security Forum

Remove [email protected] .XTBL Ransomware

One of the many ransomware variants of the Shade/Troldesh family is called [email protected]. This is a recently discovered version that has started to plague computer users worldwide. It uses an advanced encryption algorithm to encrypt most user files and folders. The criminals then demand a ransom fee to “unlock” access to the compromised data. If you have been affected by this ransomware, we recommend that you follow these instructions to remove the ransomware and restore your files without paying the ransom.

Threat Summary


[email protected] .XTBL

Short Description: A variant of the Shade/Troldesh ransomware family. This malware applies strong encryption to user data. The ransomware places a note with instructions containing information about the criminal ransom fee.
Symptoms: The user may find that files have become corrupt, with the questionable email address and .xtbl added as file extensions.
Distribution Method: Spam Emails, Email Attachment, Malicious Websites, File Sharing Networks.

User Experience: Join our forum to Discuss [email protected] Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] – How Does It Infect?

The developers of the Centurion [email protected] ransomware distribute the malware via several channels: spam email campaigns that employ phishing attacks, malicious websites containing download links, and infected devices such as flash drives and external disks.
One of the popular ways the ransomware infects victims is through phishing emails with forged headers. These messages pose as legitimate notifications from courier companies like FedEx, DHL and USPS. The counterfeit failed-delivery messages contain infected attachments or embedded links to the ransomware executables.

Ransomware of the Shade/Troldesh family is also known to spread through documents that abuse the popular macro functionality. Users are encouraged to enable this feature when opening a malicious file, upon which the ransomware executable starts.

[email protected] – Detailed Background

The ransomware affects all current versions of the Microsoft Windows operating system: Windows 7, Windows 8 (8.1) and Windows 10. The ransomware uses the AES cipher in combination with RSA encryption, which provides a very strong barrier to decryption.

Upon execution, the malware creates a randomly named executable file in the %AppData% or %LocalAppData% location. This executable is then started by the ransomware trigger. The malware then begins to scan all connected drives and encrypt the user data. [email protected] affects all commonly used file extensions, including the ones used for documents, audio and video. As with other members of the Shade/Troldesh family, the victim files include those with the following extensions:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

The victim data is stored with the [email protected] extension. A ransom note named “How to decrypt your files.txt” is placed in each folder that contains affected files and on the Windows desktop as well. Centurion_Legion also replaces the desktop background image with the “How to decrypt your files.png” file, which contains the ransom fee demand. The requested sum usually ranges from 0.5 to 1.5 Bitcoin. Upon execution, this variant additionally deletes all Shadow Volume Copies that are found on the target machine.
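The file-level indicators described above (the .xtbl suffix, the ransom note names, and an executable dropped in a profile folder) can be checked with a short triage script. This is an added example, not code from the original article or from any removal tool it mentions; the function names, the sample file names and the address contact@example.invalid are constructed for illustration, and treating every top-level .exe in a profile folder as worth review is an assumed heuristic.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article text.
ENCRYPTED_SUFFIX = ".xtbl"
NOTE_NAMES = {"how to decrypt your files.txt", "how to decrypt your files.png"}


def scan_tree(root):
    """Walk root and collect files that match the indicators above."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            full = Path(dirpath) / name
            if lowered.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(full)
            elif lowered in NOTE_NAMES:
                notes.append(full)
    # Count encrypted files per folder to show how far the damage spread.
    per_folder = Counter(p.parent for p in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "folders": dict(per_folder)}


def top_level_executables(profile_dir):
    """List .exe files sitting directly in a folder such as %AppData% or
    %LocalAppData% (assumed heuristic: review each hit manually)."""
    base = Path(profile_dir)
    if not base.is_dir():
        return []
    return sorted(p for p in base.iterdir()
                  if p.is_file() and p.suffix.lower() == ".exe")


def build_sample_tree(base):
    """Constructed sample data so the scan can be tried offline."""
    docs = Path(base) / "Documents"
    appdata = Path(base) / "AppData" / "Roaming"
    docs.mkdir(parents=True)
    appdata.mkdir(parents=True)
    (docs / "report.docx.contact@example.invalid.xtbl").write_bytes(b"\x00")
    (docs / "notes.txt").write_text("untouched file")
    (docs / "How to decrypt your files.txt").write_text("constructed note")
    (appdata / "qzxvbn.exe").write_bytes(b"MZ")  # constructed random name
    return docs, appdata


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        docs, appdata = build_sample_tree(tmp)
        print(scan_tree(tmp), top_level_executables(appdata))
```

On a real system, point `scan_tree` at a user profile or a mounted disk image and `top_level_executables` at the expanded %AppData% and %LocalAppData% paths.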

[email protected] Ransomware – Remove It and Try To Restore Your Files

At this moment, no public decryptor tool is available for this variant of the Troldesh/Shade family. This type of ransomware uses the strong AES cipher and the RSA encryption technique, so the victim needs the criminals' private key to restore access to their files. As the key is not posted anywhere on the Internet, there is no way of creating a decryption utility at this time. The AES cipher is one of the strongest in use by various secure applications and services, and brute-forcing it is unrealistic.

Upon execution, Centurion_Legion deletes all Shadow Volume Copies available on the local computer to further complicate restoration for the victims. All users are encouraged to make external safe copies of all sensitive data to avoid data loss from ransomware such as this one. We suggest that you report all criminal activity to the law enforcement agency in your country.

Manually delete [email protected] .XTBL from your computer

Note! Important notice about the [email protected] .XTBL threat: Manual removal of [email protected] .XTBL requires interference with system files and the registry. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove [email protected] .XTBL files and objects
2. Find malicious files created by [email protected] .XTBL on your PC
3. Fix registry entries created by [email protected] .XTBL on your PC

Automatically remove [email protected] .XTBL by downloading an advanced anti-malware program

1. Remove [email protected] .XTBL with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by [email protected] .XTBL in the future
3. Restore files encrypted by [email protected] .XTBL
Optional: Using Alternative Anti-Malware Tools

Editor’s Note:

From time to time, SensorsTechForum features guest articles by cyber security and infosec leaders and enthusiasts such as this post. The opinions expressed in these guest posts, however, are entirely those of the contributing author, and may not reflect those of SensorsTechForum.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
