One of the many ransomware variants of the Shade/Troldesh family is called [email protected] This is a recently discovered version that has started to plague computer users worldwide. It uses an advanced encryption algorithm to store most user files and folders in a protected form. The criminals then demand a ransom fee to “unlock” access to the compromised data. If you have been affected by this ransomware, we recommend that you follow these instructions to remove the ransomware and restore your files without paying the ransom.
[email protected] .XTBL
|Short Description||A variant of the Shade/Troldesh ransomware family. This malware uses strong encryption that is employed against user data. The ransomware places a note with instructions containing information about the criminal ransom fee.|
|Symptoms||The user may witness his files to become corrupt with the questionable email and .xtbl as file extensions that are added.|
|Distribution Method||Spam Emails, Email Attachment, Malicious Websites, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by [email protected] .XTBL |
Malware Removal Tool
|User Experience||Join our forum to Discuss [email protected] Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
[email protected] – How Does It Infect?
The developers of the Centurion [email protected] ransomware are distributing the malware via different channels – spam email campaigns that employ phishing attacks, malicious web sites containing download links and infected devices such as flash drives and external disks.
One of the popular ways the ransomware infects victims is by forging email headers in phishing emails, these messages pose as legitimate notifications from courier companies like FedEx, DHL and USPS. These counterfeit failed delivery messages contain infected attached files or embedded links to the ransomware executables.
Ransomware of the Shade/Troldesh family is also known to infect documents via the popular Macro functionality. Users are encouraged to enable this feature when opening a malicious file upon which the ransomware executable starts.
[email protected] – Detailed Background
The ransomware affects all current versions of the Microsoft Windows operating system – Windows 7, Windows 8 (8.1) and Windows 10. The ransomware uses the AES cipher utilizing the RSA encryption method which provides a very strong countermeasure to decryption.
Upon execution the malware creates a random named executable file in the %AppData% or %LocalAppData% location. This executable is then started by the ransomware trigger. The malware then begins to scan all connected drives and encrypt the user data. [email protected] affects all commonly used file extensions, including the ones used for documents, audio and video. As with other members of the Shade/Troldesh family the victim files include those with the following extensions:
→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
The victim data is stored with [email protected] extension. A ransomware note with the name “How to decrypt your files.txt” is placed in each folder with affected file and on the Windows desktop as well. Centurion_Legion also changes the background image with the “How to decrypt your files.png” file that contains the ransom fee demand. Usual sum request ranges from 0.5 to 1.5 Bitcoin. Upon execution of the ransomware, this variant additionally deletes all Shadow Volume Copies that are found on the target machine.
[email protected] Ransomware – Remove It and Try To Restore Your Files
At this moment no public decryptor tool is available for this variant of the Troldesh/Shade family. This type of ransomware uses the strong AES cipher and the RSA encryption technique – the victim needs to utilize the criminal private to restore access to their files. As the key is not posted anywhere on the Internet, there is no way of creating a decryption utility at this time. The AES cipher is one of the strongest ones that is used by various secure applications and services and brute forcing it is unrealistic.
Centurion_Legion upon execution deletes all Shadow Volume Copies available on the local computer to further complicate restoration for the victims. All users are ensured to make external safe copies of all sensitive data to avoid data loss from ransomware such as this one. We suggest that you report all criminal activity to the law enforcement agency in your country.