Remove .XTBL Ransomware - How to, Technology and PC Security Forum

Remove .XTBL Ransomware

One of the many ransomware variants of the Shade/Troldesh family is called .XTBL. This is a recently discovered version that has started to plague computer users worldwide. It uses a strong encryption algorithm to lock most user files and folders, and the criminals then demand a ransom fee to "unlock" access to the compromised data. If you have been affected by this ransomware, we recommend that you follow these instructions to remove the ransomware and restore your files without paying the ransom.

Threat Summary

Name: .XTBL
Short Description: A variant of the Shade/Troldesh ransomware family. The malware applies strong encryption to user data and drops a note with instructions and the criminals' ransom demand.
Symptoms: User files become unreadable and are renamed with the criminals' email address and .xtbl appended as file extensions.
Distribution Method: Spam emails, email attachments, malicious websites, file sharing networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans drive sectors to recover lost files; it may recover only some of the encrypted files rather than all of them, depending on the situation and on whether the drive has been reformatted.

How Does It Infect?

The developers of the Centurion ransomware distribute the malware through several channels: spam email campaigns that employ phishing, malicious websites that host download links, and infected removable devices such as flash drives and external disks.
One popular way the ransomware reaches victims is through phishing emails with forged headers. These messages pose as legitimate notifications from courier companies such as FedEx, DHL and USPS; the counterfeit failed-delivery notices carry infected attachments or embedded links that lead to the ransomware executable.

Ransomware of the Shade/Troldesh family is also known to spread through documents that abuse the popular macro functionality. The malicious document urges the user to enable macros when it is opened; once enabled, the macro launches the ransomware executable.

Detailed Background

The ransomware affects all current versions of the Microsoft Windows operating system: Windows 7, Windows 8 (8.1) and Windows 10. It encrypts files with the AES cipher and protects the AES key with RSA, a combination that makes decryption without the criminals' private key impractical.

Upon execution the malware drops a randomly named executable in the %AppData% or %LocalAppData% folder and launches it. The malware then scans all connected drives and encrypts the user data. The ransomware targets all commonly used file types, including those used for documents, audio and video. As with other members of the Shade/Troldesh family, files with the following extensions are affected:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Encrypted files are given the .xtbl extension. A ransom note named "How to decrypt your files.txt" is placed in every folder that contains affected files and on the Windows desktop as well. Centurion_Legion also replaces the desktop background with the "How to decrypt your files.png" image, which carries the ransom demand. The demanded sum usually ranges from 0.5 to 1.5 Bitcoin. Upon execution, this variant additionally deletes all Shadow Volume Copies found on the target machine.

.XTBL Ransomware – Remove It and Try To Restore Your Files

At this moment no public decryptor tool is available for this variant of the Troldesh/Shade family. This ransomware combines the strong AES cipher with RSA key protection, so the victim needs the criminals' private key to restore access to their files. As that key has not been published anywhere on the Internet, there is no way of building a decryption utility at this time. AES is one of the strongest ciphers in use by secure applications and services, and brute forcing it is unrealistic.

Centurion_Legion deletes all Shadow Volume Copies on the local computer upon execution, which further complicates restoration for victims. All users are advised to keep external, offline copies of their sensitive data so that ransomware such as this one cannot cause permanent data loss. We also suggest that you report all criminal activity to the law enforcement agency in your country.
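The on-disk indicators described above (files renamed with the .xtbl suffix, the "How to decrypt your files.txt" note dropped into affected folders and onto the desktop, and the list of targeted extensions) can be turned into a quick triage scan that a responder runs before anything else, so that still-intact files of targeted types can be copied off the machine and affected folders inventoried. The following Python script is an added example and is not code from the article or from the malware; it assumes that the appended email address sits immediately before the .xtbl suffix, a layout the article mentions but does not spell out, and it builds a constructed sample tree so it runs offline.

```python
"""Triage scan for the .xtbl indicators described in the article (added example).

Walks a directory tree and reports files already renamed with the .xtbl suffix,
ransom notes dropped into folders, and intact files whose extension is on the
targeted list, so they can be backed up before any cleanup is attempted.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators taken from the article.
ENCRYPTED_SUFFIX = ".xtbl"
RANSOM_NOTE_NAMES = {"how to decrypt your files.txt", "how to decrypt your files.png"}

# Subset of the targeted extensions listed in the article (extend from the full list).
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                       ".sql", ".pst", ".psd", ".zip", ".mp4"}

# Assumption (layout not spelled out in the article): the appended email address sits
# between the original name and the .xtbl suffix, e.g. "report.docx.<email>.xtbl".
EMAIL_TAIL = re.compile(r"\.[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass
class TriageReport:
    encrypted: list[Path] = field(default_factory=list)   # already renamed to .xtbl
    notes: list[Path] = field(default_factory=list)       # ransom notes found
    at_risk: list[Path] = field(default_factory=list)     # intact files of targeted types
    affected_dirs: set[Path] = field(default_factory=set)

    @property
    def infected(self) -> bool:
        return bool(self.encrypted or self.notes)


def classify(path: Path) -> str:
    """Return one of 'note', 'encrypted', 'at_risk' or 'other' for a single file."""
    name = path.name.lower()
    if name in RANSOM_NOTE_NAMES:
        return "note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if path.suffix.lower() in TARGETED_EXTENSIONS:
        return "at_risk"
    return "other"


def original_name(encrypted: Path) -> str:
    """Best-effort pre-encryption file name, used only to inventory what was hit."""
    stem = encrypted.name
    if stem.lower().endswith(ENCRYPTED_SUFFIX):
        stem = stem[: -len(ENCRYPTED_SUFFIX)]
    return EMAIL_TAIL.sub("", stem)


def scan_tree(root: Path) -> TriageReport:
    """Classify every file under root and collect the folders that hold indicators."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        for filename in files:
            path = directory / filename
            kind = classify(path)
            if kind == "note":
                report.notes.append(path)
                report.affected_dirs.add(directory)
            elif kind == "encrypted":
                report.encrypted.append(path)
                report.affected_dirs.add(directory)
            elif kind == "at_risk":
                report.at_risk.append(path)
    return report


def build_sample_tree() -> Path:
    """Constructed sample tree mimicking the article's symptoms (no real malware output)."""
    root = Path(tempfile.mkdtemp(prefix="xtbl_triage_"))
    docs, desktop = root / "Documents", root / "Desktop"
    docs.mkdir()
    desktop.mkdir()
    (docs / "report.docx.someone@example.com.xtbl").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.someone@example.com.xtbl").write_bytes(b"\x00" * 16)
    (docs / "How to decrypt your files.txt").write_text("constructed note")
    (desktop / "How to decrypt your files.txt").write_text("constructed note")
    (desktop / "budget.xlsx").write_bytes(b"PK")        # intact file of a targeted type
    (root / "notes.md").write_text("untouched")         # not a targeted type
    return root


if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(f"infected={r.infected} encrypted={len(r.encrypted)} notes={len(r.notes)} "
          f"at_risk={len(r.at_risk)} affected_dirs={len(r.affected_dirs)}")
    for p in sorted(r.encrypted):
        print(f"  {p.name} -> originally {original_name(p)}")
```

Point scan_tree at a user profile or a mounted evidence image instead of the sample tree to get the real inventory; the at_risk list is the set of files worth copying to external media first, and affected_dirs shows how far the encryption got before it was stopped.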


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
