Remove Centurion_Legion@aol.com .XTBL Ransomware - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Centurion_Legion@aol.com .XTBL Ransomware


One of the many ransomware variants of the Shade/Troldesh family is known as Centurion_Legion@aol.com, after the contact e-mail it appends to the files it encrypts. This is a recently discovered version that has started to plague computer users worldwide. It encrypts most user files and folders with a strong encryption algorithm, and the criminals then demand a ransom fee to "unlock" access to the compromised data. If you have been affected by this ransomware, we recommend that you follow the instructions below to remove it and try to restore your files without paying the ransom.

Threat Summary

Name: Centurion_Legion@aol.com .XTBL
Type: Ransomware
Short Description: A variant of the Shade/Troldesh ransomware family. It encrypts user data with strong encryption and drops a note with instructions and the criminals' ransom demand.
Symptoms: User files become inaccessible and are renamed with the attacker's e-mail address and .xtbl appended as file extensions.
Distribution Method: Spam e-mails, e-mail attachments, malicious websites, file-sharing networks.

Centurion_Legion@aol.com – How Does It Infect?

The developers of the Centurion_Legion@aol.com ransomware distribute the malware through several channels: spam e-mail campaigns built around phishing, malicious websites that host download links, and infected removable media such as flash drives and external disks.
One of the most common infection routes is a phishing e-mail with forged headers that poses as a legitimate notification from a courier company such as FedEx, DHL or USPS. These counterfeit "failed delivery" messages carry the ransomware as an attachment or link to a site that serves the ransomware executable.

Ransomware of the Shade/Troldesh family is also known to arrive in Office documents that abuse the Macro functionality. The document itself is harmless until macros run, so the lure text urges the user to click "Enable Content" when the file opens; once macros are enabled, the embedded code downloads or drops the ransomware executable and starts it.

Centurion_Legion@aol.com – Detailed Background

The ransomware affects all current versions of the Microsoft Windows operating system – Windows 7, Windows 8 (8.1) and Windows 10. File contents are encrypted with the AES cipher, and the AES key is in turn protected with RSA, so the encrypted data cannot be recovered without the criminals' RSA private key.

Upon execution the malware creates a randomly named executable file in the %AppData% or %LocalAppData% location, which is then launched by the ransomware dropper. The malware then scans all connected drives and encrypts the user data. Centurion_Legion@aol.com targets all commonly used file extensions, including those used for documents, audio and video. As with other members of the Shade/Troldesh family, the targeted files include those with the following extensions:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Encrypted files are renamed with the Centurion_Legion@aol.com.xtbl extension. A ransom note named "How to decrypt your files.txt" is placed in every folder that contains affected files and on the Windows desktop as well. Centurion_Legion also replaces the desktop background with the image "How to decrypt your files.png", which carries the ransom demand. The sum requested usually ranges from 0.5 to 1.5 Bitcoin. Upon execution, this variant additionally deletes all Shadow Volume Copies found on the target machine.
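The markers above (the e-mail plus .xtbl suffix, the two note files, and a fresh executable under %AppData% or %LocalAppData%) are enough to triage a machine without any vendor tool. The script below is an added example, not code from the original article: it walks a profile, counts encrypted files per directory, uses their modification times to bound when the encryption run started, and then lists executables written shortly before that moment in the drop locations the article names. The one-hour look-back window and the "id-" segment in the sample names are assumptions for the demonstration; the directory tree it scans is constructed in a temp folder.

```python
"""Triage a user profile for Centurion_Legion@aol.com .xtbl indicators.

Added example, not from the original article. Finds encrypted files and
ransom notes, derives the encryption window from file mtimes, and flags
executables dropped into AppData just before it. The sample tree is constructed.
"""
import os
import re
import tempfile
import time
from pathlib import Path

ATTACKER_EMAIL = "Centurion_Legion@aol.com"
NOTE_NAMES = {"how to decrypt your files.txt", "how to decrypt your files.png"}
# Encrypted names end in "<email>.xtbl". Shade/Troldesh variants often insert an
# ID segment before the e-mail; the pattern does not depend on it.
ENCRYPTED_RE = re.compile(re.escape(ATTACKER_EMAIL) + r"\.xtbl$", re.IGNORECASE)


def scan_tree(root: str) -> dict:
    """Walk root and summarise encrypted files and ransom notes."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if ENCRYPTED_RE.search(name):
                encrypted.append(full)
            elif name.lower() in NOTE_NAMES:
                notes.append(full)
    mtimes = [os.path.getmtime(p) for p in encrypted]
    return {
        "encrypted_count": len(encrypted),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
        "notes": sorted(notes),
        # Earliest and latest mtime bound the encryption run on the timeline.
        "first_encrypted": min(mtimes) if mtimes else None,
        "last_encrypted": max(mtimes) if mtimes else None,
    }


def dropped_executables(dirs, not_after: float, window: float = 3600.0) -> list:
    """Executables written in the `window` seconds before encryption started.

    On a live system pass %APPDATA% and %LOCALAPPDATA%, the locations the
    article names. The one-hour default window is an assumed triage value.
    """
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for dirpath, _dirs, files in os.walk(d):
            for name in files:
                if not name.lower().endswith(".exe"):
                    continue
                full = os.path.join(dirpath, name)
                if not_after - window <= os.path.getmtime(full) <= not_after:
                    hits.append(full)
    return sorted(hits)


def triage(root: str) -> dict:
    """Run both checks against one profile root and return a single report."""
    report = scan_tree(root)
    appdata = [os.path.join(root, "AppData", "Roaming"), os.path.join(root, "AppData", "Local")]
    report["dropped_executables"] = (
        dropped_executables(appdata, report["first_encrypted"])
        if report["first_encrypted"] is not None else []
    )
    return report


def build_sample_tree() -> str:
    """Constructed profile layout with explicit mtimes; returns its root path."""
    root = tempfile.mkdtemp(prefix="xtbl_demo_")
    t0 = time.time() - 600  # pretend the encryption run started ten minutes ago
    layout = {
        f"Documents/report.docx.id-1A2B.{ATTACKER_EMAIL}.xtbl": (b"\x00" * 16, t0),
        "Documents/How to decrypt your files.txt": (b"ransom note placeholder", t0 + 1),
        f"Pictures/holiday.jpg.{ATTACKER_EMAIL}.xtbl": (b"\x00" * 16, t0 + 30),
        "Pictures/untouched.png": (b"\x89PNG", t0 - 86400),
        "How to decrypt your files.png": (b"\x89PNG", t0 + 31),
        "AppData/Roaming/f3k9dq.exe": (b"MZ", t0 - 120),            # dropped just before
        "AppData/Local/OldInstaller.exe": (b"MZ", t0 - 30 * 86400),  # a month old, ignored
    }
    for rel, (content, mtime) in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_tree()), indent=2))
```

Run it against `C:\Users\<name>` on the affected machine (with `dropped_executables` pointed at the real %APPDATA% and %LOCALAPPDATA%) and keep the report: the affected directory list drives restoration, and the dropper path plus encryption window are what a SOC or law enforcement contact will ask for first.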

Centurion_Legion@aol.com Ransomware – Remove It and Try To Restore Your Files

At this moment no public decryptor is available for this variant of the Troldesh/Shade family. Because the files are encrypted with AES and the AES key is protected with RSA, the victim needs the criminals' RSA private key to restore access to their files. That key is not published anywhere on the Internet, so no decryption utility can be built at this time. AES is one of the strongest ciphers in use, relied on by many secure applications and services, and brute-forcing it is unrealistic.

Upon execution, Centurion_Legion deletes all Shadow Volume Copies on the local computer to further complicate recovery for the victim. All users are advised to keep offline or otherwise isolated backup copies of sensitive data so that ransomware like this one cannot cause permanent data loss. We also suggest reporting the attack to the law enforcement agency in your country.
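Shadow-copy deletion is also the loudest thing this family does, and it happens before the ransom note is visible, which makes it a good detection point. The article says the copies are deleted but not how; the rules below cover the commands Windows ransomware commonly uses for it (vssadmin, wmic, PowerShell WMI, bcdedit, wbadmin), which is my assumption rather than a claim about this sample. This is an added example, not code from the original article: it runs the rules over constructed process-creation records in a simple "EventID|User|ParentImage|CommandLine" shape and raises the severity when the parent executable lives under AppData, the drop location the article describes.

```python
"""Flag shadow-copy and recovery destruction in process-creation telemetry.

Added example, not from the original article. Rules cover the common
Windows commands for the job (assumed baseline; the article names none).
The log records are constructed, not real telemetry.
"""
import re

# (rule name, pattern matched against the full command line)
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_shadowcopy", re.compile(
        r"win32_shadowcopy.*(remove-(wmi|cim)(object|instance)|\.delete\(\))", re.I)),
    ("bcdedit_recovery_off", re.compile(
        r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

# A parent running from AppData matches where the article says the dropper lives.
SUSPICIOUS_PARENT_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)


def parse_event(line: str) -> dict:
    """Parse one 'EventID|User|ParentImage|CommandLine' record (constructed format)."""
    event_id, user, parent, cmd = line.split("|", 3)  # command line may itself contain '|'
    return {"event_id": int(event_id), "user": user, "parent": parent, "cmd": cmd}


def detect(lines) -> list:
    """Return one alert per record whose command line matches a rule."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ev = parse_event(raw)
        for name, pat in RULES:
            if pat.search(ev["cmd"]):
                severity = "high" if SUSPICIOUS_PARENT_RE.search(ev["parent"]) else "medium"
                hits.append({"rule": name, "severity": severity, "user": ev["user"],
                             "parent": ev["parent"], "cmd": ev["cmd"]})
                break  # first matching rule wins; one alert per event
    return hits


# Constructed process-creation records, not real telemetry.
SAMPLE_LOG = r"""
1|CORP\alice|C:\Users\alice\AppData\Roaming\f3k9dq.exe|vssadmin.exe delete shadows /all /quiet
1|CORP\alice|C:\Users\alice\AppData\Roaming\f3k9dq.exe|bcdedit /set {default} recoveryenabled No
1|CORP\alice|C:\Windows\System32\cmd.exe|wmic shadowcopy delete
1|CORP\alice|C:\Windows\System32\cmd.exe|powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
1|NT AUTHORITY\SYSTEM|C:\Program Files\BackupVendor\agent.exe|vssadmin list shadows
1|CORP\alice|C:\Windows\explorer.exe|notepad.exe "How to decrypt your files.txt"
""".strip().splitlines()


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f'[{hit["severity"]}] {hit["rule"]}: {hit["cmd"]}  (parent={hit["parent"]})')
```

The `vssadmin list shadows` line from the backup agent is deliberately left unmatched: listing is routine, deletion is not. Backup software does legitimately delete or resize shadow storage, so in production the "medium" alerts should be tuned on parent image and user, while a deletion spawned from a fresh executable in a user's AppData directory deserves an immediate host isolation.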


To remove Centurion_Legion@aol.com .XTBL follow these steps:

1. Boot your PC in Safe Mode to isolate and remove Centurion_Legion@aol.com .XTBL files and objects
2. Find files created by Centurion_Legion@aol.com .XTBL on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool (boot back into Normal mode first so the tool can be installed)
4. Try to restore files encrypted by Centurion_Legion@aol.com .XTBL

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
