Remove Crysis XTBL Ransomware and Restore .xtbl Encrypted Files - How to, Technology and PC Security Forum |

Remove Crysis XTBL Ransomware and Restore .xtbl Encrypted Files

crysis-ransomware-sensorstechforum-mainThe family of Crysis ransomware viruses is able to encode files on different drives as well as external devices. The virus uses an extremely powerful combination of three ciphers to encrypt data – AES, RSA key to lock the AES decryption code and something, known as CBC mode which is explained in detail below. The ransomware adds the e-mail on which users can contact the cyber-criminals to conduct the payoff. This Crysis virus is known to have at least 4 variants, driving us to believe that it may be a part of a RaaS (Ransomware-as-a-service) scheme.

Threat Summary

Short DescriptionThe ransomware encrypts files with the AES, RSA and CBC-mode mechanisms and requests the sum of around 400 to 900 euros from the user to grant access back to the files.
SymptomsAfter encryption the ransomware steals login passwords and adds the .xtbl extension after every file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Crysis


Malware Removal Tool

User ExperienceJoin our forum to Discuss Guardware Ransomware.

How Is Crysis Distributed Over The Web

To be successfully widespread, Crysis Ransomware variants use spam e-mail campaigns that directly contain malicious files, with masked file extensions. The files may be pretending to be Microsoft Office (Word, Excel, Power Point) documents, PDF files, setups of different programs or other legitimate records. In addition to that, they may be archived in a .RAR or .ZIP file extension to avoid detection by the protection of the e-mail service providers. Examples of how malicious files by Crysis may look like is the following:

  • Confirmation Letter.docx.exe file with a Microsoft Word Icon
  • Invoice.pdf.exe with an Adobe Reader Icon on it.

Crysis XTBL Ransomware In Detail

This family of ransomware is reported to have several versions and variants. They can be identified by the method for file decryption, more specifically that there are 5 different names of the encoded XTBL files:

  • {cyber-criminal`s email}.ext
  • {UNIQUE ID}.{cyber-criminal`s email}.ext
  • {UNIQUE ID}.{cyber-criminal`s email}.xtbl
  • {cyber-criminal`s email}.xtbl

After the malicious files by Crysis have been executed, it looks for around 190 types of files on the compromised computer and encrypts them. The most affected files by the ransomware are believed by researchers to contain the following file extensions:


Not only this, but Crysis also looks for removable drives, such as USB, Memory Cards, external HDD`s, external SSDs and others.

To encrypt the files, Crysis uses three types of ciphers:

AES-256 (Advanced Encryption Standard)
This encryption algorithm is used to directly encrypt the files and is classified as a Suite.B encryption, and it is used by the NSA to encrypt some secret files. Its direct decryption may take years even If tried by a very powerful machine.

This encryption mechanism has relatively the same strength as the AES, depending on how many bits it is. It may be used to encrypt the private decryption key generated after encrypting all the files with the AES encryption.

CBC (Cipher Block Chaining)-mode
This mode of encoding is particularly effective when used in combination with AES encryption. It is the main reason why this ransomware is so dangerous for direct decryption. It uses modes, known as Initialization Vector (IV) and a chaining mechanism to additionally scramble the cipher text, separating it in blocks which have a specific order. This mechanism is like a fail-safe to the cyber-criminals. When the user tries to directly decrypt the files and somehow rearranges these blocks, the files becomes corrupted and permanently non-decryptable.

After decryption, the Crysis ransomware virus also deletes the shadow volume copies and other backups of the infected computer. This can be done by executing the following command in Windows:

→ vssadmin delete shadows /for={VOLUME OF THE PC} /all /quiet

After this has been done, the virus connects to the server of the Cyber-Criminals and sends the name if the infected computer as well as several infected files. In several Windows versions, it also attempts to start as an administrator and continues to increase its list of encrypted files.

In addition to that, Crysis comes with an info stealer, which collects sensitive information from the infected computer:

  • Messenger logs.
  • Passwords.
  • Information on different software that is installed and other program data.
  • Web camera logs and information.

All of the information collected is naturally sent to the address of the cyber-criminals, and after encryption is complete, the ransomware creates these two files on the already infected computer:

  • How to decrypt your files.txt
  • DECRYPT.jpg

Both the files contain different ransom instructions. The wallpapers set has been reported by researchers few of the variants to be the following:

Regarding decryption fee, Crysis variants wants users to send from around 400 to 900 euros. The cyber criminals provide instructions on how to send the money by converting it to BitCoins. The e-mail addresses associated with this ransomware were reported by to be the following:

Some of the e-mails are met with other Ransomware variats, like Redshitline and EcoVector ransomware variants.

Crysis XTBL Ransomware – Conclusion, Removal, and File Restoration Alternatives

In brief, this ransomware is one of the most serious viruses we have seen so far, especially because of the Cipher Block Chaining mode being used, which makes decryption of files very very risky. The ransomware’s spread is reported to be very high, which means that users should install an advanced anti-malware program that will protect them and their files against Crysis.

To remove Crysis effectively, we advise you to use an advanced anti-malware program. Of course you may try manual removal, but the automatic solution is the best since Crysis has many variants and they may have different files and registry keys created on the infected computer.

Since direct decryption is impossible at this point, users may try other methods to restore the files, which safely enough go around direct decryption. Such methods may be found in step “3. Restore Files Encrypted by Crysis” below. Be advised that if you are willing to invest the time and money in these alternative methods, you do not get a 100% guarantee that these methods will work. But they are the best alternative solution there is so far.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share