Remove Ransomware and Restore .XTBL / .CrySiS Files - How to, Technology and PC Security Forum |

Remove [email protected] Ransomware and Restore .XTBL / .CrySiS Files

help-removal-sensorstechforumRansomware virus associated with the e-mail address [email protected] has been spotted out in the wild. Researchers have identified this virus to have associations with the XTBL and CrySiS ransomware variants. This automatically points out that [email protected] Ransomware may use AES and RSA encryption which is very strong military grade to encipher files. The enciphered files by this virus can no longer be opened by any software and malware experts do not advise tampering with them. Paying ransom money to the cyber-criminals associated with this virus is not advisable as well. Instead what you can do is familiarize yourself with this virus and learn how to remove it and alternative methods to recover your data as well.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name[email protected]
Short DescriptionA variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
SymptomsAfter encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by [email protected]


Malware Removal Tool

User ExperienceJoin our forum to Discuss [email protected] Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] Ransomware – How Does This Virus Infect?

To infect users, the [email protected] Ransomware may use several different methods. It may be spread via malicious web links posted online as comments on forums, social media spam and on other online locations. It may also exist as a malicious e-mail attachment on your computer. Such e-mail attachments may often be focused on fooling users to open them by masking themselves as legitimate Microsoft Office or Adobe Reader documents. Not only this, but the e-mails may also be of a convincing character, like:

  • “Your PayPal Receipt.”
  • “Your Bank Account Has Been Cancelled.”
  • “Your purchase has been confirmed.”

Users are often advised always to check their e-mails and any content downloaded from those e-mails. URL’s and files may be even checked before you download them by having a security extension on your web browser, like VirusTotal’s extension, for example.

[email protected] Virus – What Does It Do?

As soon as the [email protected] threat is on your computer, it may begin to change different settings on it, so that when it runs it’s encryption it is interrupted. For example, it may modify several Windows settings gaining it Read and Write permissions to execute commands like deleting your Volume Shadow Copies. This is done with the following administrative command:

→ vssadmin delete shadows /all /quiet

This is like insurance to the cyber-criminals because they remove the possibility of their victims restoring the files via System Backup.

Since there are many variants of the XTBL ransomware, malware researchers believe that this virus is sold directly as a kit on the deep web forums. This is also known as RaaS or ransomware-as-a-service. It may include different modifications, making each variant of the virus to be fully customizable by the ones behind it, changing extensions, encryption, ransom note and other details

This specific variant may drop malicious files or their shortcuts in the Startup folder of Windows to run them automatically on system boot up. Here are the files reported by researchers:

→C:\Users\ {User’s profile}\ AppData\ Roaming\ Microsoft\Windows\ Start Menu\Programs\ Startup\ Decryption instructions.hta
C:\Users\ {User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Startup\ Decryption instructions.html
C:\Users\ {User’s profile}\ AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ {malicious payload file}.exe
C:\Windows\System32\ {malicious payload file}.exe

As visible from the information above, besides the malicious file that encrypts data, the ransomware also has decryption instructions files that may have different names and may contain it’s so-called ransom note. This note usually aims to scare off infected users into paying the ransom amount. Bear in mind, however, that you should not pay any ransom to cyber-crooks because this is no guarantee you will get your files back and more to it, you support their criminal activities by doing so.

Regarding file encryption, [email protected] could be configured to hunt for different files than the other XTBL ransomware variants. Most ransomware viruses usually look for and encrypt files of the following types:


The encrypted files are appended either the .xtbl file extension or the .CrySiS one, but they may also contain other extension and information as well. Typically most XTBL ransomware variants contain a unique identification number by which the cyber-criminals can identify a decryption key and decode the files after the ransom is paid. They may also contain the email [email protected], for example:


[email protected] Virus – Remove and Restore .XTBL Files

To fully erase all files and objects associated with [email protected] Ransomware from your computer, it is strongly advisable to follow the instructions which we have posted below. They are arranged so that if you do not succeed in manually deleting this virus, and it’s files still appear, you can try using an advanced anti-malware program to erase it. Using such software is also highly recommended because it may protect you in the future as well.

In case you are looking for several alternative methods to revert your files back to working state, malware researchers recommend that you attempt the methods from step “3. Restore files encrypted by [email protected] Ransomware” below. However, it is also advisable to stay away from Kaspersky’s decryptors because this ransomware may have file protection of it’s own and may break your files if you try to decrypt them. You may make copies of the files if you try direct decryption, however, which is the better option in this situation.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share