Remove Okean-1955 Ransomware and Restore .Xtbl Encrypted Files - How to, Technology and PC Security Forum

Remove Okean-1955 Ransomware and Restore .Xtbl Encrypted Files


A ransomware virus which contains an e-mail address is believed to be part of a large ransomware family known as the Xtbl variants. It is extremely dangerous because, at the time of writing, there is no working decrypter for the files encoded by the virus. The ransomware, known as Okean-1955, is also reported to focus primarily on enterprises, mainly SQL Server databases. One infected user reported on the Emsisoft forums that an SQL server database had been hit and that Okean-1955 encoded the data of over 10000 customers, 15 branches and three years’ worth of information. Worse, the virus reportedly destroys backups as well. All users whose systems have been infected with this ransomware are strongly advised not to contact the e-mail address and not to comply with the 24-hour deadline set by the crooks. Instead, read the article below and explore your options for removing this Xtbl variant and attempting to restore your files.

Threat Summary

Short Description: Okean-1955 encrypts files with a strong cipher and leaves a ransom note asking the victim to contact the cyber-criminals’ e-mail for further payment instructions in return for the files.
Symptoms: Files are encrypted and become inaccessible. A ransom note with payment instructions appears as a file named HOW TO DECRYPT FILES.txt.
Distribution Method: Spam e-mails, e-mail attachments, social media.
Detection Tool: See if your system has been affected by Okean-1955 (malware removal tool).
User Experience: Join our forum to discuss Okean-1955 Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only some of them, depending on the situation and on whether you have reformatted your drive.

Okean-1955 Ransomware – How Does It Replicate

To spread across computers and SQL servers, Okean-1955 may use advanced techniques to bypass protection. One of them is obfuscation of the malicious executable, which can hide it from any real-time shields running on the affected machine once it has been launched. In addition, Okean-1955 Ransomware may spread via malicious web links. Such links may pass a virus check yet redirect to malicious pages that infect users through an exploit kit, a drive-by download or malicious JavaScript. E-mails sent by the cyber-criminals vary in character and often imitate legitimate organizations, for example this fake spam e-mail pretending that someone has added you to their LinkedIn circles:


Okean-1955 Ransomware – More Information

The payload dropped by Okean-1955 may be located in the following key Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Windows%
  • %System%
  • %System32%
  • %Temp%

There may be more than one file, and they are usually of the following types:

.exe, .dll, .tmp, .vbs, .bat, .cmd

Usually, the cyber-criminals either give the malicious files random names made of A-Z and 0-9 characters, or they disguise them as a legitimate Windows process or an installed program, for example “svchost.exe”, a legitimate Windows process that is always present in Task Manager.
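As an added example (not part of the article), here is a small Python triage script that applies the two naming heuristics from this section to a file listing: it flags executable-type files with random-looking alphanumeric names inside the drop folders listed above, and a "svchost.exe" that lives anywhere other than System32 (SysWOW64 is also accepted here, an addition for 32-bit system binaries on 64-bit Windows). The expanded folder paths, the user name "alice", the eight-character threshold for "random", and the sample listing are all constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# The article's folder list expanded to concrete paths; the user "alice" is a constructed sample.
USER = "alice"
DROP_FOLDERS = [PureWindowsPath(p) for p in (
    rf"C:\Users\{USER}\AppData\Roaming",       # %AppData% / %Roaming%
    rf"C:\Users\{USER}\AppData\Local",         # %Local%
    rf"C:\Users\{USER}\AppData\LocalLow",      # %LocalLow%
    rf"C:\Users\{USER}\AppData\Local\Temp",    # %Temp% (per user)
    r"C:\Windows",                             # %Windows%, which also covers %System% / %System32%
    r"C:\Windows\Temp",                        # %Temp% (system-wide)
)]
PAYLOAD_EXTENSIONS = {".exe", ".dll", ".tmp", ".vbs", ".bat", ".cmd"}

# Process names malware likes to borrow, and where the genuine binary is allowed to live
# (SysWOW64 is an addition for 32-bit system binaries on 64-bit Windows).
IMPERSONATED = {"svchost.exe"}
LEGIT_DIRS = {PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\SysWOW64")}

RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}$")   # threshold of 8 characters is an assumption


def looks_random(stem):
    """Letters-and-digits only, at least 8 long, and mixing both: a weak 'random name' signal."""
    return (bool(RANDOM_NAME.match(stem))
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def triage(listing):
    """Run both naming heuristics over a list of full paths; return (path, reason) pairs."""
    findings = []
    for raw in listing:
        p = PureWindowsPath(raw)
        if p.name.lower() in IMPERSONATED and p.parent not in LEGIT_DIRS:
            findings.append((raw, "system process name outside its legitimate directory"))
        elif (p.suffix.lower() in PAYLOAD_EXTENSIONS
              and any(folder in p.parents for folder in DROP_FOLDERS)
              and looks_random(p.stem)):
            findings.append((raw, "random-looking executable in a known drop folder"))
    return findings


# Constructed sample listing (not from a real infection)
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\a7f3k9q2.exe",               # random name in Roaming -> flagged
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",              # borrowed system name in Temp -> flagged
    r"C:\Windows\System32\svchost.exe",                            # the genuine binary -> clean
    r"C:\Users\alice\AppData\Roaming\Microsoft\Word\normal.dotm",  # not an executable type -> clean
    r"C:\Users\alice\Documents\report.docx",                       # outside the drop folders -> clean
    r"C:\Windows\Temp\x1.tmp",                                     # too short to count as random -> clean
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LISTING):
        print(f"{reason}: {path}")
```

The heuristics are deliberately narrow: a hit is a lead for a closer look (hash, signature, parent process), not a verdict, and a real run would feed `triage` a listing collected from the host rather than the constructed one above.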

The Okean-1955 ransomware may also heavily modify the Windows Registry, adding entries that make it run on system startup and encrypt the files of the compromised computer. Similar to other XTBL variants, Okean-1955 may seek out and encrypt the following file types:


So far it is unknown which encryption Okean-1955 specifically uses, but the XTBL variants are known to offer a choice of encryption mechanisms. Other XTBL ransomware, such as Crysis Ransomware, has been seen to use the following mechanisms for encoding data:

AES Cipher – Advanced Encryption Standard

It is used primarily by government agencies such as the NSA, which classifies it in the Suite B category used to encrypt “eyes only” files. Directly breaking AES-encrypted files would take an unimaginably long time, even on a powerful machine.

RSA Cipher – Rivest-Shamir-Adleman

Files encrypted with this cipher are just as impractical to decrypt without the key as AES-encrypted ones, which is why it falls in the same category. It uses a separate decryption key, and in this particular case it may have been used to encrypt the actual decryption key that was automatically generated for the AES-encrypted files.

CBC Mode – Cipher Block Chaining

This is where the situation becomes critical. Whereas the ciphers themselves scramble the files’ contents, this mode acts as a defensive mechanism against users who try to unscramble them. It divides the ciphered data into so-called blocks and uses an Initialization Vector to separate and strengthen those blocks. Combined with a chaining mechanism that ruins the file if you try to decrypt it yourself, this is the cyber-criminals’ insurance that you will pay the ransom.
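To make the three items above concrete, here is an added example that is not from the article: a stand-in block cipher (a 4-round Feistel network built on SHA-256, which is not AES and not secure, used only so the code runs on a bare Python install) wrapped in CBC mode. It shows what the initialization vector and the chaining actually contribute: the same data encrypted twice with fresh IVs gives different ciphertexts, a wrong key yields unreadable output rather than a partially recoverable file, and corrupting one ciphertext block spoils that block and one byte of the next while the rest still decrypts. The RSA wrapping of the AES key mentioned above is not shown; the key and sample data are constructed.

```python
import hashlib
import os

BLOCK = 16  # 16-byte blocks, the same block size AES uses


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    # Round function: SHA-256 of (key, round number, one half), truncated to 8 bytes
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    """Stand-in block cipher: a 4-round Feistel network. NOT AES and not secure;
    it only provides an invertible 16-byte permutation without third-party libraries."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK          # PKCS#7: always add 1..16 bytes
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, plaintext, iv=None):
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before it goes through the block cipher."""
    iv = os.urandom(BLOCK) if iv is None else iv
    padded, prev, out = pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)              # the IV is stored with the ciphertext; it is not secret


def cbc_decrypt_raw(key, data):
    iv, body = data[:BLOCK], data[BLOCK:]
    prev, out = iv, []
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_decrypt(key, data):
    return unpad(cbc_decrypt_raw(key, data))


def try_decrypt(key, data):
    """What a guessed key gives you: garbage (usually caught by the padding check), never a partial file."""
    try:
        return cbc_decrypt(key, data)
    except ValueError:
        return None


def tampered_block_damage(key, plaintext):
    """Flip one byte of the first ciphertext block and report, per plaintext block, whether it
    changed: chaining confines the damage to that block and the one after it."""
    ct = cbc_encrypt(key, plaintext)
    tampered = bytearray(ct)
    tampered[BLOCK] ^= 0x01                # byte 0 of ciphertext block 0 (bytes 0..15 hold the IV)
    good, bad = cbc_decrypt_raw(key, ct), cbc_decrypt_raw(key, bytes(tampered))
    return [good[i:i + BLOCK] != bad[i:i + BLOCK] for i in range(0, len(good), BLOCK)]


# Constructed key and sample data, not taken from any real infection
KEY = hashlib.sha256(b"constructed demo key").digest()
SAMPLE = b"Customer table export, branch 07, 2013-2016"

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, SAMPLE)
    print("round trip ok:", cbc_decrypt(KEY, ct) == SAMPLE)
    print("same data, fresh IV differs:", cbc_encrypt(KEY, SAMPLE) != ct)
    print("wrong key recovers the file:", try_decrypt(b"\x00" * 32, ct) == SAMPLE)
    print("blocks changed by one flipped byte:", tampered_block_damage(KEY, SAMPLE))
```

The practical lesson for a victim is the one the article draws: with a real cipher in this mode, nothing short of the key decrypts anything, so effort is better spent on backups, shadow copies and published decrypters than on the ciphertext itself.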

On top of this, to make recovery harder, Okean-1955 may delete the Shadow Volume Copies of the infected machine by running the following command from a malicious script with elevated privileges:

vssadmin delete shadows /for={VOLUME OF THE PC} /all /quiet
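An added example, not from the article: a Python detector that runs over constructed process-creation records (key="value" fields modelled loosely on Sysmon process-creation events, but not their real format) and reports the shadow-copy deletion quoted above. It matches on the verb rather than the exact string, since the volume argument and switch order vary, and it also covers the "wmic shadowcopy delete" equivalent, which the article does not mention; the user names and paths in the sample are invented.

```python
import re

# Detection patterns for shadow-copy destruction. The first matches the vssadmin
# command the article quotes (any /for= volume, any switch order); the second is
# the WMI equivalent, included because detection rules normally cover both.
SHADOW_DELETION_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one constructed key="value" process-creation record into a dict."""
    return dict(FIELD.findall(line))


def parent_in_user_profile(parent_image):
    """A parent living under a user's AppData tree is a strong extra signal: administration
    tooling that legitimately touches shadow copies does not run from there."""
    return "\\appdata\\" in parent_image.lower()


def detect(lines):
    """Return one finding per record whose CommandLine matches a deletion rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        for rule, pattern in SHADOW_DELETION_RULES:
            if pattern.search(cmd):
                findings.append({
                    "rule": rule,
                    "user": ev.get("User", ""),
                    "parent": parent,
                    "parent_in_user_profile": parent_in_user_profile(parent),
                    "command": cmd,
                })
                break
    return findings


# Constructed sample records (invented users and paths; not real log data)
SAMPLE_EVENTS = [
    'EventID="1" User="CORP\\alice" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'ParentImage="C:\\Users\\alice\\AppData\\Roaming\\a7f3k9q2.exe" '
    'CommandLine="vssadmin delete shadows /for=C: /all /quiet"',
    'EventID="1" User="NT AUTHORITY\\SYSTEM" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'ParentImage="C:\\Windows\\System32\\services.exe" CommandLine="vssadmin list shadows"',
    'EventID="1" User="CORP\\alice" Image="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="wmic shadowcopy delete"',
    'EventID="1" User="CORP\\bob" Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="WINWORD.EXE /n report.docx"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        flag = " (parent in user profile)" if f["parent_in_user_profile"] else ""
        print(f'{f["rule"]}: {f["user"]} <- {f["parent"]}{flag}')
```

Because backup software and administrators do occasionally delete shadow copies, the parent process and user are what turn a match into an alert worth paging on; the record whose parent is an unsigned executable in a Roaming folder is the one that should be escalated.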

After encrypting the files, Okean-1955 appends custom identification symbols, the .okean extension and, as is typical for the family, the .xtbl extension at the end. Here is what an encrypted file looks like:


The ransomware is then reported to leave the following ransom note in a file named HOW TO DECRYPT FILES.txt:

“Все ваши файлы зашифрованы!!!!
для расшифровки обращаться на почту
у вас есть 24 часа. после 24 часов расшифровку сделать сложнее.
All your files are encrypted!!!!
decryption handle mail
you have 24 hours. after 24 hours to make decryption difficult.”

Okean-1955 Ransomware – Conclusion, File Restoration, and Removal

The bottom line is that this is yet another variant from a very widespread ransomware family that has done considerable damage to organizations and home users globally. Related viruses include Redshitline Ransomware, Crysis XTBL Ransomware, Ecovector Ransomware, Troldesh Ransomware, DataStorm Ransomware and others. To be spread on this scale, the virus is most likely sold on underground markets of the deep web or elsewhere. Whatever the case, we strongly advise against paying any ransom to cyber-criminals: doing so funds their operation, and a free decrypter may be released sooner than expected.

To remove Okean-1955, we strongly advise you to follow the instructions posted after this article. They are arranged step by step to make the removal of this crypto-virus effective.

To try to restore your files, we urge you not to attempt direct decryption and not to use other decryptors unless researchers provide a working one. Instead, you may want to try alternative methods, such as those listed below in step “3. Restore files encrypted by Okean-1955”.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
