|Short Description||Encrypts important user data and demands ransom in return.|
|Symptoms||The user may have his files encrypted without his consent and may see a ransom note with instructions on how to pay for them.|
|Distribution Method||Malicious Links Spam Mail|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Trojan.Ransomcrypt.T|
|User Experience||Join our forum to follow the discussion about Trojan.Ransomcrypt.T.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Trojan.Ransomcrypt.T appears to be the most dangerous out of all the Ransomcrypt variants infecting PCs everywhere. Security researchers strongly advise users to look for any .xtbl extensions on their files and in case they detect them to try and remove the threat. One way to do this is to follow the step-by-step instructions after this article and check the hotlinks for suggested methods for decrypting the encrypted files. Experts strongly advise against complying with the ransom demands of the cyber crooks.
Trojan.Ransomcrypt.T – How Did I Get Infected?
One way to become a victim of this malicious threat is by opening spam mail that may contain ‘Open this.’ type of infected files. Some spam mails may resemble reputable services such as the Windows 10 Upgrade e-mail and most users with little or no experience with spam mail may fall for it. Some emails have even fooled experienced users this is why email software with spam filters is always recommended.
Trojan.Ransomcrypt.T In Detail
Symantec researchers have established that the .T variant is more sophisticated than the main one. Once the malicious file has been executed on the user PC, the Trojan then creates these objects:
It also tampers with the registry editor, creating the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”Client Server Runtime Subsystem” = “%Windir%\csrss.exe”
It aims to make the file “csrss.exe” run on system startup.
After modifying several user settings, the trojan horse then opens up an active connection to these reported http locations:
After this is done, the trojan then begins scanning for files on external memory carries like removable drives and remote drives. It also scans fixed drives used by the PC. This trojan supports a huge database of file formats it encrypts:
→.3ds .3fr .3g2 .3gp .7z .accda .accdb .accdc .accde .accdt .accdw .adb .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .anim .arw .as .asa .asc .ascx .asm .asmx .asp .aspx .asr .asx .avi .avs .backup .bak .bay .bd .bin .bmp .bz2 .c .cdr .cer .cf .cfc .cfm .cfml .cfu .chm .cin .class .clx .config .cpp .cr2 .crt .crw .cs .css .csv .cub .dae .dat .db .dbf .dbx .dc3 .dcm .dcr .der .dib .dic .dif .divx .djvu .dng .doc .docm .docx .dot .dotm .dotx .dpx .dqy .dsn .dt .dtd .dwg .dwt .dx .dxf .edml .efd .elf .emf .emz .epf .eps .epsf .epsp .erf .exr .f4v .fido .flm .flv .frm .fxg .geo .gif .grs .gz .h .hdr .hpp .hta .htc .htm .html .icb .ics .iff .inc .indd .ini .iqy .j2c .j2k .java .jp2 .jpc .jpe .jpeg .jpf .jpg .jpx .js .jsf .json .jsp .kdc .kmz .kwm .lasso .lbi .lgf .lgp .log .m1v .m4a .m4v .max .md .mda .mdb .mde .mdf .mdw .mef .mft .mfw .mht .mhtml .mka .mkidx .mkv .mos .mov .mp3 .mp4 .mpeg .mpg .mpv .mrw .msg .mxl .myd .myi .nef .nrw .obj .odb .odc .odm .odp .ods .oft .one .onepkg .onetoc2 .opt .oqy .orf .p12 .p7b .p7c .pam .pbm .pct .pcx .pdd .pdf .pdp .pef .pem .pff .pfm .pfx .pgm .php .php3 .php4 .php5 .phtml .pict .pl .pls .pm .png .pnm .pot .potm .potx .ppa .ppam .ppm .pps .ppsm .ppt .pptm .pptx .prn .ps .psb .psd .pst .ptx .pub .pwm .pxr .py .qt .r3d .raf .rar .raw .rdf .rgbe .rle .rqy .rss .rtf .rw2 .rwl .safe .sct .sdpx .shtm .shtml .slk .sln .sql .sr2 .srf .srw .ssi .st .stm .svg .svgz .swf .tab .tar .tbb .tbi .tbk .tdi .tga .thmx .tif .tiff .tld .torrent .tpl .txt .u3d .udl .uxdc .vb .vbs .vcs .vda .vdr .vdw .vdx .vrp .vsd .vss .vst .vsw .vsx .vtm .vtml .vtx .wb2 .wav .wbm .wbmp .wim .wmf .wml .wmv .wpd .wps .x3f .xl .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xps .xsd .xsf .xsl .xslt .xsn .xtp .xtp2 .xyze .xz .zip
After scanning this huge variety of files the trojan variant then encrypts them with a .xtbl extension. An encrypted file may look similar to this one:
→New Word Document.docx.xtbl
And Windows displays a notification message that the file is corrupt upon opening it.
After encrypting the files, this ransomware virus then leaves the following files in the folders of the encrypted files
The Trojan then drops the following file in each folder that has encrypted files like this example:
After doing so, the next step of the trojan is to change the desktop wallpaper to a picture containing demands that ask the user to open the readme text with the random number above for more information. The readme text contains the following message in Russian and English:
“ATTENTION! All the important files on your disks were encrypted. The details can be found in the README.txt files which you can locate on any of your disks.”
In order to remove this variant, please use advanced anti malware and follow the instructions below in order to boot into safe mode. In case you wish to try and decrypt your data, you can check the suggested links here.
Methods for decryption:
Scan and remove ransomware via a live OS: