Virus Remove and Decrypt .XTBL Files - How to, Technology and PC Security Forum |
THREAT REMOVAL Virus Remove and Decrypt .XTBL Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

1Another ransomware virus belonging to the CrySiS (.XTBL) ransomware variants has been reported to encrypt user files by ESG malware researchers. The ransomware virus creates a malicious executable in the %SystemDrive% folder of Windows which is then used to encrypt a wide variety of file types on computers that have become victims of the ransomware. The malware may then leave a ransom note which may notify users that they should either contact the e-mail address or make a ransom payoff in return for their files.

N.B: Decryptor has been released for the Shade(XTBL) ransomware variants. For more information and detailed instructions on how to decrypt your files, please check this article.

Threat Summary


Short DescriptionPart of the “@” ransomware variants. Encrypts the files on the infected computer then asks for ransom money in email correspondences.
SymptomsThe user may witness his files to become corrupt with the questionable email and .xtbl as file extensions that are added.
Distribution MethodVia Exploit kits or downloader Trojans.
Detection Tool See If Your System Has Been Affected by


Malware Removal Tool

User ExperienceJoin our forum to Discuss Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. Ransomware – Distribution and Infection Methods

For it to be a successful investment, the cyber-criminals who control the virus may focus on spreading the virus as a legitimate document on e-mail attachments. In addition to this, the virus’s malicious payload attachment may also come in an obfuscated form in order to run successfully under the noses of any security software that may be installed on the victim’s computer.

Furthermore, the topics of the e-mails that have been sent by the cyber-criminals may vary, and they may resemble messages coming from legitimate organizations, like well-known online retailers, banks and other institutions the user may have accounts in. Virus – More Information About It

Once it has run on the victim’s computer, the ransomware virus may drop the following file:


After this is done the virus may delete the volume shadow copies of the compromised machine via a batch command in administrative mode. The command is the following:

vssadmin delete shadows /for={Drive volume} /all /quiet

In addition to this, Ransomware may also cause several different issues on the enciphered computer, like restart it and modify the Windows Registry Editor so that the computer runs automatically every time Windows starts. The targeted registry keys for that are the following:

HKEY_LOCAL_MACHINE \Software \Microsoft\Windows\ CurrentVersion\ Run
HKEY_CURRENT_USER \Software \Microsoft\Windows \CurrentVersion\ Run
HKEY_LOCAL_MACHINE \Software \Microsoft\Windows \CurrentVersion \RunOnce
HKEY_CURRENT_USER \Software \Microsoft\Windows \CurrentVersion \RunOnce

The other method which the virus may perform to make it’s malicious files run on system startup is dropped a shortcut or copies of the files it may run directly in the Windows startup folder:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

After it’s malicious executable file has been ran, the Siddhiup2 ransomware virus begins to scan for and encrypt a wide variety of file types:

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps Source: ESG

To encrypt user files, the ransomware virus may use a strong AES encryption algorithm. The AES enciphering code that has been used by it produces a decryption key after the encoding process itself has been complete. This key may be encrypted via an RSA encryption, generating a private key that is then sent to the cyber-criminals, making them the only one in power to decipher these files.

Related Article: Ransomware Encryption Explained: Why Is It So Effective?

The files that have been encrypted by may look like the following: and Decrypt .Xtbl Encrypted Files

To remove this, virus, it is strongly advisable to use an advanced anti-malware program since it will make sure to identify all of the objects that are associated with the threat. Another way to do this is if you follow the step-by-step removal instructions which we have posted below. They will make sure that you will remove the permanently from your computer and protect your data from any threats of this and other types in the future as well.

To learn how to decrypt your files, please check step “3. Restore files encrypted by” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share