ESG malware researchers have reported another ransomware virus belonging to the CrySiS (.XTBL) family that encrypts user files. The ransomware creates a malicious executable in the %SystemDrive% folder of Windows, which is then used to encrypt a wide variety of file types on the computers it infects. The [email protected] malware may then leave a ransom note informing users that they should either contact the e-mail address or make a ransom payment in return for their files.
|Short Description|Part of the “@” ransomware variants. Encrypts the files on the infected computer, then asks for ransom money in e-mail correspondence.|
|Symptoms|The user may find that his files have become corrupted, with the questionable e-mail address and .xtbl added as file extensions.|
|Distribution Method|Via exploit kits or downloader Trojans.|
[email protected] Ransomware – Distribution and Infection Methods
For the campaign to be a profitable investment, the cyber-criminals who control the [email protected] virus may focus on spreading it as a seemingly legitimate document attached to e-mails. In addition, the malicious payload attached by the [email protected] virus may come in an obfuscated form, so that it runs without being noticed by any security software installed on the victim’s computer.
Furthermore, the topics of the e-mails sent by the cyber-criminals may vary, and the messages may be made to resemble correspondence from legitimate organizations, such as well-known online retailers, banks and other institutions with which the user may hold accounts.
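One way to catch the attachment tricks described above (an executable dressed up as a document, a document extension hiding a PE file, or a script inside an archive) is a mail-gateway check that compares each attachment's declared extension with its actual content. The following is an added example written for this page, not code from the original article or from the ransomware's authors; the sample message, sender and attachment names are constructed, and the `MZ` stub stands in for a real executable and does nothing.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute directly, and extensions users read as "documents".
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe",
             ".wsf", ".hta", ".bat", ".cmd"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def _extensions(filename):
    """All dotted suffixes of a name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess_attachment(filename, data):
    """Return a list of human-readable findings for one attachment (empty = nothing odd)."""
    findings = []
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    if last in EXEC_EXTS:
        findings.append("executable attachment type %s" % last)
        if any(e in DOC_EXTS for e in exts[:-1]):
            findings.append("document extension used to disguise executable (double extension)")
    # A PE file always starts with the 'MZ' DOS header, whatever its name says.
    if last in DOC_EXTS and data[:2] == b"MZ":
        findings.append("PE executable header (MZ) behind a document extension")
    # ZIP containers (including .docx/.xlsx) are opened to look at their members.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    mexts = _extensions(member.rsplit("/", 1)[-1])
                    if mexts and mexts[-1] in EXEC_EXTS:
                        findings.append("archive member %s is executable" % member)
        except zipfile.BadZipFile:
            findings.append("corrupt or unusual ZIP container")
    return findings


def scan_message(raw):
    """Map each attachment filename in a raw RFC 822 message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        report[name] = assess_attachment(name, data)
    return report


def build_sample_message():
    """Constructed test message: one disguised executable, one clean PDF,
    one archive carrying a script, and a fake .doc that is really a PE stub."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find the attached invoice.")
    fake_pe = b"MZ" + b"\x90" * 62  # constructed header stub, not a program
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Invoice_2016.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan.docx.js", "// constructed placeholder, not a real script\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="msword", filename="order.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(name, "->", findings or "clean")
```

The check deliberately trusts neither the extension nor the MIME type: the `.pdf.exe` case is caught by the name alone, the `order.doc` case only by the `MZ` magic, and the script inside `scan.zip` only by opening the archive. Password-protected archives defeat the last check, which is a reason to treat encrypted ZIPs from unknown senders as suspicious in their own right.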
[email protected] Virus – More Information About It
Once it has run on the victim’s computer, the [email protected] ransomware virus may drop the following file:
After this is done, the [email protected] virus may delete the volume shadow copies of the compromised machine via a batch command run with administrative privileges. The command is the following:
In addition to this, [email protected] Ransomware may also cause several other issues on the encrypted computer, such as restarting it and modifying the Windows Registry so that its malicious files run automatically every time Windows starts. The registry keys targeted for that are the following:
The other method the [email protected] virus may use to make its malicious files run on system startup is to drop a shortcut, or copies of the files it runs, directly into the Windows startup folder:
After its malicious executable file has been run, the Siddhiup2 ransomware virus begins to scan for and encrypt a wide variety of file types:
To encrypt user files, the [email protected] ransomware virus may use the strong AES encryption algorithm. The AES key used to encipher the files is then itself encrypted with RSA, and the result is sent to the cyber-criminals, who hold the matching RSA private key and are therefore the only ones able to decipher these files.
Related Article: Ransomware Encryption Explained: Why Is It So Effective?
The files that have been encrypted by [email protected] may look like the following:
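For incident triage it helps to turn the renaming symptom above (the contact e-mail and `.xtbl` appended to each file) into an inventory: which files were hit, what their original names were, and which contact address the attacker left behind. The following is an added example, not code from the original article; it assumes the layout `<original name>.<e-mail>.xtbl` (with the e-mail optionally in square brackets), and the file paths and the `ransom-contact@example.com` address are constructed sample data.

```python
import re
from collections import Counter

# Assumed naming layout, inferred from the symptom description on the page:
#   <original name>.<contact e-mail>.xtbl   (an e-mail in square brackets is also accepted)
XTBL_NAME = re.compile(
    r"^(?P<original>.+)\.\[?"
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"\]?\.xtbl$",
    re.IGNORECASE,
)

# Constructed sample listing of a victim's drive (not real paths from an incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.ransom-contact@example.com.xtbl",
    r"C:\Users\alice\Documents\thesis.docx.[ransom-contact@example.com].xtbl",
    r"C:\Users\alice\Pictures\holiday.jpg.ransom-contact@example.com.xtbl",
    r"C:\Users\alice\Documents\README.txt",
    r"C:\Windows\System32\kernel32.dll",
]


def parse_encrypted_name(filename):
    """Split an encrypted file name into its original name, original extension
    and the attacker's contact e-mail; return None if the name does not match."""
    m = XTBL_NAME.match(filename)
    if not m:
        return None
    original = m.group("original")
    ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
    return {"original": original, "extension": ext, "email": m.group("email").lower()}


def triage(paths):
    """Summarise a list of paths: how many files were encrypted, their original
    names, the contact e-mails seen, and a breakdown by original extension."""
    encrypted = []
    emails = Counter()
    by_ext = Counter()
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        info = parse_encrypted_name(name)
        if info is None:
            continue
        encrypted.append((path, info["original"]))
        emails[info["email"]] += 1
        by_ext[info["extension"]] += 1
    return {
        "encrypted_count": len(encrypted),
        "files": encrypted,
        "contact_emails": dict(emails),
        "by_extension": dict(by_ext),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print("encrypted files:", summary["encrypted_count"])
    print("contact e-mails:", summary["contact_emails"])
    print("by original extension:", summary["by_extension"])
    for path, original in summary["files"]:
        print("  %s  <-  %s" % (original, path))
```

Recovering the original name does not recover the content, but the inventory tells you the scope of the damage, gives you the address to search for in other alerts and mail logs, and produces the list of files to restore from backup once the machine is clean. In a real run, replace `SAMPLE_PATHS` with a directory walk over the affected volumes.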
Remove [email protected] Ransomware and Decrypt .Xtbl Encrypted Files
To remove this virus, it is strongly advisable to use an advanced anti-malware program, since it will identify all of the objects associated with the [email protected] threat. Another way is to follow the step-by-step removal instructions we have posted below. They will ensure that you remove [email protected] permanently from your computer and protect your data from this and other types of threats in the future.
To learn how to decrypt your files, please check step “3. Restore files encrypted by [email protected]” below.