Virus Remove and Decrypt .XTBL Files - How to, Technology and PC Security Forum

[email protected] Virus Remove and Decrypt .XTBL Files



Another ransomware virus belonging to the CrySiS (.XTBL) ransomware family has been reported by ESG malware researchers to encrypt user files. The ransomware creates a malicious executable in the %SystemDrive% folder of Windows, which is then used to encrypt a wide variety of file types on the victim's computer. The [email protected] malware may then leave a ransom note notifying users that they should either contact the e-mail address or pay a ransom in return for their files.

N.B: Decryptor has been released for the Shade(XTBL) ransomware variants. For more information and detailed instructions on how to decrypt your files, please check this article.

Threat Summary

Name: [email protected]
Short Description: Part of the “@” ransomware variants. Encrypts the files on the infected computer, then asks for ransom money in e-mail correspondence.
Symptoms: The user's files become corrupted, with the questionable e-mail address and .xtbl appended as file extensions.
Distribution Method: Via exploit kits or downloader Trojans.

[email protected] Ransomware – Distribution and Infection Methods

To make the operation profitable, the cyber-criminals who control the [email protected] virus may focus on spreading it as a legitimate-looking document attached to e-mails. In addition, the malicious payload attachment may be obfuscated so that it runs unnoticed by any security software installed on the victim's computer.

Furthermore, the subjects of the e-mails sent by the cyber-criminals may vary, and the messages may resemble those of legitimate organizations, such as well-known online retailers, banks and other institutions with which the user may have accounts.

[email protected] Virus – More Information About It

Once it has run on the victim’s computer, the [email protected] ransomware virus may drop the following file:


After this is done, the [email protected] virus may delete the volume shadow copies of the compromised machine via a batch command run with administrative privileges. The command is the following:

vssadmin delete shadows /for={Drive volume} /all /quiet

In addition, [email protected] ransomware may cause several other issues on the infected computer, such as restarting it and modifying the Windows Registry so that its executable runs automatically every time Windows starts. The registry keys targeted for this are the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The other method the [email protected] virus may use to make its malicious files run on system startup is to drop a shortcut, or copies of the files themselves, directly into the Windows Startup folder:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
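As an added example (not code from the article or from ESG), the following Python triage script turns the three behaviours described above, the shadow-copy deletion command, the four Run/RunOnce keys and the Startup folder, into detection logic run over a few constructed event records; the event format and the sample values are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators taken from the article: the shadow-copy deletion command, the
# four Run/RunOnce keys and the all-users Startup folder.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
STARTUP_DIR = r"c:\programdata\microsoft\windows\start menu\programs\startup"
HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}
# Constructed sample events (assumed SIEM-style records, not from the article).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin delete shadows /for=C: /all /quiet"},
    {"type": "process", "cmdline": "vssadmin list shadows"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "data": r"C:\Users\victim\AppData\Roaming\payload.exe"},
    {"type": "registry", "key": r"HKLM\Software\Classes\.txt", "data": "txtfile"},
    {"type": "file", "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\payload.lnk"},
    {"type": "file", "path": r"C:\Users\victim\Documents\report.docx"},
]

def normalize_key(key: str) -> str:
    """Lower-case a registry path and expand the HKLM/HKCU abbreviations."""
    key = key.strip().lower().strip("\\")
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + "\\" + rest

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    kind = event.get("type")
    if kind == "process" and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "shadow_copy_deletion"
    if kind == "registry" and normalize_key(event.get("key", "")) in RUN_KEYS:
        return "run_key_persistence"
    if kind == "file" and event.get("path", "").lower().startswith(STARTUP_DIR + "\\"):
        return "startup_folder_persistence"
    return None

def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Run classify() over an event stream and keep only the hits."""
    return [(label, ev) for ev in events for label in [classify(ev)] if label]

if __name__ == "__main__":
    for label, ev in scan(SAMPLE_EVENTS):
        print(label, ev)
```

Matching on "vssadmin delete shadows" alone, rather than on the exact flags in the article, also catches variants that omit /quiet or name a different volume.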

After its malicious executable has been run, the Siddhiup2 ransomware virus begins to scan for and encrypt a wide variety of file types:

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

Source: ESG

To encrypt user files, the [email protected] ransomware virus may use the strong AES encryption algorithm. The AES routine it uses yields the decryption key once the encryption process is complete; this key may in turn be encrypted with RSA, so that only the cyber-criminals, who hold the corresponding RSA private key, are able to decipher the files.

Related Article: Ransomware Encryption Explained: Why Is It So Effective?

The files that have been encrypted by [email protected] may look like the following:

[email protected] and Decrypt .Xtbl Encrypted Files

To remove this virus, it is strongly advisable to use an advanced anti-malware program, since it will identify all of the objects associated with the [email protected] threat. Another way is to follow the step-by-step removal instructions posted below. They will ensure that you remove [email protected] permanently from your computer and protect your data from threats of this and other types in the future as well.

To learn how to decrypt your files, please check step “3. Restore files encrypted by [email protected]” below.
