Virus Remove and Restore .Xtbl Files - How to, Technology and PC Security Forum |

[email protected] Virus Remove and Restore .Xtbl Files

shutterstock_152253701Malware researchers have identified a string associated with the XTBL viruses, dubbing it [email protected] ransomware virus. It uses the .xtbl file extension and similar to other XTBL viruses may use the AES and RSA ciphers to encrypt files of affected users and then ask them to contact a specific e-mail address to restore these files. Since the cyber-criminals behind this virus are interesting in getting users to pay BitCoins as a ransom payoff, malware researchers are currently working on a decryptor for the files that can unlock them for free. For more information on how to remove [email protected] ransomware and how to restore your files, it is strongly advisable to read this article thoroughly.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name[email protected] Ransomware
Short DescriptionA variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
SymptomsAfter encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by [email protected] Ransomware


Malware Removal Tool

User ExperienceJoin our forum to Discuss [email protected] Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] – How Does It Replicate

To be successfully in the systems of it’s victims, the ones who are behind [email protected] virus may undertake spam campaigns that may redistribute an exploit kit hidden as a malicious e-mail attachment. The e-mails sent out with the virus may pretend to be legitimate e-mails sent from various institutions, like banks or online retailer stores. They may contain convincing subjects, like “Your account is closed” to get users to download and open such attachments.

In addition to this, the attachments of [email protected] ransomware themselves may also be concealed. Cyber-criminals use exploit kits and malware obfuscators to hide these files from any security software. They may also use file joiners to make the files appear as if they were a legitimate Microsoft Excel, Adobe Reader or other documents, for instance.

[email protected] Ransomware – Detailed Description

After having opened the malicious payload carrying file, it may connect remotely to the cyber-criminals’ command and control server only to download the actual payload without any hic-ups. As soon as it downloads it, the [email protected]
Virus may drop the files in various Windows locations:

  • %Roaming%
  • %SystemDrive%
  • %AppData%
  • %Local%
  • %Temp%

Also, typically to the .XTBL ransomware viruses, the [email protected] Ransomware may drop a ransom note file under .HTML and .hta file formats.

The [email protected] virus also creates copies and shortcuts of those files in the %Startup% folder to make them run everytime Windows boots up:

→C:\Users\ {User’s profile}\ AppData\ Roaming\ Microsoft\Windows\ Start Menu\Programs\ Startup\ Decryption instructions.jpg
C:\Users\ {User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Startup\ Decryption instructions.txt
C:\Users\ {User’s profile}\ AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ {malicious payload file}.exe
C:\Windows\System32\ {malicious payload file}.exe

When it starts encrypting the files, [email protected] may be very choosy. It looks for most files that are widely used to encode them, making them permanently unopenable. The virus may also be configured to skip specific folders to encrypt, such as:

  • %System Drive%
  • %AppData%
  • %Windows%
  • %Temp%
  • %System32%

The [email protected] may skip those folders for one and only purpose – to avoid crashing Windows OS while encrypting the files.

In addition to this, the [email protected] virus may also delete all the backups of the compromised computer using the powerful vssadmin command in “quiet” mode.

After having encrypted your files, just like many other XTBL ransomware variants out there, the [email protected] virus ads a unique identifier, it’s e-mail address, and the .xtbl file extension to encrypted files, for example:


[email protected] Ransomware – Removal and Restoring .XTBL Files

If you wish to delete this ransomware from your computer, it is advisable not to take it to an expert. They will only overcharge you for something you can do on your own. Instead, we advise you to simply follow the instructions after this article as they are going to help you delete the malicious files associated with [email protected] ransomware. For maximum effectiveness, malware researchers also strongly advise users to download and install an advanced anti-malware program which will surely take care of the threat and protect you in the future as well.

To try and restore your files you may attempt using the methods illustrated in step “3. Restore files encrypted by [email protected]ransomware below. However, we also advise you not to try direct decryption using Kaspersky’s methods because this virus may also have a defensive mechanism, called CBC (cipher block chaining) that may break the files irreversibly if you try to decode them.

Manually delete [email protected] Ransomware from your computer

Note! Substantial notification about the [email protected] Ransomware threat: Manual removal of [email protected] Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove [email protected] Ransomware files and objects
2.Find malicious files created by [email protected] Ransomware on your PC
3.Fix registry entries created by [email protected] Ransomware on your PC

Automatically remove [email protected] Ransomware by downloading an advanced anti-malware program

1. Remove [email protected] Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by [email protected] Ransomware in the future
3. Restore files encrypted by [email protected] Ransomware
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.