Malware researchers have identified a string associated with the XTBL viruses, dubbing it [email protected] ransomware virus. It uses the .xtbl file extension and similar to other XTBL viruses may use the AES and RSA ciphers to encrypt files of affected users and then ask them to contact a specific e-mail address to restore these files. Since the cyber-criminals behind this virus are interesting in getting users to pay BitCoins as a ransom payoff, malware researchers are currently working on a decryptor for the files that can unlock them for free. For more information on how to remove [email protected] ransomware and how to restore your files, it is strongly advisable to read this article thoroughly.
|Name||[email protected] Ransomware|
|Short Description||A variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.|
|Symptoms||After encryption the ransomware may steal information and appends .xtbl extension after every file.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by [email protected] Ransomware |
Malware Removal Tool
|User Experience||Join our forum to Discuss [email protected] Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
[email protected] – How Does It Replicate
To be successfully in the systems of it’s victims, the ones who are behind [email protected] virus may undertake spam campaigns that may redistribute an exploit kit hidden as a malicious e-mail attachment. The e-mails sent out with the virus may pretend to be legitimate e-mails sent from various institutions, like banks or online retailer stores. They may contain convincing subjects, like “Your account is closed” to get users to download and open such attachments.
In addition to this, the attachments of [email protected] ransomware themselves may also be concealed. Cyber-criminals use exploit kits and malware obfuscators to hide these files from any security software. They may also use file joiners to make the files appear as if they were a legitimate Microsoft Excel, Adobe Reader or other documents, for instance.
[email protected] Ransomware – Detailed Description
After having opened the malicious payload carrying file, it may connect remotely to the cyber-criminals’ command and control server only to download the actual payload without any hic-ups. As soon as it downloads it, the [email protected]
Virus may drop the files in various Windows locations:
Also, typically to the .XTBL ransomware viruses, the [email protected] Ransomware may drop a ransom note file under .HTML and .hta file formats.
The [email protected] virus also creates copies and shortcuts of those files in the %Startup% folder to make them run everytime Windows boots up:
When it starts encrypting the files, [email protected] may be very choosy. It looks for most files that are widely used to encode them, making them permanently unopenable. The virus may also be configured to skip specific folders to encrypt, such as:
- %System Drive%
The [email protected] may skip those folders for one and only purpose – to avoid crashing Windows OS while encrypting the files.
In addition to this, the [email protected] virus may also delete all the backups of the compromised computer using the powerful vssadmin command in “quiet” mode.
After having encrypted your files, just like many other XTBL ransomware variants out there, the [email protected] virus ads a unique identifier, it’s e-mail address, and the .xtbl file extension to encrypted files, for example:
[email protected] Ransomware – Removal and Restoring .XTBL Files
If you wish to delete this ransomware from your computer, it is advisable not to take it to an expert. They will only overcharge you for something you can do on your own. Instead, we advise you to simply follow the instructions after this article as they are going to help you delete the malicious files associated with [email protected] ransomware. For maximum effectiveness, malware researchers also strongly advise users to download and install an advanced anti-malware program which will surely take care of the threat and protect you in the future as well.
To try and restore your files you may attempt using the methods illustrated in step “3. Restore files encrypted by [email protected]” ransomware below. However, we also advise you not to try direct decryption using Kaspersky’s methods because this virus may also have a defensive mechanism, called CBC (cipher block chaining) that may break the files irreversibly if you try to decode them.