Virus Remove and Restore .Xtbl Files - How to, Technology and PC Security Forum |

[email protected] Virus Remove and Restore .Xtbl Files

shutterstock_152253701Malware researchers have identified a string associated with the XTBL viruses, dubbing it [email protected] ransomware virus. It uses the .xtbl file extension and similar to other XTBL viruses may use the AES and RSA ciphers to encrypt files of affected users and then ask them to contact a specific e-mail address to restore these files. Since the cyber-criminals behind this virus are interesting in getting users to pay BitCoins as a ransom payoff, malware researchers are currently working on a decryptor for the files that can unlock them for free. For more information on how to remove [email protected] ransomware and how to restore your files, it is strongly advisable to read this article thoroughly.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name[email protected] Ransomware
Short DescriptionA variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
SymptomsAfter encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by [email protected] Ransomware


Malware Removal Tool

User ExperienceJoin our forum to Discuss [email protected] Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] – How Does It Replicate

To be successfully in the systems of it’s victims, the ones who are behind [email protected] virus may undertake spam campaigns that may redistribute an exploit kit hidden as a malicious e-mail attachment. The e-mails sent out with the virus may pretend to be legitimate e-mails sent from various institutions, like banks or online retailer stores. They may contain convincing subjects, like “Your account is closed” to get users to download and open such attachments.

In addition to this, the attachments of [email protected] ransomware themselves may also be concealed. Cyber-criminals use exploit kits and malware obfuscators to hide these files from any security software. They may also use file joiners to make the files appear as if they were a legitimate Microsoft Excel, Adobe Reader or other documents, for instance.

[email protected] Ransomware – Detailed Description

After having opened the malicious payload carrying file, it may connect remotely to the cyber-criminals’ command and control server only to download the actual payload without any hic-ups. As soon as it downloads it, the [email protected]
Virus may drop the files in various Windows locations:

  • %Roaming%
  • %SystemDrive%
  • %AppData%
  • %Local%
  • %Temp%

Also, typically to the .XTBL ransomware viruses, the [email protected] Ransomware may drop a ransom note file under .HTML and .hta file formats.

The [email protected] virus also creates copies and shortcuts of those files in the %Startup% folder to make them run everytime Windows boots up:

→C:\Users\ {User’s profile}\ AppData\ Roaming\ Microsoft\Windows\ Start Menu\Programs\ Startup\ Decryption instructions.jpg
C:\Users\ {User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Startup\ Decryption instructions.txt
C:\Users\ {User’s profile}\ AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ {malicious payload file}.exe
C:\Windows\System32\ {malicious payload file}.exe

When it starts encrypting the files, [email protected] may be very choosy. It looks for most files that are widely used to encode them, making them permanently unopenable. The virus may also be configured to skip specific folders to encrypt, such as:

  • %System Drive%
  • %AppData%
  • %Windows%
  • %Temp%
  • %System32%

The [email protected] may skip those folders for one and only purpose – to avoid crashing Windows OS while encrypting the files.

In addition to this, the [email protected] virus may also delete all the backups of the compromised computer using the powerful vssadmin command in “quiet” mode.

After having encrypted your files, just like many other XTBL ransomware variants out there, the [email protected] virus ads a unique identifier, it’s e-mail address, and the .xtbl file extension to encrypted files, for example:


[email protected] Ransomware – Removal and Restoring .XTBL Files

If you wish to delete this ransomware from your computer, it is advisable not to take it to an expert. They will only overcharge you for something you can do on your own. Instead, we advise you to simply follow the instructions after this article as they are going to help you delete the malicious files associated with [email protected] ransomware. For maximum effectiveness, malware researchers also strongly advise users to download and install an advanced anti-malware program which will surely take care of the threat and protect you in the future as well.

To try and restore your files you may attempt using the methods illustrated in step “3. Restore files encrypted by [email protected]ransomware below. However, we also advise you not to try direct decryption using Kaspersky’s methods because this virus may also have a defensive mechanism, called CBC (cipher block chaining) that may break the files irreversibly if you try to decode them.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share