Virus Remove and Restore .Xtbl Files - How to, Technology and PC Security Forum |


Yet another ransomware virus has appeared, belonging to the notorious .XTBL family of ransomware variants. The malware has been reported to encrypt the files of affected users. It may use AES encryption to encode the user's files, the RSA cipher to encode the AES decryption key, and CBC mode as a defensive measure. Users who have been infected by this ransomware are strongly advised to follow the step-by-step removal instructions outlined in this article to remove the virus successfully. If you want to restore your files, we also advise trying some of the file-restoration methods in this report until a decryptor becomes publicly available for free.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found at the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary
Name: Virus
Short Description: A variant of the .XTBL ransomware viruses. Encrypts files with strong encryption and drops a ransom note with payoff instructions for decryption.
Symptoms: After encryption the ransomware may steal information and appends the .xtbl extension to every file.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks.

How Is the Virus Spread?

To infect a large number of users, the ransomware may be included in a spam campaign that spreads phishing e-mails imitating legitimate companies, such as PayPal or banking institutions. Such e-mail messages might use subjects designed to persuade users that their bank accounts have been suspended, among other pretexts.

The main goal of the cyber-criminals is to get users either to click on a malicious URL featured in the body of those e-mails or to open an e-mail attachment pretending to be one of the following:

  • Microsoft Excel Documents.
  • Microsoft Word Documents.
  • Adobe Reader Files.
  • Archives and photos.

As soon as users click on such links or attachments, the payload may be downloaded via a request to the C&C servers of the cyber-criminals.

In Detail

After infecting the user, the virus may drop its payload into several different folders on the infected Windows machine:

→ C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.txt
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{malicious payload file}.exe
C:\Windows\System32\{malicious payload file}.exe

The virus targets the %Startup% folder specifically because anything placed there is executed automatically at system startup. The ransomware is also believed to delete the volume shadow copies of the computers it infects, which would otherwise allow files to be restored from earlier snapshots. This may happen by executing the administrative command vssadmin:

→vssadmin delete shadows /all /quiet
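Both behaviours described above (an executable dropped in the Startup folder and a vssadmin shadow-copy deletion) are straightforward to spot in process-creation telemetry. The following is an added example, not code from the original article: it runs simple detection rules over constructed, Sysmon-style process-creation records (the `Key="value"` line format and the sample events are assumptions for this example).

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry): one process creation per line,
# flattened to Key="value" pairs so that paths containing spaces survive parsing.
SAMPLE_EVENTS = [
    r'Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe"',
    r'Image="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe" CommandLine="payload.exe" ParentImage="C:\Windows\explorer.exe"',
    r'Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\System32\cmd.exe"',
    r'Image="C:\Program Files\Editor\editor.exe" CommandLine="editor.exe notes.txt" ParentImage="C:\Windows\explorer.exe"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# "delete shadows" is the destructive verb; "list shadows" is benign admin use.
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# Per-user Startup folder suffix, compared case-insensitively.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed Key="value" event line into a dict."""
    return dict(KV_RE.findall(line))


def detect(event: dict[str, str]) -> list[str]:
    """Return the names of all rules that match a single event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    hits: list[str] = []
    if PureWindowsPath(image).name.lower() == "vssadmin.exe" and SHADOW_DELETE_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    if STARTUP_MARKER in image.lower() and image.lower().endswith(".exe"):
        hits.append("startup_folder_executable")
    if STARTUP_MARKER in parent.lower():
        hits.append("child_of_startup_folder_process")
    return hits


def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Run every rule over every event; return (rule, image basename) findings."""
    findings: list[tuple[str, str]] = []
    for line in lines:
        event = parse_event(line)
        name = PureWindowsPath(event.get("Image", "")).name
        findings.extend((rule, name) for rule in detect(event))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Note that the benign "vssadmin list shadows" event produces no finding, while the shadow deletion is flagged twice: once for the command itself and once because its parent runs from the Startup folder.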

When it begins to encrypt user files, the crypto-malware may look for the most widely used types of files, primarily those associated with:

  • Videos.
  • Image files.
  • Audio files.
  • Database files.
  • Files that are associated with programs often used, like Microsoft Office files, for example.

After encryption, the affected files have the .XTBL file extension appended, along with a unique identification number and the contact e-mail, similar to other XTBL ransomware variants. A file encrypted by the virus looks like the following:


Remove Ransomware and Restore .XTBL Encrypted Files

To successfully delete this ransomware from your computer, malware researchers strongly advise using instructions like the ones below, since they are arranged in the correct methodological order and will help you get rid of this virus. If you have difficulties or doubts about removing the ransomware manually, malware researchers advise using an advanced anti-malware program that will automatically scan for and remove the threat.

To restore your files, we advise waiting for a decryptor to be released publicly instead of paying ransom money to the cyber-criminals. We also recommend following this blog, since we will post an update as soon as decryption is available for free. Do not be tempted to attempt direct file recovery, because the Cipher Block Chaining (CBC) mode used by this virus may break your files. In the meantime, you may try some of the alternative methods we suggest in step "3. Restore files encrypted by Virus."


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
