Virus Remove and Restore .Xtbl Files - How to, Technology and PC Security Forum

[email protected] Virus Remove and Restore .Xtbl Files



Yet another ransomware virus has appeared, belonging to the notorious .XTBL ransomware variants. The malware has been reported to encrypt the files of affected users. It may use AES encryption to encode the files of the user, the RSA cipher to encode the AES decryption key, and CBC mode as a defensive measure. Users who have been infected by [email protected] ransomware are strongly advised to follow the step-by-step instructions outlined in this article to remove this virus successfully. If you want to restore your files, we also advise attempting some of the file restoration methods in this report until a decryption becomes publicly available for free.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found at the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary

Name: [email protected] Virus
Short Description: A variant of the .XTBL ransomware viruses. Encrypts files with strong encryption and drops a ransom note with payoff instructions for decryption.
Symptoms: After encryption, the ransomware may steal information, and it appends the .xtbl extension to every file.
Distribution Method: Spam emails, email attachments, file sharing networks.

How Is [email protected] Spread?

To infect a large number of users, the [email protected] ransomware may be included in a spam campaign that spreads phishing e-mails imitating legitimate companies, such as PayPal, banking institutions, etc. Such e-mail messages might have topics focused on persuading users that their bank accounts are suspended, among others.

The end goal for the cyber-criminals is for users to click either on a malicious URL featured in the body of those e-mails or on an e-mail attachment pretending to be one of the following:

  • Microsoft Excel Documents.
  • Microsoft Word Documents.
  • Adobe Reader Files.
  • Archives and photos.

As soon as users click on such links or attachments, the payload may be downloaded via a request from the C&C servers of the cyber-criminals.

After having infected the user, the [email protected] virus may drop its payload into several different folders on the infected Windows machine:

→ C:\Users\{User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg
C:\Users\{User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.txt
C:\Users\{User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{malicious payload file}.exe
C:\Windows\System32\{malicious payload file}.exe

The virus targets the %Startup% folder specifically because anything placed there is executed automatically on system startup.
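A read-only triage sketch for the locations and the .xtbl symptom described above, added here as an example (it is not code from the original article or from any vendor tool). The function names, the sample directory tree and the sample file names are constructed for illustration, and flagging a raw .exe in the Startup folder is a heuristic assumption.

```python
import tempfile
from pathlib import Path

# Per-user Startup folder, relative to the profile, as listed on this page.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
NOTE_STEM = "decryption instructions"   # ransom note base name from the page
NOTE_EXTS = {".jpg", ".txt"}

def triage_profile(profile: Path) -> dict:
    """Return indicator hits for one user profile directory (read-only)."""
    hits = {"startup_executables": [], "ransom_notes": [], "xtbl_files": []}
    startup = profile / STARTUP_REL
    if startup.is_dir():
        for entry in sorted(startup.iterdir()):
            if not entry.is_file():
                continue
            suffix = entry.suffix.lower()
            if suffix == ".exe":
                # Startup entries are normally .lnk shortcuts, so a raw
                # executable here deserves review (heuristic, not proof).
                hits["startup_executables"].append(entry.name)
            elif entry.stem.lower() == NOTE_STEM and suffix in NOTE_EXTS:
                hits["ransom_notes"].append(entry.name)
    # Encrypted files carry the .xtbl extension anywhere under the profile.
    for path in sorted(profile.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".xtbl":
            hits["xtbl_files"].append(path.relative_to(profile).as_posix())
    return hits

def build_sample_profile(root: Path) -> Path:
    """Create a constructed, harmless directory tree that mimics the layout."""
    profile = root / "sample_user"
    startup = profile / STARTUP_REL
    startup.mkdir(parents=True)
    (startup / "Decryption instructions.txt").write_text("constructed sample")
    (startup / "Decryption instructions.jpg").write_bytes(b"constructed")
    (startup / "placeholder_payload.exe").write_bytes(b"constructed")
    (startup / "OneNote.lnk").write_bytes(b"constructed")
    docs = profile / "Documents"
    docs.mkdir()
    (docs / "report.docx.SAMPLE-ID.xtbl").write_bytes(b"constructed")
    (docs / "notes.txt").write_text("untouched")
    return profile

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, names in triage_profile(build_sample_profile(Path(tmp))).items():
            print(f"{kind}: {names}")
```

Point `triage_profile` at a mounted copy of a user profile rather than the live system so that nothing in the Startup folder is executed or modified during review.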

[email protected] Ransomware is also believed to delete the volume shadow copies of the computers which it infects. This may happen by executing an administrative command, called vssadmin:

→vssadmin delete shadows /all /quiet
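One way to detect the command above in process-creation telemetry, as an added example that is not part of the original article. The sample events and function names are constructed, and the input is assumed to be one record per created process (as Sysmon Event ID 1 or Windows Security Event 4688 provide), so vssadmin appears as its own record even when a shell launched it.

```python
import re

# Constructed process-creation records: (timestamp, parent image, command line).
SAMPLE_EVENTS = [
    ("2016-01-01T10:00:01", "explorer.exe", "vssadmin list shadows"),
    ("2016-01-01T10:02:13", "placeholder_payload.exe",
     "vssadmin delete shadows /all /quiet"),
    ("2016-01-01T10:02:14", "cmd.exe",
     '"C:\\Windows\\System32\\VSSADMIN.EXE"  Delete Shadows /Quiet /All'),
    ("2016-01-01T10:05:40", "cmd.exe", "echo vssadmin delete shadows is dangerous"),
]

# A token is either a double-quoted string or a run of non-space characters.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline: str) -> list:
    """Split a Windows command line into lower-cased tokens."""
    return [(quoted or bare).lower() for quoted, bare in TOKEN.findall(cmdline)]

def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the process image is vssadmin and it is asked to delete shadows."""
    tokens = tokenize(cmdline)
    if not tokens:
        return False
    # Reduce a full path to the image name so path and case do not matter.
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1]
    if image not in ("vssadmin", "vssadmin.exe"):
        return False
    # The verb and object come first; switches such as /all and /quiet may
    # follow in any order, so they are not required for a match.
    return tokens[1:3] == ["delete", "shadows"]

def find_shadow_copy_deletions(events) -> list:
    """Return the records whose command line deletes volume shadow copies."""
    return [event for event in events if is_shadow_copy_deletion(event[2])]

if __name__ == "__main__":
    for ts, parent, cmd in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"{ts} parent={parent} cmd={cmd}")
```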

When it begins to encrypt user files, [email protected] crypto malware may look for the most widely used types of files, primarily associated with:

  • Videos.
  • Image files.
  • Audio files.
  • Database files.
  • Files associated with commonly used programs, such as Microsoft Office files.

After encryption, the affected files have the .XTBL file extension, a unique identification number, and the contact e-mail appended to their names, similar to other XTBL ransomware variants. A file encrypted by the [email protected] virus looks like the following:


Remove [email protected] Ransomware and Restore .XTBL Encrypted Files

To successfully delete this ransomware from your computer, malware researchers strongly advise using instructions like the ones below, since they are arranged in a methodical order and will help you get rid of this virus. If you run into difficulties or doubt that you can remove [email protected] ransomware manually, malware researchers advise using an advanced anti-malware program that will automatically scan for and remove the [email protected] threat.

To restore your files, we advise waiting for a direct decryptor to be released publicly instead of paying ransom money to cyber-criminals. We also recommend following this blog, since we are going to post an update as soon as decryption is available for free. Do not be tempted to attempt direct file recovery, because the Cipher Block Chaining (CBC) mode in this virus may break your files. In the meantime, you may try some of the alternative methods we suggested in step “3. Restore files encrypted by [email protected] Virus.”
