[email protected] Virus Remove and Restore .Xtbl Files

shutterstock_240798115Yet another ransomware virus has appeared, belonging to the notorious .XTBL ransomware variants. The malware has been the reason for report that it aims to encrypt the files of affected users. It may use AES encryption to encode the files of the user, RSA cipher to encode the AES decryption key and CBC-mode as a defensive measure. Users who have been infected by [email protected] ransomware are strongly advise to follow the step-by-step ransom instructions outlined in this article to remove this virus successfully. If you want to restore your files, we also advise attempting to use some of the file restoration methods in this report as well until a decryption becomes publicly available for free.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary

Name[email protected] Virus
TypeRansomware
Short DescriptionA variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
SymptomsAfter encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by [email protected] Virus

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss [email protected] Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Is [email protected] Spread?

To infect a high amount of users, the [email protected] ransomware may be included in a spam campaign that aims to spead phishing e-mails that imitate legitimate companies, like PayPal, banking institutions, etc. Such e-mail messages might have topics that are focused on persuading users that their bank accounts are suspended and others.

The main end goal for cyber-criminals is for users to either click on a malicious URL featured in the body of those e-mails or even an e-mail attachment of files, pretending to be:

  • Microsoft Excel Documents.
  • Microsoft Word Documents.
  • Adobe Reader Files.
  • Archives and photos.

As soon as users click on such links or attachments, the payload may be downloaded via a request from the C&C servers of the cyber-criminals.

[email protected] In Detail

After having infected the user, the [email protected] virus may drop it’s payload onto several different folders on the infected Windows machine:

→ C:\Users\ {User’s profile}\ AppData\ Roaming\ Microsoft\Windows\ Start Menu\Programs\ Startup\ Decryption instructions.jpg
C:\Users\ {User’s profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Startup\ Decryption instructions.txt
C:\Users\ {User’s profile}\ AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ {malicious payload file}.exe
C:\Windows\System32\ {malicious payload file}.exe

The virus targets the %Startup% folder very specifically because it allows it to be automatically executed on System Startup.

[email protected] Ransomware is also believed to delete the volume shadow copies of the computers which it infects. This may happen by executing an administrative command, called vssadmin:

→vssadmin delete shadows /all /quiet

When it begins to encrypt user files, [email protected] crypto malware may look for the most widely used type of files, primarily associated with:

  • Videos.
  • Image files.
  • Audio files.
  • Database files.
  • Files that are associated with programs often used, like Microsoft Office files, for example.

After encryption, the affected files are appended the .XTBL file extension, a unique identification number, and the contact e-mail, similar to other XTBL ransomware variants. An encrypted file by the [email protected] virus looks like the following:

systemdown-ransomware-encrypted-file-xtbl-sensorstechforum

Remove [email protected] Ransomware and Restore .XTBL Encrypted Files

To successfully delete this ransomware from your computer, malware researchers strongly advise using instructions like the ones below, since they are arranged methodologically correct and will help you get rid of this virus. In case you are experiencing difficulties and doubts that you will manually remove [email protected] ransomware, malware researchers advise using an advanced anti-malware program that will automatically scan for and remove the [email protected] threat.

To restore your files, we advise waiting for a direct decryptor being released in public instead of having to pay ransom money to cyber-criminals to restore your files. We also recommend following this blog since we are going to post an update as soon as decryption is available for free. Do not be tempted to attempt direct file-recovery because the Cipher Block Chaining (CBC) mode in this virus may break your files. In the meantime, you may try some of the alternative methods we suggested in step “3. Restore files encrypted by [email protected] Virus.”

Manually delete [email protected] Virus from your computer

Note! Substantial notification about the [email protected] Virus threat: Manual removal of [email protected] Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove [email protected] Virus files and objects
2.Find malicious files created by [email protected] Virus on your PC
3.Fix registry entries created by [email protected] Virus on your PC

Automatically remove [email protected] Virus by downloading an advanced anti-malware program

1. Remove [email protected] Virus with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by [email protected] Virus in the future
3. Restore files encrypted by [email protected] Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.