Virus Remove and Restore .XTBL Files - How to, Technology and PC Security Forum |
THREAT REMOVAL Virus Remove and Restore .XTBL Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

veracrypt-ransomware-malware-sensorstechforumRansomware virus belonging to the Troldesh ransomware viruses called virus has been detected by ESG malware researchers to cause infections and run on system startup. Being part of the XTBL ransomware variants the virus is created to generate money by encrypting the files on infected computers with a strong algorithm and sending the decryption key to cyber criminals. After this it asks users to pay a certain “fee” to gain access to their files. In case you have been infected by this ransomware, we advise you to read this article and learn ways of removing it and trying to restore your files.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encoded by the the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found on the link below:
Decrypt Files Encrypted by Shade Ransowmare

Threat Summary
Short DescriptionA variant of the .XTBL ransomware viruses. Encrypts files with a strong encryption and drops a ransom note with payoff for decryption instructions.
SymptomsAfter encryption the ransomware may steal information and appends .xtbl extension after every file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by


Malware Removal Tool

User ExperienceJoin our forum to Discuss Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. Ransomware – How Does It Infect?

The creators of Ransomware may use different strategies to infect users. They have taken into consideration that infection with malware is a bottleneck when it comes to ransomware – from it, the whole outcome of the cyber-crooks making money is dependable. This is why different strategies to replicate malicious URLs and malicious executables may be employed.

Gone are the days when cyber-criminals would directly use the malicious executable to infect a computer. Nowadays, predominantly exploit kits or JavaScript attacks are used. If an executable is dropped on the user PC, however, it may be heavily obfuscated via an obfuscation software that aims to hide it from any real-time shields of antivirus programs. Such obfuscators are usually very expensive, and cyber-criminals invest a great deal in them.

The most widely used distribution method is to replicate files using spam e-mail messages. Such messages usually contain convincing statements in them to get users to open the attachments or click on certain URLs that cause infections via drive-by downloads. This is the main reason why it is strongly advisable to check everything on your email, you believe suspicious before opening it or downloading it on your computer. Ransomware – Detailed Background

As soon as ransomware causes an infection, it may immediately download it’s malicious executables. ESG malware researchers have reported that the virus may connect to a third-party remote host and download the file-encryption .exe object onto the %Startup% folder of the infected computer to make it run on system boot:

→%SystemDrive%\Users\{user’s profile name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{the payload file}.exe

In addition to dropping this file, the virus may also drop other support files, like a .bat file that may automatically run and delete the shadow copies and other backups on the affected computer using the following command:

→vssadmin delete shadows /all /quiet

The “/quiet” suffix is a mode which allows this ransomware to delete any file history and previous versions of files without the user noticing.

When the .exe which encrypts files is ran, it may immediately begin to scan for specific file-types to encrypt. Malware researchers believe that the virus may be configured to look for these specific types of files and encrypt only them:

→.jpg, .jpg2, .png, .ppt, .pptm, .pptx, .bmp, .doc, .docm, .docx, .docxml, .pdf, .gif, .rtf, .tar, .targz, .targz2, .txt, .xlmv, .xls, .xlsm, .xlsx, .xml, .mkv, .mov , .mp4, .mpeg, .mpg, .msg, .myd, .myi, .obj, .odb, .odc, .odm, .ods, .oft,. one, .onepkg, .onetoc2, .opt, .oqy, .p7b, .p7c, .pcx, .pdd, .pdp, .pem, .pfx, .php, .php3, .php4, .php5, .phtml, .pl, .pm, .pot, .potm, .potx, .pps, .ppsn, .prn, .pst, .ptx, .pxr, .py, .ai3, .ai4, .ai5, .ai6, .arw, .as, .ASA, .ascx, .asmx, .asp, .aspx,. asr, .avi, .bak, .bay, .bz2, .c, .cdr, .cer, .cfc, .cfn, .cfnl, .cin, .chm, .class, .config, .cpp, .crt, .cs, .css, .csv, .cub, .dae, .db, .dc3, .dcm, .der, .dic, .dif, .divx, .djvu, .dl, .dot, .dotm , .dotx, .dpx, .dqy, .dtd, .dwg, .dx, .dxf, .dsn, .dwt, .eps, .exr, .fido,. frm, .gz, .h, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .ind, .ini, .iqy, .j2c, .i2k, .java, .jp2, .jpc, .jpf, .jpx, .js, .jso, .json, .kmz, .lbi, .m4v, .mdb, .mdf, .mef , .mht, .mhtml, .r3d, .rar, .rdf, .rle , .rqy, .rss, .rw2, .rwl, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql,. srw, .ssi, .stn, .svg, .svg2, .swf, .tdi, .tga, .tld, .u3d, .udl, .uxdc, .vcs, .vda, .wbm, .wbmp, .xlk, .xlm, .xltx, .xlw, .xsd, .xsl, .xsc, .xslt, .xz, .wb2, .wim , .wmv, .zip, .3fr, .3gp, .7z

After the encryption process has been finished, the ads it’s trademark – a custom file extension which contains a unique ID, it’s e-mail and one of the two file extensions – .xtbl or CrySiS. These file extensions are very typical for viruses that belong to the XTBL ransomware variants family.

Encrypted files by ransomware look like the following:


The encryption algorithm used by the Ransomware may vary, however most viruses from this family either use just AES cipher to encode the files, or they use this algorithm in combination with RSA encryption of the decryption key which it generates. This is done as a security measure. After encryption, the Ransomware may generate post infection traffic and send the AES decryption key that is RSA encrypted to the malicious servers of the cyber-criminals.

Not only this, but the virus may also contain a so-called CBC (Cipher Block Chaining) mode that is particularly dangerous and may break the files if the user tires to modify them in any way, like use other decryptors to decode them, so if you have encrypted files, we suggest making copies of them straight away. Ransomware – Remove It and Try To Restore Your Files

For conclusion, there are multiple ransomware variants of this virus, and this is a strong indicator that it may be available somewhere in the deep web markets. Every variant of this virus may be different, but most of them have a lot in common as well, suggesting that the ransomware may be created with a toolkit that allows even users that are not tech savvy to configure it according to their standards.

If you want to erase crypto virus from your computer, you should act fast, because this virus may have set a deadline for paying the ransom and may start performing unpleasant activities on your files as soon as this deadline expires. This is why we have created a quick and easy step-by-step tutorial after this article which you should follow. For the fastest and best results, malware researchers also advise downloading an advanced anti-malware program which will not only fully delete this virus with all its support files but will also make sure you are protected in the future as well.

To restore files that have been encoded by the ransomware virus, we suggest the alternative methods in step “3.Restore files encrypted by Ransomware” below. If you are to try directly decrypting your files using any third-party decryptor, we advise you to create copies of the encrypted files and try decrypting them from a safe PC, because this virus may damage the files if you to tamper with them.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share