.XTBL ransomware

What is .XTBL ransomware?

.XTBL ransomware is the newest manifestation of a malware family that appends the .xtbl extension to every file it encrypts. Removing it is a must to restore your computer's security, but removal alone does not undo the damage: the encrypted files stay useless. The infection's purpose is to extort money from you, so you should not give in and fall into this trap. In this short article we give an overview of how this ransomware is distributed, how it works, and how you can get rid of it.

Where does .XTBL ransomware come from?

Cyber security analysts at Anti-spyware-101.com have found that .XTBL ransomware is almost identical to JohnyCryptor Ransomware, Vegclass@aol.com Ransomware, and Saraswati Ransomware, so we have reason to believe that all of them come from the same developers, who are thought to be based in India. More ransomware of this kind is likely to follow in the near future, so it is important to be prepared, and that starts with knowing how it is distributed.

Malware researchers have found that this and similar infections are disseminated through email spam, P2P file-sharing platforms, and exploit kits, with email spam the most common channel. The spam is sent in bulk from dedicated servers and disguised as invoices for online purchases, business correspondence, and the like; the aim is to make each message look important and, above all, legitimate. Each message carries an attachment, usually a Word or PDF document, that drops the malicious payload when you open it (a Word attachment will typically first ask you to enable macros; do not).

Exploit kits are another common way of infecting a computer with ransomware. They are hosted on malicious or compromised websites and target vulnerabilities in out-of-date browser plug-ins, above all Adobe Flash and Java, so keep those plug-ins and your browser up to date (or remove the plug-ins if you do not need them) to minimize the chance of your computer becoming infected with .XTBL ransomware this way. As you can see, this infection has no shortage of ways into your computer, and it enters silently, so you usually learn of it only when the encryption is already done.

What does .XTBL ransomware do?

When this infection successfully enters a computer, it drops a randomly-named executable in two locations: C:\Windows\System32 and C:\Windows\SysWOW64. The name is a random mix of upper-case and lower-case letters and digits. It also creates a registry value that runs the executable on system start-up, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; unfortunately, the value name is randomized in the same way. Finally, it drops How to decrypt your files.jpg, How to decrypt your files.txt and another copy of its executable in C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, so that the operating system launches them every time it boots.

With all files in place, the ransomware springs into action and scans the computer for files of interest: videos, audio, documents, images, and other file types likely to hold personal data you would be willing to pay for. It encrypts them with AES-128, rendering them inaccessible, and then "offers" to sell you the decryption key to get them back. We do not recommend paying the ransom: the cyber criminals may not hand over the key anyway, and your files would remain damaged and unusable.

How do I remove .XTBL ransomware?

.XTBL ransomware is a dangerous infection that you ought to remove from your computer as soon as possible. However, getting rid of it will not fix your files: they remain encrypted, and there is no way to decrypt them without the key, which is in the possession of the cyber criminals. To eradicate the infection you have to delete its files and its Run registry value, but that may prove tricky because the file and value names are randomized strings of lower-case and upper-case letters and digits. If you have trouble identifying the ransomware, use an anti-malware tool such as SpyHunter, which will be able to locate and remove it.

How to delete this ransomware’s files

  1. Press the Windows+E keys on your keyboard.
  2. In the resulting window's address bar, enter each of the following addresses in turn.
    • C:\Windows\System32
    • C:\Windows\SysWOW64
    • C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  3. Identify the randomly-named executable and (in the third directory) the files named How to decrypt your files.jpg and How to decrypt your files.txt.
  4. Right-click on each of them and click Delete.
  5. Empty the Recycle Bin.

Delete the registry key

  1. Press the Windows+R keys on your keyboard.
  2. Enter regedit in the box and click OK.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Locate the randomly-named string value whose Value data is C:\Windows\System32\{randomly named}.exe.
  5. Right-click on it and click Delete.
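The persistence locations described above and the two manual procedures can be checked in one pass with the following PowerShell script. It is an added example written for this article, not a tool from the original page or from any vendor. It assumes the article's description is accurate (random alphanumeric names, the System32 and SysWOW64 drop directories, the Run value and the Startup folder) and treats a name of eight or more mixed-case alphanumerics containing at least one digit as "random"; that heuristic is an assumption, so verify each hit before deleting. By default it only reports; -Remove stops the running copy and deletes what was found. It does not and cannot decrypt .xtbl files.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Reports the .XTBL indicators described above; deletes only with -Remove.
[CmdletBinding()]
param(
    [switch]$Remove,
    [string[]]$ScanRoots = @($env:USERPROFILE)   # where to count .xtbl files
)

# Locations named in the article.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$startup  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$notes    = @('How to decrypt your files.jpg', 'How to decrypt your files.txt')

# Assumption: a "random" name is 8+ alphanumerics with lower-case, upper-case
# and a digit (e.g. aB3kL9xQ). Legitimate binaries rarely match, but treat
# every hit as a lead to verify (publisher, signature, timestamp), not proof.
$randomName = '^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}$'
$metaProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run values whose data points at an EXE inside System32 or SysWOW64.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($metaProps -contains $p.Name) { continue }     # provider metadata, not a value
    $data = [string]$p.Value
    # Value data is either "quoted path" args or a bare path; take the path.
    $exe = if ($data -match '^"([^"]+)"') { $Matches[1] } else { ($data -split '\s+')[0] }
    if (-not $exe) { continue }
    $dir  = Split-Path -Parent $exe
    $leaf = [IO.Path]::GetFileNameWithoutExtension($exe)
    if (($dropDirs -contains $dir) -and ($leaf -cmatch $randomName)) {
        $findings.Add([pscustomobject]@{ Type = 'RunValue'; Name = $p.Name; Path = $exe })
    }
}

# 2. Randomly-named executables in the drop directories and the Startup folder.
foreach ($dir in ($dropDirs + $startup)) {
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -cmatch $randomName } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'Executable'; Name = $_.Name; Path = $_.FullName })
        }
}

# 3. Ransom notes in the Startup folder.
foreach ($n in $notes) {
    $path = Join-Path $startup $n
    if (Test-Path -LiteralPath $path) {
        $findings.Add([pscustomobject]@{ Type = 'RansomNote'; Name = $n; Path = $path })
    }
}

# 4. Impact estimate: how many files already carry the .xtbl extension.
$encrypted = @(foreach ($root in $ScanRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Filter *.xtbl -File -ErrorAction SilentlyContinue
})

$findings | Format-Table -AutoSize
'{0} file(s) with the .xtbl extension under {1}' -f $encrypted.Count, ($ScanRoots -join ', ')

if ($Remove -and $findings.Count -gt 0) {
    # A running copy cannot be deleted, so stop any process launched from a found path.
    $paths = $findings | ForEach-Object Path
    Get-Process | Where-Object { $_.Path -and ($paths -contains $_.Path) } | Stop-Process -Force
    foreach ($f in $findings) {
        if ($f.Type -eq 'RunValue') {
            Remove-ItemProperty -Path $runKey -Name $f.Name
        } else {
            Remove-Item -LiteralPath $f.Path -Force
        }
    }
    'Removed {0} item(s). Encrypted files are NOT recovered by this.' -f $findings.Count
}
```

Run it once without -Remove and review the table: a hit in System32 that is digitally signed by Microsoft is a false positive of the name heuristic, while an unsigned executable with a recent timestamp whose path also appears as Run value data matches the article's description. Only then re-run with -Remove; because the script stops the process and removes the Run value and the Startup copy together, the infection cannot relaunch itself on the next boot.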