.XTBL ransomware Removal Guide

Category: Trojans

If your files have suddenly become inaccessible and you notice that an additional .xtbl extension has been appended to them, then your computer has been infected with .XTBL ransomware, which has encrypted all of your personal files. .xtbl is an extension used by several ransomware-type infections that encrypt files and demand that you pay a ransom to purchase the decryption key and get them back. You must remove this infection as soon as possible to get your computer back to normal. Unfortunately, there is no known method for decrypting the files without purchasing the decryption key. .XTBL ransomware uses a strong encryption algorithm, RSA-2048. It is a military grade algorithm that is now available to the general public, and cyber criminals capitalize on that.

.XTBL ransomware is usually distributed using email spam or exploit kits embedded in malicious websites that contain Adobe Flash or Java elements with which the web browser interacts. Such exploit kits include Phoenix, BlackHole, Rig, Angler, and Nuclear. We do not know which of these kits this ransomware is set to use, but one thing is for sure: they enter without the user’s knowledge. When it is distributed using email spam, however, the ransomware’s files are hidden in a malicious attachment that may come as a fake PDF file, a file archive or a Word document with enabled macros. The methods used to disseminate this ransomware are diverse indeed. Therefore, you must keep your computer safe and secure by investing in an antimalware program that could stop this infection dead in its tracks.

If your computer is unprotected, then it might end up becoming infected with .XTBL ransomware. We want to mention that this particular ransomware has many clones that add the .xtbl extension when they encrypt. The list of clones includes JohnyCryptor Ransomware, Saraswati Ransomware, Redshitline Ransomware and several others. All of these applications use the AES-256 and RSA-2048 encryption algorithms to render your files useless. First, the ransomware scans the computer for files of interest that may include .mp4, .7z, .rar, .m4a, .wma, .zip, .sie, .sum, .png, .jpeg, .txt, .pptx, .ppt, .xlk, .m3u, .flv, .js, and so on. In all, this ransomware can encrypt over one hundred file types. It can therefore cause you serious problems if your computer has important information on it, and that is what the cyber criminals are hoping for. Files encrypted with the public RSA-2048 key can only be decrypted with the matching private key, but that key is hidden using AES-256, so you can only get it by paying the ransom. However, you should not pay it, because you might get duped: the cyber criminals might not give you the key, or the key you get might not work.

When .XTBL ransomware enters a computer, it usually drops its files in %WINDIR%\SysWOW64 and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Its file names are generated randomly, so identifying them manually is a difficult task. Furthermore, it creates two other files named How to decrypt your files.txt and How to decrypt your files.jpg in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. How to decrypt your files.jpg is set as the desktop wallpaper, while How to decrypt your files.txt contains instructions on how to pay the ransom. To our knowledge, most of this ransomware’s clones ask for approximately $500 USD, to be paid in Bitcoins. The cyber criminals also provide you with instructions on how to buy Bitcoins. Since the files are located in the Startup folder, they are executed each time you boot up your system. This execution acts as a reminder to give the cyber criminals what they want.

However, you should deny them the means to get easy money by not paying the ransom, because that way they might give up making these infections once they see that ransomware is not profitable. Still, users that have very important files on their machines take the risk and pay the ransom. Sometimes they get the files back, other times they do not, so it is up to you to decide which course of action you should take. If you cannot locate this ransomware or if the deletion is not successful, then use SpyHunter. Testing has shown that this antimalware tool has no problem detecting and removing this infection.

Removal Guide

  1. Press Win+E keys on your keyboard.
  2. Go to %WINDIR%\SysWOW64 and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
  3. Delete How to decrypt your files.txt, How to decrypt your files.jpg and the ransomware's randomly named executable.
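
The manual check above can be scripted. The following read-only Python triage script is an added example, not part of the original guide: it looks for the two ransom notes and any executable in the Startup folder, tries to find the matching copy in SysWOW64, and lists .xtbl files in the data folders you give it. The function names are hypothetical, and two things are assumptions the guide does not confirm: that any .exe in Startup deserves review (that folder normally holds shortcuts), and that the SysWOW64 copy is byte-identical to the Startup one.

```python
import hashlib
import os
from pathlib import Path

# Note names and extension come from the guide; everything else is illustrative.
NOTE_NAMES = {"how to decrypt your files.txt", "how to decrypt your files.jpg"}
ENCRYPTED_EXT = ".xtbl"

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def files_in(folder):
    folder = Path(folder)
    return sorted(p for p in folder.iterdir() if p.is_file()) if folder.is_dir() else []

def scan(startup_dir, system_dir, data_dirs):
    """Read-only triage: returns lists of paths, deletes nothing."""
    found = {"notes": [], "startup_exes": [], "system_copies": [], "encrypted": []}
    for p in files_in(startup_dir):
        if p.name.lower() in NOTE_NAMES:
            found["notes"].append(p)
        elif p.suffix.lower() == ".exe":  # Startup normally holds .lnk shortcuts
            found["startup_exes"].append(p)
    # Assumption: the SysWOW64 copy is byte-identical to the Startup executable.
    wanted = {(p.stat().st_size, sha256(p)) for p in found["startup_exes"]}
    sizes = {size for size, _ in wanted}
    for p in files_in(system_dir):
        try:
            size = p.stat().st_size
            if size in sizes and (size, sha256(p)) in wanted:  # hash only on size match
                found["system_copies"].append(p)
        except OSError:
            continue  # locked or unreadable system file
    for root in data_dirs:
        for dirpath, _dirs, names in os.walk(root):
            found["encrypted"] += [Path(dirpath, n) for n in names
                                   if n.lower().endswith(ENCRYPTED_EXT)]
    return found

if __name__ == "__main__":
    startup = Path(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                   "Start Menu", "Programs", "Startup")
    system = Path(os.environ.get("WINDIR", ""), "SysWOW64")
    for kind, paths in scan(startup, system, [Path.home()]).items():
        print(f"{kind}: {len(paths)}", *paths[:10], sep="\n  ")
```

Review each reported path before deleting anything; an empty `system_copies` list only means no identical copy was found, not that SysWOW64 is clean.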