My client’s computer was hit with this .XTBL ransom virus today. After looking at the PC, I can see that only one drive is affected; files on the other drive attached to the computer are intact. Good thing he has a backup from a week before the .XTBL virus hit the computer.
Bitcoinrush@aol..com.xtbl is the specific ransomware we found. The format is (original_file_name).(original_extension).id-97501HUIS.bitcoinrush@aol.comxtbl. So the file image1.jpg becomes image1.jpg.bitcoinrush@aol.comxtbl.
When we send emails to the provided address, the hacker wants us to pay 2.53 Bitcoins. At the current exchange rate, it is around US $1,650. Well, my client does not have that money to pay for the encryption key. In fact, even if we had the budget, we would still push for a free decrypter for all .xtbl encrypted files. As mentioned, only a week of files are infected. Mostly media and images are encrypted, which are not so important but still have value.
Please tell us where to download an .xtbl decryption tool. Some sites we have visited are promoting file decryptor tools; however, none of them works realistically.
To give you a brief description, .xtbl files are actually infected with Ransom:Win32/Troldesh.A or Trojan-Ransom.Win32.Shade. It encrypts target files using an RSA-2048 key, which is actually a very complex algorithm. The ransomware then appends the original file with the following:
2. Extract the downloaded file to any preferred location.
3. Double-click on RakhniDecryptor.exe to run the tool.
4. Click on the Start Scan button to begin the process of searching for .XTBL encrypted files.
5. RakhniDecryptor will prompt you to specify the path for encrypted files. Navigate to the folder containing .XTBL encrypted files. Select supported file types such as Word, Excel, Music, Image, and so on. Never choose Text file in the selection, as it may cause errors during the decryption process.
6. After selecting file types, click on the Open button. RakhniDecryptor will scan the computer for files similar to the ones you have chosen. Therefore, you may need to run a separate scan for different file types and extensions.
7. The tool will prompt you once the scan and decryption have completed. Click on Details to view the scan results.
8. On the Scan results screen, you will have the list of all files successfully decrypted by the tool. You may now close the program and manually delete the encrypted files.
Additional Tools
Here are other tools you may use that can decrypt .XTBL files. Please note that they may only work for some variants of the Shade/Troldesh virus.
Shade Decryption Tool by McAfee
This is a command line tool that can decrypt some files encrypted by Shade Ransomware (.xtbl, .ytbl, .breaking_bad, .heisenberg).
Requirement: You must have the user ID, or 20 alphanumeric characters, that can be found on the ransom note.
Kaspersky Shade Decryptor
Works for Shade Ransomware versions 1 and 2 (Trojan-Ransom.Win32.Shade). This tool searches the database for the key and automatically decrypts the files if one is available.
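
Before the manual deletion in step 8 of the RakhniDecryptor procedure above, it helps to know which encrypted copies really have a decrypted file and which file types still need a separate scan (step 6). The Python script below is an added example, not part of the original post or of any tool mentioned here. It assumes the file-name forms quoted in the question, that the decryptor writes the decrypted file next to the encrypted copy under the original name, and that the contact address has no dots before the @ sign.

```python
import re
from collections import Counter
from pathlib import Path

# Naming forms quoted on this page:
#   <name>.<ext>.id-<ID>.<contact e-mail>.xtbl   (dot before "xtbl" optional)
#   <name>.<ext>.<contact e-mail>xtbl
# Assumption: the local part of the contact address contains no dots.
XTBL_NAME = re.compile(
    r"^(?P<orig>.+?)(?:\.id-(?P<id>[A-Za-z0-9]+))?"
    r"\.(?P<contact>[^\s@./\\]+@[^\s@/\\]+?)\.?xtbl$",
    re.IGNORECASE,
)

def parse_xtbl_name(filename):
    """Return (original_name, victim_id or None, contact), or None if no match."""
    m = XTBL_NAME.match(filename)
    return (m["orig"], m["id"], m["contact"]) if m else None

def inventory(root):
    """Walk root and classify every encrypted copy found."""
    report = {"types": Counter(), "restored": [], "pending": []}
    for path in sorted(Path(root).rglob("*")):
        parsed = parse_xtbl_name(path.name) if path.is_file() else None
        if parsed is None:
            continue
        original = path.with_name(parsed[0])
        report["types"][original.suffix.lower() or "(none)"] += 1
        # Assumption: a non-empty file with the original name beside the
        # encrypted copy means decryption succeeded for that file.
        restored = original.is_file() and original.stat().st_size > 0
        report["restored" if restored else "pending"].append(path)
    return report

if __name__ == "__main__":
    import sys
    rep = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("File types to select in the decryptor:", dict(rep["types"]))
    print(len(rep["restored"]), "encrypted copies have a decrypted file beside them")
    for p in rep["pending"]:
        print("NOT yet decrypted, keep:", p)
```

Run it against the affected drive after each decryption pass; anything listed as not yet decrypted should stay in place or be moved to an archive rather than deleted.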