Decrypting files after a virus. The virus encrypted the files and renamed them

And every year more and more new ones appear... and more and more interesting ones. The most widespread lately is a virus (Trojan-Ransom.Win32.Rector) that encrypts all your files (*.mp3, *.doc, *.docx, *.iso, *.pdf, *.jpg, *.rar, etc.). The problem is that decrypting such files is extremely difficult and time-consuming; depending on the type of encryption, decryption can take weeks, months, or even years. In my opinion, this virus is at the moment the apogee of danger among viruses. It is especially dangerous for home computers/laptops, since most users do not back up their data, and when the files are encrypted they lose everything. For organizations this virus is less dangerous, because they back up important data and in case of infection simply restore it, naturally after the virus is removed. I encountered this virus several times; I will describe how it happened and what it led to.

The first time I encountered a virus that encrypts files was in early 2014. An administrator from another city contacted me and told me the most unpleasant news: all files on the file server were encrypted! The infection occurred in an elementary way: the accounting department received a letter with the attachment “Act of something there.pdf.exe”; as you understand, they opened this EXE file and the process began... it encrypted all personal files on the computer and moved on to the file server (it was connected as a network drive). The administrator and I started digging for information on the Internet... at that time there was no solution... everyone wrote that there was such a virus, that it was not known how to treat it, that the files could not be decrypted, and that perhaps sending the files to Kaspersky, Dr Web or Nod32 would help. You can only send them if you use their antivirus programs (i.e. have licenses). We sent the files to Dr Web and Nod32; the results were zero. I don’t remember what Dr Web said, and Nod32 was completely silent; I never got any response from them. In general, everything was sad and we never found a solution; we restored some of the files from backup.

The second story: just the other day (mid-October 2014) I received a call from an organization asking me to solve a problem with a virus; as you understand, all the files on the computer were encrypted. Here's an example of what it looked like.

As you can see, the extension *.AES256 was added to each file. In each folder there was a file “Attention_open-me.txt” which contained contacts for communication.

When trying to open these files, a program opened with contacts for reaching the authors of the virus to pay for decryption. Of course, I do not recommend contacting them, nor paying for the code, since you will only support them financially and it is not a given that you will receive the decryption key.

The infection occurred during the installation of a program downloaded from the Internet. The most surprising thing was that when they noticed that the files had changed (icons and file extensions had changed), they did nothing and continued to work, while the ransomware continued to encrypt all files.

Attention!!! If you notice encryption of files on your computer (change in icons, change in extension), immediately turn off your computer/laptop and look for a solution from another device (from another computer/laptop, phone, tablet) or contact IT specialists. The longer your computer/laptop is turned on, the more files it will encrypt.

In general, I already wanted to refuse to help them, but I decided to surf the Internet; maybe a solution to this problem had already appeared. As a result of the search, I read a lot of information saying that it cannot be decrypted, that you need to send files to antivirus companies (Kaspersky, Dr Web or Nod32) - thanks for the experience.
Then I came across a utility from Kaspersky - RectorDecryptor. And lo and behold, the files were decrypted. Well, first things first...

The first step is to stop the ransomware. You won’t find it with antivirus software; the installed Dr Web didn’t detect anything. First of all, I went to startup and disabled all startup entries (except the antivirus). Rebooted the computer. Then I started looking at what kind of files were in startup.

As you can see, the “Command” field indicates where the file is located; special attention should be paid to applications without a signature (Manufacturer - No data). In the end I found and deleted the malware and the files that were not yet clear to me. After that I cleared the temporary folders and browser caches; for this purpose it is best to use the program CCleaner.

Then I started decrypting the files; for this I downloaded the decryption program RectorDecryptor. I launched it and saw the utility's rather ascetic interface.

I clicked “Start scanning” and indicated the extension that all changed files had.

And specified the encrypted file. In newer versions of RectorDecryptor you can simply specify the encrypted file. Click the "Open" button.

Tada-a-a-am!!! A miracle happened and the file was decrypted.

After this, the utility automatically checks all files on the computer + files on the connected network drive and decrypts them. The decryption process may take several hours (depending on the number of encrypted files and the speed of your computer).

As a result, all encrypted files were successfully decrypted into the same directory where they were originally located.

All that remains is to delete all files with the extension .AES256; this could be done by checking the “Delete encrypted files after successful decryption” checkbox if you click “Change scan parameters” in the RectorDecryptor window.

But remember that it is better not to check this box, because if the files are not successfully decrypted they will be deleted, and in order to try to decrypt them again you will first have to restore them.

When I tried to delete all the encrypted files using standard search and removal, I ran into freezes and an extremely slow computer.

Therefore, to remove them it is best to use the command line: run it and type del "<drive>:\*.<encrypted file extension>" /f /s. In my case, del "d:\*.AES256" /f /s.

Do not forget to delete the "Attention_open-me.txt" files; for this, in the command line use the command del "<drive>:\<file name>" /f /s, for example:
del "d:\Attention_open-me.txt" /f /s
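A more cautious alternative to the blanket del command, added here as an example (it is not from the article and not part of RectorDecryptor): it removes an .AES256 copy only when a non-empty decrypted file with the same base name sits beside it, which is exactly the case the warning about the “Delete encrypted files after successful decryption” checkbox is about. The sample directory tree is constructed.

```python
"""Remove leftover .AES256 copies only where a decrypted original is present.

Added example; not from the article and not RectorDecryptor's code. It replaces
the blanket `del "d:\\*.AES256" /f /s` with a check that mirrors the article's
warning: an encrypted copy without a usable decrypted counterpart is kept.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".aes256"           # extension the ransomware appended (matched case-insensitively)
RANSOM_NOTE = "Attention_open-me.txt"  # ransom note dropped into every folder


def decrypted_counterpart(encrypted: Path) -> Path:
    """report.docx.AES256 -> report.docx; the decryptor writes the result beside the original."""
    return encrypted.with_name(encrypted.name[: -len(ENCRYPTED_SUFFIX)])


def plan_cleanup(root: Path) -> dict[str, list[Path]]:
    """Classify every file under root without touching anything.

    delete: encrypted copy whose decrypted counterpart exists and is non-empty
    keep:   encrypted copy with no usable counterpart (decryption failed; retry later)
    notes:  ransom notes, removable regardless
    """
    plan: dict[str, list[Path]] = {"delete": [], "keep": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE.lower():
                plan["notes"].append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                original = decrypted_counterpart(path)
                if original.is_file() and original.stat().st_size > 0:
                    plan["delete"].append(path)
                else:
                    plan["keep"].append(path)
    return plan


def apply_cleanup(plan: dict[str, list[Path]], dry_run: bool = True) -> int:
    """Delete what the plan marks as safe; return how many files are (or would be) removed."""
    targets = plan["delete"] + plan["notes"]
    if not dry_run:
        for path in targets:
            path.unlink()
    return len(targets)


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: two recovered files, two failed decryptions, two ransom notes."""
    docs = root / "Documents"
    docs.mkdir()
    (root / RANSOM_NOTE).write_text("contact ...")                 # note at the top level
    (docs / RANSOM_NOTE).write_text("contact ...")                 # note inside a subfolder
    (docs / "report.docx").write_bytes(b"PK\x03\x04 recovered")    # decrypted OK
    (docs / "report.docx.AES256").write_bytes(b"\x00" * 16)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff recovered")    # decrypted OK
    (root / "photo.jpg.AES256").write_bytes(b"\x00" * 16)
    (root / "budget.xlsx.AES256").write_bytes(b"\x00" * 16)        # no budget.xlsx: decryption failed
    (root / "empty.pdf").write_bytes(b"")                           # zero-byte result: treat as failed
    (root / "empty.pdf.AES256").write_bytes(b"\x00" * 16)


def run_demo() -> dict[str, object]:
    """Build the fixture in a temp dir, plan, apply for real, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        plan = plan_cleanup(root)
        removed = apply_cleanup(plan, dry_run=False)
        leftover = sorted(p.name for p in root.rglob("*.AES256"))
        return {
            "delete": len(plan["delete"]),
            "keep": len(plan["keep"]),
            "notes": len(plan["notes"]),
            "removed": removed,
            "leftover": leftover,
        }


if __name__ == "__main__":
    print(run_demo())
```

Run it with dry_run=True first against the real drive to review the plan before anything is deleted.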

Thus, the virus was defeated and the files were restored. I want to warn you that this method won’t help everyone; the whole point is that Kaspersky has collected in this utility all the known decryption keys (from the files that were sent in by those infected with the virus) and uses a brute-force method to select a key and decrypt. I.e. if your files are encrypted by a virus with an unknown key, this method will not help... you will have to send the encrypted files to the antivirus companies - Kaspersky, Dr Web or Nod32 - to decrypt them.

Let us remind you: Trojans of the Trojan.Encoder family are malicious programs that encrypt files on a computer’s hard drive and demand money for decrypting them. Files such as *.mp3, *.doc, *.docx, *.pdf, *.jpg, *.rar and so on may be encrypted.
I have not personally met the entire family of this virus, but, as practice shows, the method of infection, treatment and decryption is approximately the same for all of them:
1. the victim is infected through a spam email with an attachment (less often by infectious means),
2. the virus is recognized and removed (already) by almost any antivirus with fresh databases,
3. files are decrypted by selecting password keys for the types of encryption used.
For example, Trojan.Encoder.225 uses RC4 (modified) + DES encryption, and Trojan.Encoder.263 uses BlowFish in CTR mode. These viruses are currently 99% decipherable based on personal experience.

But not everything is so smooth. Some encryption viruses require months of continuous decryption (Trojan.Encoder.102), while others (Trojan.Encoder.283) cannot be decrypted correctly even by specialists from the Doctor Web company, which actually plays a key role in this article.

Now, in order.

At the beginning of August 2013, clients contacted me with the problem of files encrypted by the Trojan.Encoder.225 virus. The virus, at that time, was new; no one knew anything, and there were 2-3 thematic Google links on the Internet. After a lengthy search on the Internet, it turned out that the only organization (that I found) dealing with the problem of decrypting files after this virus is the Doctor Web company. Namely: it gives recommendations, helps when you contact technical support, develops its own decryptors, etc.

A negative digression.

And, taking this opportunity, I would like to point out two fat minuses of Kaspersky Lab. The first: when you contact their technical support, they brush you off with “we are working on this issue, we will notify you of the results by mail.” And the second minus is that I never received a response to the request. After 4 months. Hell of a reaction time. And here I am striving for the standard “no more than one hour from the submission of the request.”
Shame on you, Comrade Evgeniy Kaspersky, general director of Kaspersky Lab. And a good half of all my companies “sit” on it. Well, okay, the licenses expire in January-March 2014. Is it worth talking about whether I will renew my license? ;)

I can picture the faces of the “specialists” from the “simpler” companies, so to speak, NOT the giants of the antivirus industry. They probably just “huddled in a corner” and “cried quietly.”
Although, what’s more, absolutely everyone screwed up completely. The antivirus, in principle, should not have allowed this virus to get onto the computer. Especially considering modern technologies. And “they”, the GIANTS of the anti-VIRUS industry, supposedly have everything covered: “heuristic analysis”, “preemptive system”, “proactive protection”...

WHERE WERE ALL THESE SUPER-SYSTEMS WHEN THE HR DEPARTMENT WORKER OPENED A “HARMLESS” LETTER WITH THE SUBJECT “RESUME”???
What was the employee supposed to think?
If YOU cannot protect us, then why do we need YOU at all?

And everything would be fine with Doctor Web, but to get help you must, of course, have a license for one of their software products. When contacting technical support (hereinafter referred to as TS), you must provide the Dr.Web serial number and don’t forget to select “request for treatment” in the “Request Category:” line, or simply send an encrypted file to the laboratory. Let me make a reservation right away that the so-called “magazine keys” for Dr.Web, which are posted on the Internet in batches, are not suitable, since they do not confirm the purchase of any software product and are weeded out by TS specialists in no time. It’s easier to buy the cheapest license. Because if you take on decryption, this license will pay for itself a million times over. Especially if the folder with the photos “Egypt 2012” existed in a single copy...

Attempt No. 1

So, having bought a “license for 2 PCs for a year” for an n-th amount of money, contacting TS and providing some files, I received a link to the decryption utility te225decrypt.exe version 1.3.0.0. Anticipating success, I launch the utility (you need to point it at one of the encrypted *.doc files). The utility begins the search, mercilessly loading the old processor, an E5300 DualCore 2600 MHz (overclocked to 3.46 GHz) / 8192 MB DDR2-800 / HDD 160 GB Western Digital, to 90-100%.
In parallel with me, a colleague ran it on a PC with a Core i5 2500K (overclocked to 4.5 GHz) / 16 GB RAM 1600 / Intel SSD (this is for the comparison of time spent at the end of the article).
After 6 days, the utility reported that 7277 files had been decrypted. But the happiness did not last long. All files were decrypted “crookedly”. That is, for example, Microsoft Office documents open, but with various errors: “Word found content in the *.docx document that could not be read” or “The *.docx file cannot be opened due to errors in its content.” *.jpg files also open either with an error, or 95% of the image turns out to be a faded black or light green background. For *.rar files - “Unexpected end of archive”.
Overall, a complete failure.

Attempt No. 2

We write to TS about the results. They ask us to provide a couple of files. A day later they again provide a link to the te225decrypt.exe utility, but version 1.3.2.0. Well, let's launch it; there was no alternative then anyway. About 6 days pass and the utility ends with the error “Unable to select encryption parameters.” In total, 13 days “down the drain.”
But we don’t give up: we have important documents of our *foolish* client who had no basic backups.

Attempt No. 3

We write to TS about the results. They ask us to provide a couple of files. And, as you may have guessed, a day later they provide a link to the same te225decrypt.exe utility, but version 1.4.2.0. Well, let’s launch it; there was no alternative, and none ever appeared from Kaspersky Lab, from ESET NOD32, or from other manufacturers of antivirus solutions. And now, after 5 days 3 hours 14 minutes (123.5 hours), the utility reports that the files have been decrypted (for the colleague on the Core i5, decryption took only 21 hours 10 minutes).
Well, I think, it either worked or it didn’t. And lo and behold: complete success! All files are decrypted correctly. Everything opens, closes, displays, edits and saves properly.

Everyone is happy, THE END.

“Where is the story about the Trojan.Encoder.263 virus?”, you ask. On the next PC, under the table... there it was. Everything was simpler there: we write to the Doctor Web TS, get the te263decrypt.exe utility, launch it, wait 6.5 days, and voila! Everything is ready. To summarize, I can give some advice from the Doctor Web forum, in my edition:

What to do if you are infected with a ransomware virus:
- send an encrypted doc file to the Dr.Web virus laboratory, or via the “Submit suspicious file” form.
- Wait for a response from a Dr.Web employee and then follow his instructions.

What NOT to do:
- change the extension of encrypted files; otherwise, even with a successfully selected key, the utility simply will not “see” the files that need to be decrypted.
- use independently, without consulting specialists, any programs for decrypting/recovering data.

Attention: having a server free from other tasks, I offer my free services for decrypting YOUR data. Server: Core i7-3770K overclocked to *certain frequencies*, 16 GB of RAM and an SSD Vertex 4.
For all active users of “habra”, use of my resources will be FREE!!!

Write to me in a private message or through other contacts. I’ve already “eaten the dog” on this, so I’m not too lazy to set the server to decrypt overnight.
This virus is the “scourge” of our time and taking “loot” from fellow soldiers is not humane. Although, if someone “throws” a couple of bucks into my Yandex.money account 410011278501419, I won’t mind. But this is not at all necessary. Contact me. I process requests in my free time.

New information!

Starting from December 8, 2013, a new virus from the same Trojan.Encoder series began to spread, under the Doctor Web classification Trojan.Encoder.263, but with RSA encryption. As of today (12/20/2013) this type cannot be deciphered, as it uses a very strong encryption method.

I recommend to everyone who has suffered from this virus:
1. Using the built-in Windows search, find all files with the .perfect extension and copy them to external media.
2. Copy the CONTACT.txt file as well
3. Place this external media “on the shelf”.
4. Wait for the decryptor utility to appear.

What NOT to do:
There is no need to deal with criminals. This is stupid. In more than 50% of cases, after “paying” approximately 5000 rubles, you will receive NOTHING. No money, no decryptor.
To be fair, it is worth noting that there are those “lucky” people on the Internet who got their files back by paying “loot” for decryption. But you shouldn't trust these people. If I were a virus writer, the first thing I would do would be to spread information like “I paid and they sent me a decoder!!!”
Behind these “lucky ones” there may be the same attackers.

Well... let's wish good luck to other antivirus companies in creating a utility for decrypting files after the Trojan.Encoder group of viruses.

Special thanks to comrade v.martyanov from the Doctor Web forum for the work done on creating decryption utilities.

Today, computer and laptop users are increasingly faced with malware that replaces files with encrypted copies of them. Essentially, these are viruses. The XTBL ransomware is considered one of the most dangerous of this kind. What is this pest, how does it get onto the user’s computer, and is it possible to restore the damaged information?

What is XTBL ransomware and how does it get into the computer?

If you find files with long names and the extension .xtbl, then we can say with confidence that a dangerous virus has entered the system: the XTBL encryptor. It affects all versions of Windows. It is almost impossible to decrypt such files yourself, because the program uses a hybrid mode in which key selection is simply impossible.

The system directories fill up with infected files. Records are added to the Windows registry which automatically launch the virus every time the OS starts.

Almost all types of files are encrypted - graphic, text, archive, email, video, music, etc. It becomes impossible to work in Windows.

How does it work? The XTBL ransomware running on Windows first scans all logical drives. This includes cloud and network storage mounted on the computer. The files are then grouped by extension and encrypted. Thus, all valuable information located in the user's folders becomes inaccessible.


This is the picture the user will see instead of icons with the names of familiar files

Under the influence of the XTBL ransomware, the file extension changes. Now, instead of an image or a Word text, the user sees the icon of a blank sheet and a long name ending in .xtbl. In addition, a message appears on the desktop, a kind of instruction for restoring the encrypted information, demanding payment for unlocking. This is nothing more than blackmail demanding a ransom.


This message appears in the desktop window of your computer.

XTBL ransomware is usually distributed via email. The email contains attached files or documents infected with the virus. The scammer attracts the user with a colorful headline. Everything is done to ensure that the message, which says, for example, that you have won a million, gets opened. Do not respond to such messages; otherwise there is a high risk that the virus will end up in your OS.

Is it possible to recover information?

You can try to decrypt the information using special utilities. However, there is no guarantee that you will be able to get rid of the virus and restore damaged files.

Currently, XTBL ransomware poses an undeniable threat to all computers running Windows OS. Even the recognized leaders in the fight against viruses - Dr.Web and Kaspersky Lab - do not have a 100% solution to this issue.

Removing a virus and restoring encrypted files

There are different methods and programs that allow you to deal with the XTBL encryptor. Some remove the virus itself, others try to decrypt the locked files or restore their previous copies.

Stopping a computer infection

If you are lucky enough to notice that files with the .xtbl extension begin to appear on your computer, then it is quite possible to interrupt the process of further infection.

Kaspersky Virus Removal Tool to remove XTBL ransomware

All such programs should be run in an OS that has previously been booted in safe mode with network drivers loaded. In this case it is much easier to remove the virus, since only the minimum number of system processes required to start Windows are running.

To boot into safe mode in Windows XP or 7, press the F8 key repeatedly during system startup and, after the menu window appears, select the appropriate item. In Windows 8 or 10 you should restart the OS while holding the Shift key. During the startup process a window will open where you can select the required safe boot option.


Selecting safe mode with loading network drivers

The Kaspersky Virus Removal Tool program perfectly recognizes the XTBL ransomware and removes this type of virus. Run a computer scan by clicking the appropriate button after downloading the utility. Once the scan is complete, delete any malicious files found.


Running a computer scan for the presence of XTBL ransomware in Windows OS and then removing the virus

Dr.Web CureIt!

The algorithm for checking and removing a virus is practically no different from the previous version. Use the utility to scan all logical drives. To do this, you just need to follow the commands of the program after launching it. At the end of the process, get rid of the infected files by clicking the “Decontaminate” button.


Neutralizing malicious files after scanning Windows

Malwarebytes Anti-malware

The program will carry out a step-by-step check of your computer for the presence of malicious codes and destroy them.

  1. Install and run the Anti-malware utility.
  2. Select “Run scan” at the bottom of the window that opens.
  3. Wait for the process to complete and check the checkboxes with infected files.
  4. Delete the selection.


Removing malicious XTBL ransomware files detected during scanning

Online decryptor script from Dr.Web

On the official Dr.Web website in the support section there is a tab with a script for online file decryption. Please note that only those users who have an antivirus from this developer installed on their computers will be able to use the decryptor online.


Read the instructions, fill out everything required and click the “Submit” button

RectorDecryptor decryption utility from Kaspersky Lab

Kaspersky Lab also decrypts files. On the official website you can download the RectorDecryptor.exe utility for versions Windows Vista, 7, 8, by following the menu links “Support - Treatment and decryption of files - RectorDecryptor - How to decrypt files.” Run the program, perform a scan, and then delete encrypted files by selecting the appropriate option.


Scanning and decrypting files infected with XTBL ransomware

Restoring encrypted files from a backup

Starting from Windows 7, you can try to restore files from backups.

ShadowExplorer to recover encrypted files

The program is portable; it can be run from any media.


QPhotoRec

The program is specially created to recover damaged and deleted files. Using built-in algorithms, the utility finds all lost information and returns it to its original state.

QPhotoRec is free.

Unfortunately, there is only an English version of QPhotoRec, but understanding the settings is not difficult at all, the interface is intuitive.

  1. Launch the program.
  2. Mark the logical drives with encrypted information.
  3. Click the File Formats button and OK.
  4. Using the Browse button at the bottom of the window that opens, select the location to save the files and start the recovery procedure by clicking Search.


QPhotoRec recovers files deleted by XTBL ransomware and replaced with its own copies

How to decrypt files - video

What not to do

  1. Never take actions that you are not completely sure of. Better to invite a specialist from a service center or take the computer there yourself.
  2. Don't open Email messages from unknown senders.
  3. Under no circumstances should you follow the lead of blackmailers by agreeing to transfer money to them. This will most likely not give any results.
  4. Do not manually rename the extensions of encrypted files and do not rush to reinstall Windows. It may be possible to find a solution that will correct the situation.

Prevention

Try to install reliable protection against the penetration of XTBL ransomware and similar ransomware viruses onto your computer. Such programs include:

  • Malwarebytes Anti-Ransomware;
  • BitDefender Anti-Ransomware;
  • WinAntiRansom;
  • CryptoPrevent.

Despite the fact that they are all English-language, working with such utilities is quite simple. Launch the program and select the protection level in the settings.


Launching the program and selecting the protection level

If you have encountered a ransomware virus that encrypts files on your computer, then, of course, you should not despair right away. Try using the suggested methods for restoring the damaged information. This often gives a positive result. Do not use untested programs from unknown developers to remove XTBL ransomware; this can only worsen the situation. If possible, install one of the programs that prevents the virus from working on your PC, and carry out regular scheduled Windows scans for malicious processes.

If the system is infected with malware of the families Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, then all files on the computer will be encrypted as follows:

  • When infected with Trojan-Ransom.Win32.Rannoh, names and extensions change according to the template locked-<original_name>.<4 random letters>.
  • When infected with Trojan-Ransom.Win32.Cryakl, a label is added to the end of the file contents (CRYPTENDBLACKDC).
  • When infected with Trojan-Ransom.Win32.AutoIt, the extension changes according to the template <original_name>@<mail_domain>_.<character_set>.
    For example, [email protected] _.RZWDTDIC.
  • When infected with Trojan-Ransom.Win32.CryptXXX, the extension changes according to the templates <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.
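Before running a decryptor it helps to know which family renamed what. The following triage script is an added example (not Kaspersky's code and not part of RannohDecryptor): it walks a tree read-only, attributes each file to a family by the naming templates listed above, and for Cryakl, which keeps the original name, looks for the CRYPTENDBLACKDC marker at the end of the file contents. The sample file names and the mail domain in the fixture are constructed.

```python
"""Attribute renamed files to the ransomware families listed above.

Added example; not Kaspersky's code and not part of RannohDecryptor. Name-based
templates are applied first (they also work on a directory listing taken from an
offline image); the Cryakl content check runs last. Fixture values are constructed.
"""
from __future__ import annotations

import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# locked-<original_name>.<4 random letters>
RANNOH_RE = re.compile(r"^locked-(?P<orig>.+)\.(?P<tag>[A-Za-z]{4})$")
# <original_name>@<mail_domain>_.<character_set>; the domain is attacker-controlled, so
# anything domain-shaped is accepted (constructed regex, not from the page)
AUTOIT_RE = re.compile(r"^(?P<orig>.+)@(?P<domain>[\w.-]+\.[A-Za-z]{2,})_\.(?P<tag>[A-Za-z0-9]+)$")
# <original_name>.crypt, <original_name>.crypz, <original_name>.cryp1
CRYPTXXX_RE = re.compile(r"^(?P<orig>.+)\.(?P<ext>crypt|crypz|cryp1)$", re.IGNORECASE)
# Cryakl: file name unchanged, marker appended to the file contents
CRYAKL_MARKER = b"CRYPTENDBLACKDC"
TAIL_BYTES = 4096  # only the tail is read, so large files are never loaded into memory


def has_cryakl_marker(path: Path) -> bool:
    """True if the Cryakl marker appears within the last TAIL_BYTES of the file."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - TAIL_BYTES))
        return CRYAKL_MARKER in fh.read()


def classify(path: Path) -> tuple[str, str] | None:
    """Return (family, original_name), or None when no template matches."""
    name = path.name
    for family, pattern in (("Rannoh", RANNOH_RE), ("AutoIt", AUTOIT_RE), ("CryptXXX", CRYPTXXX_RE)):
        match = pattern.match(name)
        if match:
            return family, match["orig"]
    if path.is_file() and has_cryakl_marker(path):
        return "Cryakl", name  # Cryakl does not rename the file
    return None


def inventory(root: Path) -> tuple[Counter, list[tuple[Path, str, str]]]:
    """Walk root read-only; return per-family counts and the attributed files."""
    counts: Counter = Counter()
    hits: list[tuple[Path, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            result = classify(path)
            if result is None:
                counts["unmatched"] += 1
                continue
            family, original = result
            counts[family] += 1
            hits.append((path, family, original))
    return counts, hits


def build_sample_tree(root: Path) -> None:
    """Constructed fixture covering every template on the page plus two decoys."""
    (root / "locked-report.docx.abcd").write_bytes(b"\x00" * 32)           # Rannoh
    (root / "locked-notes.txt.toolong").write_bytes(b"\x00" * 32)          # decoy: tag is not 4 letters
    (root / "photo.jpg@mail.example_.RZWDTDIC").write_bytes(b"\x00" * 32)  # AutoIt (constructed domain)
    (root / "budget.xlsx.crypt").write_bytes(b"\x00" * 32)                 # CryptXXX
    (root / "deck.pptx.crypz").write_bytes(b"\x00" * 32)                   # CryptXXX
    (root / "scan.pdf.cryp1").write_bytes(b"\x00" * 32)                    # CryptXXX
    (root / "memo.doc").write_bytes(b"\x00" * 32 + CRYAKL_MARKER)          # Cryakl: name kept, marker appended
    (root / "clean.txt").write_bytes(b"nothing to see")                    # decoy: untouched file


def run_demo() -> dict[str, object]:
    """Build the fixture in a temp dir and return the inventory as plain values."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        counts, hits = inventory(root)
        return {
            "counts": dict(counts),
            "originals": sorted(original for _path, _family, original in hits),
        }


if __name__ == "__main__":
    print(run_demo())
```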

The RannohDecryptor utility is designed to decrypt files after infection with Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

How to cure the system

To cure an infected system:

  1. Download the RannohDecryptor.zip file.
  2. Run RannohDecryptor.exe on the infected machine.
  3. In the main window, click Start checking.
  4. Specify the path to an encrypted file and its unencrypted copy.
    If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, specify the largest files you have. Decryption will only be available for files of equal or smaller size.
  5. Wait until the search and decryption of encrypted files is finished.
  6. Restart your computer if required.
  7. To delete the copies of encrypted files like locked-<original_name>.<4 random letters> after successful decryption, select Delete encrypted files after successful decryption.

If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility will save the file in the old location with the extension .decryptedKLR.original_extension. If you have chosen Delete encrypted files after successful decryption, the utility will save the decrypted file with its original name.

By default, the utility writes its work report to the root of the system disk (the disk on which the OS is installed).

The report name is as follows: UtilityName.Version_Date_Time_log.txt

For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

In a system infected with Trojan-Ransom.Win32.CryptXXX, the utility scans a limited number of file formats. If the user selects a file affected by CryptXXX v2, recovering the key may take a long time. In this case, the utility displays a warning.

Ransomware hackers are very similar to regular blackmailers. Both in the real world and in the cyber environment, there is a single or group target of attack. It is either stolen or made inaccessible. Next, criminals use certain means of communication with victims to convey their demands. Computer scammers usually choose only a few formats for a ransom letter, but copies can be found in almost any memory location on an infected system. In the case of the spyware family known as Troldesh or Shade, scammers take a special approach when contacting the victim.

Let's take a closer look at this strain of ransomware virus, which is aimed at the Russian-speaking audience. Most similar infections detect the keyboard layout on the attacked PC, and if one of the languages is Russian, the intrusion stops. However, the XTBL ransomware is indiscriminate: unfortunately for users, the attack unfolds regardless of their geographic location and language preferences. A clear embodiment of this versatility is a warning that appears in the desktop background, as well as a TXT file with instructions for paying the ransom.

The XTBL virus is usually spread through spam. The messages look like letters from famous brands, or are simply conspicuous because the subject line uses expressions such as “Urgent!” or “Important Financial Documents.” The phishing trick works when the recipient of such an e-mail downloads a ZIP file containing JavaScript code, or a Docm object with a potentially vulnerable macro.

Having completed its basic routine on a compromised PC, the ransomware Trojan proceeds to search for data that may be of value to the user. For this purpose the virus scans local and external storage, matching each file against a set of formats selected by the object's extension. All .jpg, .wav, .doc, .xls files, as well as many other objects, are encrypted using the AES-256 symmetric block cipher.

There are two aspects to this harmful impact. First of all, the user loses access to important data. In addition, the file names are deeply encoded, which produces a meaningless set of hexadecimal characters. All that unites the names of the affected files is the xtbl extension added to them, i.e. the name of the cyber threat. Encrypted file names sometimes have a special format. In some versions of Troldesh, the names of the encrypted objects may remain unchanged, with a unique code appended: [email protected], [email protected], or [email protected].

Obviously, by inserting e-mail addresses directly into the file names, the attackers are indicating to the victims the method of communication. The e-mail is also given elsewhere, namely in the ransom note contained in the “Readme.txt” file. Such Notepad documents appear on the Desktop, as well as in all folders with encrypted data. The key message is:

“All files were encrypted. To decrypt them, you need to send the code: [Your unique cipher] to the email address [email protected] or [email protected]. Next you will get all the necessary instructions. Attempts to decrypt on your own will lead to nothing but irretrievable loss of information.”

The email address may change depending on the blackmail group spreading the virus.

Regarding further developments: in general outline, the scammers respond with a recommendation to transfer a ransom, which can be 3 bitcoins, or another amount in this range. Please note that no one can guarantee that the hackers will fulfill their promise even after receiving the money. To restore access to .xtbl files, affected users are recommended to first try all available alternative methods. In some cases, the data can be put back in order using the Volume Shadow Copy service provided directly in Windows, as well as data decryption and data recovery programs from independent software developers.

Remove XTBL ransomware using an automatic cleaner

An exceptionally effective method of dealing with malware in general and ransomware in particular. The use of a proven protective suite guarantees thorough detection of any viral components and their complete removal with one click. Please note that we are talking about two different processes: removing the infection and restoring the files on your PC. However, the threat certainly needs to be removed, since there is information about other computer Trojans being introduced through it.

  1. After starting the software, click the Start Computer Scan (Start scanning) button.
  2. The installed software will provide a report on the threats detected during the scan. To remove all detected threats, select the option Fix Threats (Eliminate threats). The malware in question will be completely removed.

Restore access to encrypted files with the extension .xtbl

As noted, the XTBL ransomware locks files using a strong encryption algorithm, so the encrypted data cannot be restored with a wave of a magic wand - if you do not count paying an unheard-of ransom. But some methods can really be a lifesaver and help you recover important data. You can familiarize yourself with them below.

Decryptor - a program for automatic file recovery

A very unusual circumstance is known. This infection erases the source files in their unencrypted form; the encryption for extortion purposes thus targets copies of them. This gives file-recovery software the opportunity to recover the erased objects, even where the reliability of their deletion is supposedly guaranteed. It is strongly recommended to resort to the file recovery procedure, the effectiveness of which has been confirmed more than once.

Shadow copies of volumes

The approach is based on the Windows file backup procedure, which is repeated at each restore point. An important condition for this method to work: System Restore must have been activated before the infection occurred. However, any changes to a file made after the restore point will not appear in the restored version of the file.

Backup

This is the best of all the non-ransom methods. If data was backed up to an external server before the ransomware attack on your computer, then to restore the encrypted files you simply need to enter the appropriate interface, select the necessary files and start the recovery mechanism from the backup. Before performing the operation, you must make sure that the ransomware has been completely removed.

Check for possible presence of residual components of the XTBL ransomware virus

Cleaning in manual mode is fraught with missing individual pieces of the ransomware that can avoid removal as hidden operating system objects or registry items. To eliminate the risk of partial preservation of individual malicious elements, scan your computer using a reliable universal anti-virus suite.