
That the Internet is full of malware surprises no one today. Many users shrug off news about infected systems and stolen personal data, right up to the moment a file-encrypting ransomware takes hold on their own machine. Most ordinary users do not know how to remove such a threat or recover the data on their hard drive, so they end up doing whatever the attackers demand. Let us look at what can be done when such a threat is found, and how to keep it out of the system in the first place.

What is a ransomware virus?

This type of threat uses standard cryptographic algorithms (and sometimes home-grown ones) to replace the contents of files with ciphertext, which makes the data useless without the key. An encrypted text file will not open for reading or editing in any meaningful way, and encrypted images, video or audio will not play. The files themselves can still be copied or moved like any other object; what is lost is access to their contents, not the files.

The ransomware itself is a tool that encrypts data in such a way that removing the threat from the system does nothing to bring the data back: the ciphertext stays on disk exactly as it was. Such programs often drop copies of themselves and install persistence (autostart entries, scheduled tasks), so deleting the main executable does not always get rid of the threat, and in no case does it restore the encrypted information.

How does the threat enter the system?

As a rule, threats of this type are aimed first of all at companies and arrive through e-mail: an employee opens what looks like an attached document, say an addendum to a cooperation agreement or a supply schedule (commercial offers with attachments from dubious senders are the first path in).

The trouble is that ransomware on a machine with access to a local network adapts to it: it encrypts every reachable network share and can copy itself to other hosts, including the administrator's workstation, if those hosts lack protection in the form of antivirus software, a firewall and sane access rights.

Sometimes such threats also reach the computers of ordinary users, who by themselves are of little interest to the attackers. This happens during the installation of programs downloaded from dubious Internet resources. Many users ignore the antivirus warning shown when the download starts and pay no attention during installation to offers of additional software, toolbars or browser plug-ins, and then, as the saying goes, bite their elbows.

Types of viruses and a little history

In general, threats of this type, including the No_more_ransom variant discussed below, are not merely tools for encrypting data or blocking access to it. All such malicious programs fall into the ransomware category: the attackers demand a payment for decrypting the information, counting on the fact that without their key the process cannot be carried out. That is largely true.

But if you dig into history, you will notice that one of the forerunners of this kind of threat, although it demanded no money, was the infamous ILOVEYOU worm of 2000. It did not encrypt anything: it overwrote users' media files (pictures and music tracks) with copies of itself, so the data destroyed that way could not be recovered at all. Today that particular threat is trivial to detect and remove.

But neither the malware nor the encryption it uses stands still. Among the families and extensions in circulation you will find XTBL, CBF, Breaking_Bad, [email protected] and a heap of others.

How user files are affected

And if until recently most attacks used a hybrid scheme built on AES for the file contents and RSA-1024 for wrapping the AES key, the same No_more_ransom ransomware now comes in several variants whose keys are wrapped with RSA-2048 and even RSA-3072. The two numbers measure different things: an AES key is 128 or 256 bits long, an RSA modulus 1024 to 3072 bits, and a hybrid scheme is only as strong as its weaker layer. Both are far beyond brute force.
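
To make the paragraph above concrete, here is an added example (not code from the article or from any real ransomware) of the hybrid layout it describes: a fresh symmetric key per file, with only that key wrapped under the attacker's RSA public key. Everything in it is a labelled stand-in: a SHA-256 counter-mode keystream plays the role of AES, and textbook RSA over two Mersenne primes with no padding plays the role of a 2048- or 3072-bit key. The shape is the point: what stays on the victim's disk is ciphertext plus a wrapped key, and nothing there can be turned back into the file without the private exponent, which never left the attacker.

```python
"""Structure of the hybrid scheme: a random key per file, wrapped with RSA.

Added example, not code from the article or from any real ransomware. To run
without dependencies it uses stand-ins, labelled as such: a SHA-256 counter
keystream instead of AES, and textbook RSA over two Mersenne primes with no
padding instead of a real 2048/3072-bit key. Only the structure is meant to
be faithful; the toy parameters are not secure and must not be reused.
"""
import hashlib
import secrets

# Toy RSA key pair, constructed here. The primes are 2^127-1 and 2^89-1 (both
# Mersenne primes); 65537 is coprime to (P-1)(Q-1), so D exists.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(plaintext: bytes, public_key=(N, E)) -> dict:
    """What the encryptor leaves on disk: ciphertext, nonce and the wrapped file key."""
    n, e = public_key
    file_key = secrets.token_bytes(16)  # fresh key for this file
    nonce = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # textbook RSA, no padding
    # file_key itself is discarded; only the wrapped form reaches the disk.
    return {"ciphertext": keystream_xor(file_key, nonce, plaintext),
            "nonce": nonce, "wrapped_key": wrapped}


def decrypt_file(blob: dict, private_key=(N, D)) -> bytes:
    """Only the holder of D can unwrap the file key and reverse the keystream."""
    n, d = private_key
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(16, "big")
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


def key_sizes() -> dict:
    """Sizes of the two layers in this toy; real families use 256 and 2048/3072."""
    return {"rsa_modulus_bits": N.bit_length(), "file_key_bits": 128}


if __name__ == "__main__":
    blob = encrypt_file(b"quarterly report, constructed sample")
    print(key_sizes(), blob["ciphertext"].hex()[:32], decrypt_file(blob))
```

Run it and the round trip succeeds only because the script holds D. Take D away and what remains is a 128-bit key search behind a 216-bit factoring problem; scaling the numbers to the real 256 and 2048 bits changes the cost, not the conclusion. This is also why decryptors appear only when an author makes an implementation mistake (a key reused or left on disk, a weak random generator) or the private keys are seized or published, never because someone "cracked AES".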

Why the algorithms used cannot be broken

The trouble is that no decryption tool helps against a correctly implemented scheme of this kind. Decryptors do exist for particular families, but they work because of flaws in the implementation or because the keys were seized or leaked, not because the key was short. Against a properly wrapped AES-256 key, and equally against RSA-2048 or RSA-3072 on top of it, almost all developers simply shrug their shoulders. This, by the way, has been confirmed by specialists from Kaspersky Lab and Eset.

In the most primitive version, the support service asks the user to send an encrypted file together with its original for comparison, in order to identify the family and the recovery options. As a rule, in most cases this gives no result. It is also said that the ransomware can decrypt the files itself, provided the victim accepts the attackers' terms and pays a certain sum. This formulation, however, raises legitimate doubts, and here is why.

Encryptor virus: how to disinfect and decrypt files and can it be done?

Allegedly, after payment the criminals deliver a decryptor and the key, either by activating the malware still sitting on the system or by sending a separate tool if the malware body was deleted. Relying on this is a gamble on the honesty of extortionists, and it looks more than doubtful.

Note also that the Internet is full of fake posts claiming that the demanded sum was paid and the data was restored. Some victims do get their files back, but there is no guarantee of it, and paying marks you as someone who pays: where is the assurance that the ransomware will not be activated in the system again? The psychology of the extortionists is simple: paid once, will pay again. And where particularly important information is concerned, such as commercial, scientific or military developments, the owners are willing to pay whatever is asked to get the files back intact.

The first step: removing the threat

That is the nature of a file-encrypting virus. How to disinfect the system and decrypt files after an attack? Without a matching decryptor there is no way, and even where one exists it does not always help. But you can try.

Suppose ransomware has appeared in the system. How to treat the infected files? First, run a full in-depth scan of the system. Do not rely on a quick scan that checks only boot sectors and system files: the encrypted user data and the malware's dropped copies sit elsewhere.

It is advisable not to use the resident scanner that has already missed the threat, but a portable or bootable one. The best option is to boot from Kaspersky Rescue Disk (or a similar rescue image), which runs before the installed operating system, and with it the malware, gets a chance to start.

But this is only half the battle: this way you get rid of the malware itself, while decryption is a harder question. More on that later.

There is another category of ransomware: programs that sit quite openly in the system as installed applications (the impudence of the attackers knows no bounds; the threat does not even try to hide). How to decrypt the data will be discussed separately.

In this case the Programs and Features section can be used for a standard uninstall. Bear in mind, though, that the standard Windows uninstaller does not remove every file of the program. In particular, this ransomware is known to create its own folders in system locations, typically a directory named Csrss containing an executable csrss.exe of the same name; the Windows, System32 or user profile directories (Users on the system drive) are chosen as the location. The name is borrowed from the legitimate Client Server Runtime Subsystem process. The genuine csrss.exe lives only in System32, so a copy anywhere else is the malware.

In addition, the No_more_ransom ransomware writes an autostart value into the registry that looks like a reference to the official Client Server Runtime Subsystem, which misleads many people, since that component really is responsible for the interaction of client and server parts of Windows. The value sits in the Run key of the HKLM branch (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Such values have to be deleted manually.
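
As an added example (not code from the article), here is a small Python script that does the manual check the paragraph describes offline: it parses a regedit export of the Run key, pulls the executable out of each autostart command line, and flags an entry whose binary carries a Windows system-process name but does not sit in the real system directory, or that launches from a user-writable folder. The .reg text inside is a constructed sample; the user name and paths in it are illustrative, and only the csrss.exe line imitates the behaviour described above.

```python
"""Offline check of Run-key autostart entries exported from the registry.

Added example, not code from the original article. SAMPLE_REG is a constructed
regedit export (illustrative user name and paths); the csrss.exe line imitates
the masquerade the text describes. The check flags an executable that borrows a
Windows system-process name but lives outside the system directory, and any
autostart that runs from a user-writable location.
"""
import re
from typing import Dict, List

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
MASQUERADE_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                    "explorer.exe", "services.exe", "smss.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Client Server Runtime Subsystem"="\"C:\\Users\\anna\\AppData\\Roaming\\Csrss\\csrss.exe\""
"OneDrive"="\"C:\\Users\\anna\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# "name"="value" with regedit's escaping (\\ for a backslash, \" for a quote)
_ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo regedit's REG_SZ escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_run_entries(reg_text: str) -> Dict[str, str]:
    """Return {value name: command line} for values under any Run/RunOnce key."""
    entries: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line.lower().rstrip("]").endswith(("\\run", "\\runonce"))
            continue
        m = _ENTRY.match(line)
        if in_run_key and m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def executable_path(command: str) -> str:
    """The program part of a command line, quoted or not, exactly as written."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def assess(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each value name to the reasons it deserves a look (empty list = fine)."""
    findings: Dict[str, List[str]] = {}
    for name, command in entries.items():
        path = executable_path(command)
        low = path.lower()
        directory, _, base = low.rpartition("\\")
        reasons: List[str] = []
        if base in MASQUERADE_NAMES and directory not in SYSTEM_DIRS:
            reasons.append(f"{base} outside the system directory: {path}")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append(f"autostart from a user-writable location: {path}")
        findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in assess(parse_run_entries(SAMPLE_REG)).items():
        print(f"{name}: {'; '.join(reasons) if reasons else 'OK'}")
```

Export the key from the machine (or from a mounted copy of its SOFTWARE hive) with regedit or `reg export`, then run the script against the file. The OneDrive line is flagged only for its location; legitimate programs living under AppData are common, so treat that reason as "look" and the masquerade reason as "remove".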

To make this easier you can use utilities like IObit Uninstaller, which search for leftover files and registry keys automatically (but only if the malware is visible in the system as an installed application). That, however, is the simplest part.

Solutions offered by antivirus software developers

Decryption after ransomware, it is believed, can be done with special utilities. Whether such a utility exists depends on the family and on a flaw or leaked key, not on the 2048 or 3072 bits of the wrapping key; with a sound implementation there is nothing to count on. Also note that some decryptors offer to delete the encrypted files after decryption, and if the malware body is still present the recovered files may simply be encrypted again. Keep copies of the encrypted files and remove the malware first.

Nevertheless, you can try. Of the programs available, RectorDecryptor (for files encrypted by Trojan-Ransom.Win32.Rector) and ShadowExplorer are worth highlighting, although the latter is not a decryptor at all: it restores previous versions of files from Volume Shadow Copies, if the ransomware did not delete them. There is no guarantee that a decryptor run against the wrong family will not damage the files, so work on copies. And if you do not get rid of the malware first, any attempt at decryption is doomed to fail.

Worse than losing the encrypted data, the whole system can be left unable to boot. Also, modern ransomware affects not only data on the local hard drive but files in cloud storage: a sync client faithfully uploads the encrypted versions and overwrites the clean ones, as happens with OneDrive built into Windows 10, whose folder is mounted directly in the file system. Recovery then depends on whether the service keeps version history or a recycle bin from which earlier versions can be restored.

A radical solution to the problem

As is already clear, most modern methods do not give a positive result against such malware. Of course, if you have the original of a damaged file, it can be sent together with the encrypted one to an antivirus laboratory for examination. But there are serious doubts that the average user keeps backups at all, and backups stored on the same hard drive (or on a permanently connected one) are encrypted along with everything else. Copying information to removable media that is disconnected afterwards is, for most, not even discussed.

Thus, the radical way to be sure the malware is gone is a complete wipe of the hard drive and all its logical partitions, with the loss of everything on it. What to do? Before wiping, copy the encrypted files (and the ransom note) to external media: they are harmless by themselves, and a decryptor may appear later. Then sacrifice the installation, unless you want the malware or a saved copy of it to activate in the system again.

For this you should not rely on the tools of the running Windows system (it will refuse to format the system volume it is running from). Boot from external media instead: a LiveCD or an installation image, such as one created with the Media Creation Tool for Windows 10.

Before formatting, once the malware has been removed, you can try to restore the integrity of system components from the command line (sfc /scannow), but this has no effect on decrypting or unlocking data. Therefore format c: followed by a clean installation is the only reliable solution, whether you like it or not. It is the only way to be certain that threats of this type are gone, since cleanup with the standard tools of most antivirus packages is not always complete. Alas, it does nothing for the data.

Instead of an afterword

As for the obvious conclusions, there is no single universal solution for undoing the consequences of this type of threat today (sad but true; this has been confirmed by most antivirus developers and experts in cryptography).

It is tempting to ask how the appearance of 1024-, 2048- and 3072-bit keys in malware passed by the people who design such technologies. But nothing passed anyone by: AES-256 is considered the most secure symmetric algorithm in common use, and the RSA key lengths above are the standard ones. The cryptography works exactly as designed; the problem is that the attacker, not the victim, holds the key. That is why any attempt to recover the keys by brute force is hopeless.

Be that as it may, keeping the threat out of the system is relatively simple. At a minimum, scan every incoming message with attachments in Outlook, Thunderbird or any other mail client with an antivirus immediately on receipt, and under no circumstances open an attachment before the scan finishes. Read carefully the offers to install additional software that come with some programs (usually in very small print or disguised as standard add-ons like an update of Flash Player). Update multimedia components only through the vendors' official websites. This is the only way to at least somewhat reduce the chance of such threats getting into your system. The consequences are hard to predict, given that malware of this type spreads across the local network quickly, and for a company such a turn of events can mean a real collapse of the business.

Finally, the system administrator should not sit idle. Protection should not be limited to software on the endpoints: a dedicated perimeter firewall (hardware, naturally with its own software on board) with mail filtering is better than a desktop firewall alone, and, it goes without saying, you should not skimp on antivirus licences either. Buy a licensed package rather than installing primitive programs that claim real-time protection only according to their developer.

And if a threat has already penetrated the system, the sequence of actions is: remove the malware body first, and only then attempt to decrypt the damaged data. Ideally, finish with a full format (not a quick one, which only clears the file table, but a complete one), and let the reinstallation rewrite the file system, boot sector and boot records.

Today computer and laptop users increasingly run into malware that replaces their files with encrypted copies. Essentially these are viruses, and the XTBL ransomware is considered one of the most dangerous of the series. What is this pest, how does it get onto a user's computer, and can the damaged information be restored?

What is XTBL ransomware and how does it get into the computer?

If you find files on your computer or laptop with a long name ending in the extension .xtbl, you can say with confidence that a dangerous virus has entered the system: the XTBL ransomware (a variant of the Shade/Troldesh family). It affects all versions of Windows. It is practically impossible to decrypt such files on your own, because the program uses a hybrid scheme: each file is encrypted with its own symmetric key, which is then encrypted with the attackers' public RSA key, so guessing a key is out of the question. (Kaspersky Lab later released ShadeDecryptor for this family, and in 2020 its operators published their keys, so check the No More Ransom project before giving up.)

System directories fill up with copies of the malware. Entries are added to the Windows registry that start the virus automatically every time the OS boots.

Almost all file types are encrypted: graphics, text, archives, mail, video, music and so on. Working in Windows becomes impossible.

How does it work? Once running on Windows, the XTBL ransomware first enumerates all logical drives, including mapped network drives and cloud sync folders on the computer. Files are then grouped by extension and encrypted in turn. As a result, all valuable information in the user's folders becomes inaccessible.


This is what the user sees instead of the familiar file icons and names.

Under the influence of the XTBL ransomware the file extension changes. Instead of an image or a Word document the user sees a blank sheet icon and a long name ending in .xtbl. In addition, a message appears on the desktop, a kind of instruction for restoring the encrypted information, which demands payment for unlocking. This is nothing other than blackmail.


This message appears on the desktop of the infected computer.
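
For a practitioner the useful counterpart to this description is a triage pass over the disk: which files were renamed, whether their contents really are ciphertext, where the notes are, and over what time window the encryption ran. The Python script below is an added example (not code from the article) that does this over a directory tree. It builds a constructed sample tree in a temporary directory using the extensions the page names (.xtbl, .cbf, .breaking_bad, .no_more_ransom, .vault); the threshold of 7.5 bits per byte for "looks encrypted" and the note file names are assumptions.

```python
"""Triage of a directory tree after a suspected file-encrypting infection.

Added example, not code from the original article. build_sample_tree() writes a
constructed sample (two renamed 'encrypted' files, one intact text file and a
ransom note) into a temporary directory; triage() reports the renamed files,
the files whose bytes look like ciphertext, the notes, and the time window.
"""
import math
import os
import random
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Extensions named in the article; extend the set from ID Ransomware for real cases.
RANSOM_EXTENSIONS = {".xtbl", ".cbf", ".breaking_bad", ".no_more_ransom", ".vault"}
# Assumed note names; real families use many variants.
NOTE_NAMES = {"readme.txt", "readme1.txt", "how to decrypt your files.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte string in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_ransom_extension(name: str) -> bool:
    lower = name.lower()
    return any(lower.endswith(ext) for ext in RANSOM_EXTENSIONS)


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk root and classify every file; only the first sample_bytes are read."""
    renamed, high_entropy, notes, mtimes = [], [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in NOTE_NAMES:
                notes.append(rel)
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if has_ransom_extension(name):
                renamed.append(rel)
                mtimes.append(os.path.getmtime(path))
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy.append(rel)
    window = None
    if mtimes:  # when the renaming happened: first and last modification time
        window = (datetime.fromtimestamp(min(mtimes), timezone.utc),
                  datetime.fromtimestamp(max(mtimes), timezone.utc))
    return {"renamed": sorted(renamed), "high_entropy": sorted(high_entropy),
            "notes": sorted(notes), "window": window}


def build_sample_tree(root: str) -> None:
    """Constructed sample data; the random bytes stand in for real ciphertext."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    rng = random.Random(1)
    fake_ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    for name in ("contract.docx.xtbl", "photo.jpg.vault"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(fake_ciphertext)
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("plain text, low entropy\n" * 100)
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("your files are encrypted, write to the address below\n")


def demo() -> dict:
    """Build the sample tree, triage it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point triage() at a read-only mount of the affected disk from a clean system rather than running it on the infected machine, so nothing new is written over deleted originals. The modification-time window is what you take to the mail logs to find the message that started it.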

XTBL ransomware is usually distributed by e-mail. The message carries attached files or documents infected with the virus. The scammer lures the user with a catchy subject line; everything is arranged so that the message which says, for example, that you have won a million gets opened. Do not respond to such messages, otherwise there is a high risk that the virus ends up in your OS.

Is it possible to recover information?

You can try to decrypt the information with special utilities. However, there is no guarantee that you will manage to get rid of the virus and restore the damaged files.

At the time of writing, XTBL ransomware was an undeniable threat to every computer running Windows. Even the recognised leaders in the fight against viruses, Dr.Web and Kaspersky Lab, had no 100% solution to the problem.

Removing a virus and restoring encrypted files

There are various methods and programs for dealing with XTBL encryption. Some remove the virus itself, others try to decrypt the locked files or restore earlier copies of them.

Stopping the infection in progress

If you are lucky enough to notice files with the .xtbl extension appearing on your computer while it is happening, it is quite possible to interrupt further encryption: suspend or terminate the process, or simply power the machine off.

Kaspersky Virus Removal Tool to remove XTBL ransomware

All such programs should be run in an OS booted in Safe Mode with Networking. Removing the virus is much easier there, since only the minimum set of processes required to start Windows is loaded and the autostart entries in the Run keys are not processed.

To boot into safe mode on Windows XP or 7, press F8 repeatedly during startup and pick the item from the menu that appears. On Windows 8 and 10, hold Shift while clicking Restart; after the reboot choose Troubleshoot, Advanced options, Startup Settings, and then the safe mode option with networking.


Selecting safe mode with loading network drivers

Kaspersky Virus Removal Tool recognises XTBL ransomware well and removes this type of virus. After downloading the utility, start a computer scan by clicking the corresponding button. Once the scan is complete, delete any malicious files found (or quarantine them if a sample is needed for the antivirus laboratory).


Running a computer scan for the presence of XTBL ransomware in Windows OS and then removing the virus

Dr.Web CureIt!

The procedure for checking and removing the virus hardly differs from the previous one. Use the utility to scan all logical drives, following the program's prompts after launch. At the end of the process, get rid of the infected files with the "Neutralize" button.


Neutralize malicious files after scanning Windows

Malwarebytes Anti-malware

The program will carry out a step-by-step check of your computer for the presence of malicious codes and destroy them.

  1. Install and run the Anti-malware utility.
  2. Select “Run scan” at the bottom of the window that opens.
  3. Wait for the process to complete and check the checkboxes with infected files.
  4. Delete the selection.


Removing malicious XTBL ransomware files detected during scanning

Online decryptor script from Dr.Web

In the support section of the official Dr.Web website there is a form for online file decryption. Note that only users who have this developer's antivirus installed on their computers can use it.


Read the instructions, fill out everything required and click the “Submit” button

RectorDecryptor decryption utility from Kaspersky Lab

Kaspersky Lab also decrypts files. From the official website you can download the RectorDecryptor.exe utility for Windows Vista, 7 and 8 by following the menu links "Support - File disinfection and decryption - RectorDecryptor - How to decrypt files". Run the program, perform a scan, and only after checking the recovered files choose the option to delete the encrypted copies. Note that RectorDecryptor targets the Rector family; for XTBL itself look for ShadeDecryptor on the same site or on the No More Ransom project.


Scanning and decrypting files infected with XTBL ransomware

Restoring encrypted files from a backup

Starting with Windows 7, you can try to restore earlier versions of files from Volume Shadow Copies (the Previous Versions tab in a file's Properties). This only works if the ransomware did not delete the shadow copies, which many families do before encrypting.


ShadowExplorer to recover encrypted files

The program is portable and can be run from any media, so nothing needs to be installed on the infected machine.


QPhotoRec

The program (the graphical version of PhotoRec from the TestDisk suite) is made for recovering deleted files. It carves files out of the raw disk by their signatures, ignoring the file system, so it can bring back originals that the ransomware deleted after writing the encrypted copies, provided their space has not been overwritten since.

QPhotoRec is free and open source.

Unfortunately QPhotoRec has only an English-language interface, but the settings are not hard to understand and the layout is intuitive.

  1. Launch the program.
  2. Mark the logical drives with encrypted information.
  3. Click the File Formats button and OK.
  4. Using the Browse button located at the bottom of the open window, select the location to save the files and start the recovery procedure by clicking Search.


QPhotoRec recovers files deleted by XTBL ransomware and replaced with its own copies


What not to do

  1. Never take actions that you are not completely sure of. It’s better to invite a specialist from the service center or take the computer there yourself.
  2. Do not open e-mail messages from unknown senders.
  3. Under no circumstances should you follow the lead of blackmailers by agreeing to transfer money to them. This will most likely not give any results.
  4. Do not rename the extensions of encrypted files by hand and do not rush to reinstall Windows. A solution that corrects the situation may yet be found, and it will need the encrypted files with their names intact.

Prevention

Try to install reliable protection against penetration of XTBL ransomware and similar ransomware viruses onto your computer. Such programs include:

  • Malwarebytes Anti-Ransomware;
  • BitDefender Anti-Ransomware;
  • WinAntiRansom;
  • CryptoPrevent.

Although they are all English-language, working with such utilities is quite simple: launch the program and select the protection level in the settings.


Launching the program and selecting the protection level

If you have run into a ransomware virus that encrypts the files on your computer, do not despair straight away. Try the methods suggested above for restoring the damaged information; they often give a positive result. Do not use unverified programs from unknown developers to remove XTBL ransomware, since that can only make things worse. If possible, install one of the programs that prevent the virus from running, and scan Windows for malicious processes on a regular schedule.

The first ransomware Trojans of the Trojan.Encoder family appeared in 2006-2007. Since January 2009 the number of their variants has grown by roughly 1900%. Today Trojan.Encoder is one of the most dangerous threats to users, with several thousand modifications. From April 2013 to March 2015 the Doctor Web virus laboratory received 8,553 requests to decrypt files damaged by encoder Trojans.

Encryption viruses have all but taken first place among requests on information security forums. On average, the Doctor Web virus laboratory alone receives 40 decryption requests a day from users infected with various encryption Trojans (Trojan.Encoder, Trojan-Ransom.Win32.Xorist, Trojan-Ransom.Win32.Rector, Trojan.Locker, Trojan.Matsnu, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.GpCode, Digital Safe, Digital Case, lockdir.exe, rectorrsa, Trojan-Ransom.Win32.Rakhn, CTB-Locker, vault and so on). The main signs of such an infection are changed extensions on user files (music, images, documents and so on) and, on trying to open them, a message from the attackers demanding payment for a decryptor. The desktop background may also be replaced, and text documents and windows may appear with messages about encryption, licence violations and the like. Encryption Trojans are especially dangerous for companies, since lost databases and payment documents can halt the company's work for an indefinite period and lead to lost profits.

Trojans of the Trojan.Encoder family use dozens of different algorithms to encrypt user files. For example, finding the keys to files encrypted by Trojan.Encoder.741 by brute force would take 107902838054224993544152335601 years.

Decryption of files damaged by the Trojan is possible in no more than 10% of cases. This means that most user data is lost forever.

Today, ransomware demands up to 1,500 bitcoins.

Even if you pay a ransom to the attacker, it will not give you any guarantee of data recovery.

It gets absurd: there was a case where, despite the ransom having been paid, the criminals could not decrypt the files encrypted by their own Trojan.Encoder and sent the victim for help... to the technical support of an antivirus company!

How does infection occur?

  • Through e-mail attachments: using social engineering, the attackers get the user to open the attached file.
  • Through Zbot infections disguised as PDF attachments.
  • Through exploit kits on hacked websites, which exploit vulnerabilities on the computer to install the infection.
  • Through Trojans offering to download a "player" supposedly needed to watch online video, usually on porn sites.
  • Via RDP, by password guessing and through vulnerabilities in the protocol.
  • Through infected keygens, cracks and activation utilities.
In more than 90% of cases the users themselves launch (activate) the ransomware on their computers.

With RDP password guessing the attacker logs in under the compromised account, disables or uninstalls the antivirus product and launches the encryptor by hand.

Until you stop being frightened by letters with subjects like "Debt" or "Criminal proceedings", attackers will keep exploiting your naivety.

Think about it... Learn yourself and teach others the simplest basics of safety!

  • Never open attachments from unknown senders, however alarming the subject line. If the attachment arrived as an archive, take the trouble to simply view its contents first; if there is an executable inside (extension .exe, .com, .bat, .cmd, .scr), it is a trap 99.(9)% of the time.
  • If something still worries you, take the trouble to find out the real e-mail address of the organisation on whose behalf the letter was sent. This is not hard in our information age.
  • Even if the sender's address turns out to be genuine, check by phone whether such a letter was really sent: the sender address is easily forged through anonymous SMTP servers.
  • "Sberbank" or "Russian Post" in the sender field means nothing by itself. Legitimate letters should ideally carry an electronic signature. Check attachments to such letters carefully before opening them.
  • Back up your information regularly to separate media that is disconnected afterwards.
  • Forget simple passwords that can be guessed to get into the organisation's local network under your account. For RDP access use certificates, VPN access or two-factor authentication.
  • Never work with administrator rights. Pay attention to UAC prompts even when they show a "blue", signed application, and do not click "Yes" if you did not start an installation or update yourself.
  • Install security updates regularly, not only for the operating system but also for application programs.
  • Set a password on the antivirus settings, different from the account password, and enable its self-defence option.
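
The first three points of the list above can be turned into a check that runs before anyone double-clicks. The Python script below is an added example (not code from the article): it lists every attachment of a message, looks inside a zip attachment without extracting anything, and flags names that Windows would execute or that hide one extension behind another. The message it screens is constructed (a harmless .docx plus a zip holding Debt_notice.pdf.scr); the extension set extends the article's .exe/.com/.bat/.cmd/.scr with other double-click-executable types, which is an addition of mine.

```python
"""Screen an e-mail's attachments before anyone opens them.

Added example, not code from the original article. The message is constructed
in build_sample_message(): a harmless .docx plus a zip that hides
Debt_notice.pdf.scr, standing in for the 'Debt' letters the text warns about.
Archive members are listed without extracting anything.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# The article's list (.exe .com .bat .cmd .scr) extended here with other
# types Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}
ARCHIVE_EXTS = {".zip"}  # only zip is opened (stdlib); rar/7z need extra libraries


def build_sample_message() -> bytes:
    """Constructed sample: one benign attachment and one zipped double-extension .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Debt_notice.pdf.scr", b"MZ constructed stand-in, not a real binary")
        zf.writestr("readme.txt", b"open the attached notice")
    msg = EmailMessage()
    msg["From"] = "collections@example.com"
    msg["To"] = "accounting@example.org"
    msg["Subject"] = "Debt"
    msg.set_content("See the attached notice.")
    msg.add_attachment(b"fake docx bytes", maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="agreement.docx")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="notice.zip")
    return msg.as_bytes()


def _extensions(name: str) -> List[str]:
    """All dotted suffixes of a file name, lower-cased: 'a.pdf.scr' -> ['.pdf', '.scr']."""
    parts = name.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def classify_name(name: str) -> List[str]:
    """Reasons a file name is dangerous; an empty list means nothing was found."""
    exts = _extensions(name)
    reasons: List[str] = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable type {exts[-1]}")
        if len(exts) > 1:
            reasons.append(f"double extension hides {exts[-2]} behind {exts[-1]}")
    return reasons


def list_attachment_names(raw: bytes) -> List[Tuple[str, str]]:
    """(container, name) pairs; '' as container means a direct attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found: List[Tuple[str, str]] = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        found.append(("", fname))
        exts = _extensions(fname)
        if exts and exts[-1] in ARCHIVE_EXTS:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    found.extend((fname, member) for member in zf.namelist())
            except zipfile.BadZipFile:
                found.append((fname, "<unreadable archive>"))
    return found


def screen(raw: bytes) -> List[Tuple[str, str, List[str]]]:
    """(container, name, reasons) for every attachment or archive member that is flagged."""
    return [(container, name, classify_name(name))
            for container, name in list_attachment_names(raw)
            if classify_name(name)]


if __name__ == "__main__":
    for container, name, reasons in screen(build_sample_message()):
        where = f"inside {container}" if container else "direct attachment"
        print(f"{name} ({where}): {', '.join(reasons)}")
```

Only zip archives are opened because that needs nothing outside the standard library; rar and 7z attachments should simply be treated as suspicious until opened in an isolated environment. A clean result from this screen is not a clearance: macro-bearing Office documents and exploit PDFs pass it, which is why the antivirus scan the text asks for still has to run.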
What to do in case of infection?

Let us quote the recommendations of Dr.Web and Kaspersky Lab:

  • immediately switch off the computer to stop the Trojan; the Reset button on the computer can save a significant part of the data;
  • Site comment: although this recommendation is given by well-known laboratories, in some cases following it will complicate decryption, since the key may be held only in RAM and after a reboot it cannot be recovered. To stop further encryption you can instead freeze the ransomware process with Process Explorer (Suspend) and then ask for further recommendations.

Footnote:

No encoder is capable of encrypting all the data instantly, so until the encryption is completed, some part of it remains untouched. And the more time has passed since the start of encryption, the less untouched data remains. Since our task is to save as many of them as possible, we need to stop the operation of the encoder. You can, in principle, start analyzing the list of processes, look for where the Trojan is in them, try to terminate it... But, believe me, unplugging the power cord is much faster! Shutting down Windows normally is not a bad alternative, but it may take some time, or the Trojan may interfere with it through its actions. So my choice is to pull the cord. Undoubtedly, this step has its drawbacks: the possibility of damaging the file system and the impossibility of further taking a RAM dump. For an unprepared person, a damaged file system is a more serious problem than an encoder. At least the files remain after the encoder, but damage to the partition table will make it impossible to boot the OS. On the other hand, a competent data recovery specialist will repair the same partition table without any problems, but the encoder may simply not have time to reach many files.

To open criminal proceedings against the attackers, law enforcement needs a procedural reason: your statement about the crime (a sample statement was provided with the original article).

Be prepared for your computer to be seized for some time for examination.

If they refuse to accept your application, receive a written refusal and file a complaint with a higher police authority (the police chief of your city or region).

  • do not under any circumstances try to reinstall the operating system;
  • do not delete any files or e-mail messages on the computer;
  • do not run any "cleaners" of temporary files or the registry;
  • do not scan and disinfect the computer with antiviruses or antivirus utilities, and especially not with antivirus LiveCDs; as a last resort, move the infected files to the antivirus quarantine;

Footnote:

For decryption, an inconspicuous 40-byte file in a temporary directory or an incomprehensible shortcut on the desktop may be of greatest importance. You probably don't know whether they will be important for decryption or not, so it's better not to touch anything. Cleaning the registry is generally a dubious procedure, and some encoders leave traces of operation there that are important for decoding. Antiviruses, of course, can find the body of an encoder Trojan. And they can even delete it once and for all, but then what will be left for analysis? How will we understand how and what the files were encrypted with? Therefore, it is better to leave the animal on the disk. Another important point: I do not know of any system cleaning product that takes into account the possibility of the encoder operating and retains all traces of its operation. And, most likely, such funds will not appear. Reinstalling the system will definitely destroy all traces of the Trojan, except for encrypted files.

  • do not try to recover the encrypted files on your own;

Footnote:

If you have a couple of years of writing programs under your belt, you really understand what RC4, AES, RSA are and what the differences are between them, you know what Hiew is and what 0xDEADC0DE means, you can give it a try. I don't recommend it to others. Let's say you found some miracle method for decrypting files and you even managed to decrypt one file. This is not a guarantee that the technique will work on all your files. Moreover, this is not a guarantee that using this method you will not damage the files even more. Even in our work there are unpleasant moments when serious errors are discovered in the decryption code, but in thousands of cases up to this point the code has worked as it should.

Now that it is clear what to do and what not to do, decryption can begin. In theory, decryption is almost always possible, provided you know all the data needed for it or have unlimited money, time and processor cores. In practice, some cases can be decrypted almost immediately; others wait their turn for a couple of months or even years; and some are not worth attempting at all: nobody will rent a supercomputer for free for five years. It is also unfortunate that a seemingly simple case can turn out to be extremely complex on closer examination. Whom to contact is up to you.

  • contact the anti-virus laboratory of a company that has a department of virus analysts dealing with this problem;
  • attach a Trojan-encrypted file to the ticket (and, if possible, an unencrypted copy of it);
  • wait for the virus analyst's response; because of the high volume of requests this may take some time.

How to recover files?

Addresses with forms for sending encrypted files:

  • Dr.Web (requests for free decryption are accepted only from users of the comprehensive Dr.Web antivirus)
  • Kaspersky Lab (requests for free decryption are accepted only from users of Kaspersky Lab commercial products)
  • ESET, LLC (requests for free decryption are accepted only from users of ESET commercial products)
  • The No More Ransom Project (collection of decryptors)
  • Ransomware encryptors (collection of decryptors)
  • ID Ransomware (identifies the ransomware family from a sample and points to a decryptor where one exists)

We strongly advise against restoring files yourself: done carelessly, you can lose all the information without recovering anything. In addition, files encrypted by certain types of Trojans simply cannot be recovered because of the strength of the encryption mechanism.

Deleted file recovery utilities:

Some encryption Trojans create a copy of the file, encrypt the copy and delete the original. In that case one of the file recovery utilities may bring the originals back (use portable versions, downloaded and written to a flash drive on another computer, so that nothing is installed on the affected disk):

  • R.saver
  • Recuva
  • JPEG Ripper (recovers damaged images)
  • JPGscan
  • PhotoRec (recovers deleted files by their content signatures; despite the name it is not limited to photos)
Solving problems with some versions of Lockdir

Folders encrypted by some versions of Lockdir can be opened with the 7-Zip archiver.

After the data has been recovered, the system still has to be checked for malware: run the required utility and create a topic describing the problem in the appropriate forum section.

Recovering encrypted files using the operating system.

To restore files through the operating system, System Protection has to be enabled before the ransomware Trojan reaches the computer. Most ransomware Trojans try to delete every shadow copy on the machine, but this sometimes fails (when the Trojan runs without administrative privileges on a Windows with current updates), and the shadow copies can then be used to recover the damaged files.

Remember that the command the Trojan uses to delete shadow copies:

Code:

vssadmin delete shadows /all /quiet

works only with administrator rights (other families use wmic shadowcopy delete or wbadmin delete catalog for the same purpose; those are likewise restricted to administrators). So, after enabling protection, work only as a user with limited rights and pay close attention to every UAC prompt about an attempt to elevate privileges: a prompt you did not expect, appearing right after you opened a document, is exactly such an attempt.
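As an added example (not from the original article), the following PowerShell script puts this advice into practice: it checks which shadow copies of C: survived, picks the newest one taken before the infection, exposes it through a directory symlink and copies a folder out of it to an external drive. It targets Windows PowerShell 5.1 and must run elevated, because reading the snapshot device requires administrator rights. The infection time, the profile name alice, the mount point C:\shadow_mount and the external drive E: are assumptions to adjust.

```powershell
# Added example, not part of the original article. Run elevated in Windows PowerShell 5.1.
# Nothing here writes to C: except the temporary directory link in $mount.

$infectionTime = Get-Date '2016-03-10 09:00'   # assumption: when the ransom note appeared
$source        = 'Users\alice\Documents'       # assumption: folder to recover, relative to the volume root
$destination   = 'E:\recovered\Documents'      # assumption: external drive; never restore onto the infected disk
$mount         = 'C:\shadow_mount'             # assumption: an unused path for the temporary link

# Prevention (run long before an incident): System Protection must be on for snapshots to exist.
# Enable-ComputerRestore -Drive 'C:\'
# Checkpoint-Computer -Description 'baseline' -RestorePointType MODIFY_SETTINGS   # one per 24 h by default

# 1. Which shadow copies of C: are left? After a successful "vssadmin delete shadows /all /quiet"
#    this list is empty and the rest of the script cannot help.
$volumeId = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$shadows  = @(Get-CimInstance -ClassName Win32_ShadowCopy |
              Where-Object { $_.VolumeName -eq $volumeId } |
              Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies on C:. System Protection was off, or the Trojan ran as administrator and deleted them.'
    return
}
$shadows | Format-Table InstallDate, ID, DeviceObject -AutoSize

# 2. The newest snapshot taken BEFORE the infection. Later snapshots already hold the encrypted files.
$good = $shadows | Where-Object { $_.InstallDate -lt $infectionTime } | Select-Object -First 1
if (-not $good) {
    Write-Warning 'Every surviving snapshot is newer than the infection; its files are already encrypted.'
    return
}
Write-Host "Using snapshot $($good.ID) from $($good.InstallDate)"

# 3. Explorer cannot open \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN directly, but a directory
#    symlink to it works (this is what ShadowExplorer does for you). The trailing backslash is required.
cmd /c mklink /d "$mount" "$($good.DeviceObject)\" | Out-Null

# 4. Copy the pre-infection versions to the external drive: /E keeps the tree, /COPY:DAT keeps
#    data, attributes and timestamps, /R:1 /W:1 avoids hanging on unreadable files.
robocopy "$mount\$source" $destination /E /COPY:DAT /R:1 /W:1 /NP

# 5. Remove only the link. The snapshot itself is untouched.
cmd /c rmdir "$mount"
```

Because it reads the snapshot device directly, this works on every Windows edition, including those whose Explorer has no Previous Versions tab. It also shows why the advice above matters: if the Trojan obtained administrator rights, step 1 finds nothing to recover from.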


How to enable system protection?

How to restore previous versions of files after they are damaged?

Note:

Restoring from the Previous Versions tab in the properties of a file or folder is available only in Windows 7 editions from Professional upwards. For Home editions of Windows 7 and for all editions of newer Windows versions there is a workaround (described below).

The second way is to use the ShadowExplorer utility (both an installer and a portable version are available):

  • run the program;
  • select the drive and the date of the shadow copy from which you want to recover files;
  • select the file or folder to recover and right-click it;
  • choose Export from the context menu and specify the folder into which the files from the shadow copy should be restored.



Ways to protect yourself from ransomware Trojans

Unfortunately, protection against ransomware Trojans is rather complicated for ordinary users: it requires security policy or HIPS settings that let only specific applications touch user files, and even that does not give 100% protection when the Trojan injects itself into the address space of a trusted application. The one method available to everyone is therefore backing up user files to removable media. If that medium is an external hard drive or a flash drive, connect it only for the duration of the backup and keep it disconnected the rest of the time: a Trojan encrypts every writable drive it can reach, and a backup that mirrors the source (robocopy /MIR or a synchronising client) will faithfully replace the good copies with encrypted ones, so keep dated copies rather than a single mirror. For greater safety the backup can be made after booting from a LiveCD. Backups can also be kept in so-called cloud storage offered by a number of companies, with the same caveat about automatic synchronisation.

Setting up anti-virus programs to reduce the likelihood of infection by ransomware Trojans

Applies to all products:

Enable the antivirus's self-defense module and protect its settings with a strong password, so that a Trojan (or a user it has tricked) cannot switch the protection off.

Typically, malware aims to take control of a computer, enlist it in a botnet or steal personal data, and an inattentive user may not notice for a long time that the system is infected. Encryption viruses, xtbl among them, behave quite differently: they make the user's files unusable by encrypting them with a strong algorithm and demand a large sum from the owner for the chance to get the information back.

Cause of the problem: the xtbl virus

The xtbl ransomware virus got its name because the user documents it encrypts receive the .xtbl extension. An ordinary encoder stores, together with the data, whatever a decoder needs to restore it; the virus has the opposite purpose, so instead of the key the user is shown a demand to pay a certain sum through anonymous payment details.

How the xtbl virus works

The virus arrives in emails with infected attachments disguised as office documents. Once the user opens the attachment, the malware starts looking for photos, keys, videos, documents and so on and turns them into .xtbl files using hybrid encryption: the contents are encrypted with a symmetric cipher, and the symmetric key is in turn encrypted with the attackers' public key, so the files cannot be opened without the private key that only the attackers hold.

The virus stores its files in system folders.

It adds itself to the autostart list by creating entries in the Windows registry under:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run;
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

The infected computer works stably and the system does not crash, but there is always a small process (or two) with an unintelligible name in memory, and the folders with the user's working files take on a strange appearance.

A message appears on the desktop instead of the wallpaper:

Your files have been encrypted. To decrypt them, you need to send the code to the email address: [email protected](code follows). You will then receive further instructions. Independent attempts to decrypt files will lead to their complete destruction.

The same text is contained in the generated file How to decrypt your files.txt. The email address, the code and the amount demanded vary.

Quite often one group of scammers profits from another: they take an existing Trojan, insert their own e-wallet details into its body and distribute it, even though they have no way of decrypting the files. A gullible user who sends money then receives nothing in return.

Why you shouldn't pay extortionists

It is impossible to agree to cooperate with extortionists not only because of moral principles. This is also unreasonable from a practical point of view.

  • Fraud. There is no certainty that the attackers can decrypt your files at all. One supposedly decrypted photograph returned to you proves nothing: it may simply be the original, stolen before encryption. The money you paid is then wasted.
  • Repetition. By showing that you are willing to pay, you become a more attractive target for a second attack. Next time the files may get a different extension and a different message may appear on the screen, but the money goes to the same people.
  • Confidentiality. While the files are encrypted, they are still on your computer. Having come to terms with the "honest villains", you would have to send them all your personal data: the procedure does not give you a key to decrypt the files yourself, only the option of sending the files to the attackers' decryptor.
  • Continued infection. The computer is still infected, so decrypting the files does not solve the whole problem.
How to protect your system from the virus

The universal rules for protecting against malware and minimising damage apply here as well.

  • Be wary of unexpected attachments. Do not open emails from unknown senders, including advertising and bonus offers. If you must, save the attachment to disk first and scan it with an antivirus before opening it.
  • Use protection. Antivirus vendors constantly extend their malware databases, so an up-to-date antivirus stops most known threats before they get onto the computer.
  • Separate privileges. The virus does far more harm when it enters through an administrator account. Work under an ordinary user account; this sharply narrows what an infection can do.
  • Make backups. Copy important information regularly to external media kept separately from the computer, and keep System Protection (restore points) enabled.
Is it possible to recover encrypted information?

The good news is that recovery is sometimes possible. The bad news: you will not manage it yourself, because recovering the key for an algorithm of this kind takes far more resources and accumulated knowledge than an ordinary user has. Antivirus developers do take on every piece of malware, so even if they cannot cope with your ransomware today, a solution may appear in a month or two, whenever the family's implementation turns out to have a weakness. You will have to be patient.

Because specialists have to be involved, the way you handle the infected computer changes. The general rule: the fewer changes, the better. Antiviruses work out the treatment from the "generic features" of the malware, so the infected files and the Trojan's own files are an important source of information for them. Remove them only after the main problem has been solved.

The second rule: interrupt the virus at any cost. Perhaps it has not yet corrupted all the information. So pull the power plug on a desktop immediately, and on a laptop hold down the power button until it switches off. This time the standard "gentle" shutdown, which lets every process finish correctly, is the wrong choice, because one of those processes is the one encrypting your data. (A hard power-off does lose whatever was in RAM, but the Trojan's body and its traces on disk remain for the analysts.)

    Recovering encrypted files

If you managed to turn off the computer

If you managed to turn off the computer before encryption finished, do not turn it on again yourself. Take the "patient" straight to the specialists: interrupted encryption greatly improves the odds of saving personal files. There the drive can be examined safely and its contents copied. The virus itself will quite likely already be known, and treatment will succeed.

    If encryption has completed

Unfortunately, the chance of interrupting the encryption in time is small. Usually the virus manages to encrypt the files and remove the traces it no longer needs. You are then left with two problems: Windows is still infected, and your personal files have turned into meaningless bytes. For the second problem you need help from the antivirus vendors.

    Dr.Web

Dr.Web's laboratory decrypts files free of charge only for holders of a commercial license. In other words, if you are not yet their customer but want your files back, you will have to buy the product; in the circumstances this is a necessary investment.

The next step is to go to the vendor's website and fill in the request form.

If copies of some of the encrypted files survive on external media, sending those pairs (an encrypted file plus its original) greatly simplifies the decryptors' work.

    Kaspersky

Kaspersky Lab publishes free decryption utilities such as RectorDecryptor, which can be downloaded from the company's official website. A decryptor is tied to one family: RectorDecryptor handles Trojan-Ransom.Win32.Rector and will do nothing for files of another family, so take the tool the vendor lists for your extension.

After downloading the utility, click the Start scan button on screen.

If the virus is relatively new the service may take a while, in which case the company usually sends a notice. Sometimes decryption takes several months.

    Other services

There are more and more services with similar functions, which shows the demand for decryption. The procedure is the same everywhere: go to the site (for example, https://decryptcryptolocker.com/), register and send an encrypted file.

    Decryption programs

There are plenty of offers of "universal decryptors" (paid, of course) on the Internet, but their usefulness is doubtful. If the authors of a given family write a decryptor it will of course work for that family, but the same program is useless against any other malicious application. Besides, the specialists who deal with ransomware every day already have the full set of utilities that actually work. Buying such a decryptor is most likely a waste of money.


    Self-recovery of information

If for some reason you cannot reach third-party specialists, you can try to recover the information yourself. Be warned that if it goes wrong, the files may be lost for good.

Recovering deleted files

After encryption the virus deletes the original files. However, if System Protection was enabled, Windows 7 keeps snapshots of the volume (shadow copies) that may still contain the originals, and the deleted files themselves stay on the disk until they are overwritten.

    ShadowExplorer

ShadowExplorer is a utility for recovering files from shadow copies.

  • To install it, go to the developer's website and download the archive; after unpacking, the executable is in the ShadowExplorerPortable folder under the same name, and a shortcut appears on the desktop.
  • The rest is intuitive. Launch the program and, in the top-left corner of the window, select the disk on which the data was stored and the date of the shadow copy. You want the most recent date that still precedes the infection.
  • Find the folder that held the working files and right-click it. In the context menu choose Export, then specify the path for the recovered files. The program exports everything the shadow copy holds for that folder to the destination.
PhotoRec

The free PhotoRec utility works differently: it scans the disk for the contents of deleted files (file carving) and recovers them in batch, without needing shadow copies.

  • Download the archive from the developer's website and unpack it. The graphical version is qphotorec_win.exe.
  • After launching it, a dialog lists all available disk devices. Select the one that held the encrypted files and specify the path for the recovered copies.

Store the recovered copies on external media, for example a USB flash drive: every write to the affected disk risks overwriting the deleted originals and pushing out old shadow copies.

  • Once the directories are chosen, click the File Formats button.
  • The menu that opens lists the file types the application can recover. By default every type is ticked; to speed things up, clear the ones you do not need and leave only the types you are restoring. When done, click OK.
  • The Search button then becomes available. Click it. Recovery is a long process, so be patient.
  • When it finishes, click Quit and close the program.
  • The recovered files are in the directory you specified, spread over folders named recup_dir.1, recup_dir.2, recup_dir.3 and so on. PhotoRec does not recover file names, so go through the folders one by one and rename the files back.
Virus removal

Since the virus got onto the computer, the security software already installed did not do its job, so outside help is worth trying.

Important! Removing the virus disinfects the computer but does not restore the encrypted files. Moreover, installing new software may overwrite or push out some of the shadow copies needed for restoration, so install any applications on a different drive.

    Kaspersky Virus Removal Tool

A free program from a well-known antivirus vendor, downloadable from the Kaspersky Lab website. Once launched, Kaspersky Virus Removal Tool immediately offers to start a scan.

Click the large Start scan button and the program scans the computer.

All that remains is to wait for the scan to complete and remove the uninvited guests it finds.

    Malwarebytes Anti-malware

Another antivirus vendor that offers a free version of its scanner. The procedure is the same:

  • Download the Malwarebytes Anti-malware installer from the vendor's official page and run it, answering the questions and clicking Next.
  • The main window offers to update the program at once (a useful step that refreshes the malware database). Then start the scan with the corresponding button.
  • Malwarebytes Anti-malware scans the system step by step, showing intermediate results.
  • Anything found, ransomware included, is shown in the final window. Get rid of it with the Remove Selected button.

To remove some malicious applications correctly, Malwarebytes Anti-malware asks to reboot the system; agree to this. When Windows comes back up, the scanner continues cleaning.

What not to do

The XTBL virus, like other encryption viruses, damages both the system and the user's information. To limit the damage, observe a few precautions:

    1. Do not wait for encryption to finish. If you see files being encrypted before your eyes, do not wait for it to end or try to stop the process with software: cut the computer's power immediately and call a specialist.
    2. Do not try to remove the virus yourself if you can entrust it to professionals.
    3. Do not reinstall the system until treatment is complete. The virus will happily infect the new installation, and reinstalling destroys the traces the analysts need.
    4. Do not rename encrypted files. It only complicates the decryptor's job.
    5. Do not open files from the infected disk on another computer until the virus has been removed. The Trojan's body may be among them, and the infection may spread.
    6. Do not pay the extortionists. It is useless and encourages virus writers and scammers.
    7. Do not forget prevention. An installed antivirus, regular backups and restore points greatly reduce the possible damage from malware.

Treating a computer infected with an encryption virus is a long procedure and not always a successful one. That is why precautions matter when taking information from the network and working with unverified external media.

Read how to protect yourself from ransomware infection, how to remove XTBL from a computer, whether it is worth paying the ransom, and how to recover files encrypted by ransomware. Ransomware viruses are among the worst cyber infections you can encounter, and their reputation on the Internet is well earned: this is a truly frightening tool.

All ransomware is built on the same principle. Having slipped into the system unnoticed, it encrypts your files in order to demand a ransom from you for access to them.


    Ransomware virus

If you suddenly find one or all of your files renamed with the XTBL or another unfamiliar extension, you are out of luck: you have run into a ransomware virus. You will soon see a message demanding payment to unlock the files. Sometimes it is a window with text, sometimes a Readme text document on the desktop or even in every folder with files. The message may be duplicated in several languages besides English and contains all the demands of the attackers who created the virus.

It may seem simpler to pay and be rid of the virus, but it is not. Whatever the virus demands, do not agree: it would be a double blow. Your locked files will most likely remain unrecoverable; accept this and do not send money to unlock them, or you will lose money on top of the files.

You may receive a message like this:

    "All files on your computer including videos, photos and documents have been encrypted. Encryption was performed using a unique public key generated for this computer. To decrypt files you must use a private key.
    The only copy of this key is stored on a secret server on the Internet. The key will be automatically destroyed after 7 days and no one will be able to access the files."

    How a computer could become infected with a ransomware virus

A ransomware virus does not appear on a computer by magic. It consists of several components whose installation you have to approve personally, and of course the virus does not ask openly: it relies on tricks and deception.

For example, one of the most common ways in is through free programs, compromised sites or links. The infection may also pose as a Java or Flash Player update: you believe you are updating a program you know and give the green light to install something dangerous.

To avoid an unpleasant situation, be careful and attentive. Do not rush into any action you are not sure about. The main reason for catching a virus is user carelessness.

Removing the XTBL extension or changing file names

Why is the XTBL extension so dangerous? The ransomware finds all your files, including images, videos, music and documents, and encrypts them. Files of practically any format are affected: .doc, .docx, .docm, .wps, .xls, .xlsx, .ppt, .pptx, .pptm, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .mp3, .lnk, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif, .txt. Nothing protects them. Once encryption is complete, every file's extension has been changed to XTBL and the files no longer open.

Renaming a file or removing the XTBL extension does not restore access: the contents are still encrypted and can only be recovered with the private key. To obtain that key you would have to meet all the ransomware's conditions. But ask yourself: can you trust the attackers who infected your computer? Of course not; remember that the rules of the game are not in your favour from the start.
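As an added example (not from any of the articles quoted here) that ties together the symptoms described in the xtbl sections above, the .xtbl extension, the How to decrypt your files.txt note and the question of when encryption started, the PowerShell script below performs a read-only triage: it inventories the encrypted files, locates the ransom notes and reports the time window of the encryption run, which is exactly what you need to pick a shadow copy or a backup from before the infection. The extension and the note name are taken from the text; the set of folders scanned is an assumption.

```powershell
# Added example, not from the original article. Read-only triage of an .xtbl-type encryption:
# run it from a USB stick as the affected user and write nothing to the infected disk.

$Extension = '.xtbl'                                  # from the article; change for other families
$NoteName  = 'How to decrypt your files.txt'         # from the article
# Assumption: user data lives in the profile plus every non-system drive (USB disks, mapped shares).
$Roots = @($env:USERPROFILE) + @(Get-PSDrive -PSProvider FileSystem |
            Where-Object { $_.Root -ne "$env:SystemDrive\" } |
            ForEach-Object { $_.Root })

# 1. Every encrypted file (hidden files included; unreadable folders are skipped silently).
$encrypted = @(foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension }
})
if ($encrypted.Count -eq 0) {
    Write-Host "No *$Extension files found under: $($Roots -join ', ')"
    return
}

# 2. Time window: the Trojan rewrites every file, so the LastWriteTime of the earliest and the
#    latest encrypted file brackets the encryption run. Snapshots and backups older than $first are clean.
$sorted = @($encrypted | Sort-Object LastWriteTime)
$first  = $sorted[0].LastWriteTime
$last   = $sorted[-1].LastWriteTime
Write-Host ('{0} encrypted files; run from {1:yyyy-MM-dd HH:mm:ss} to {2:yyyy-MM-dd HH:mm:ss} ({3:N0} min)' -f $encrypted.Count, $first, $last, ($last - $first).TotalMinutes)
Write-Host "First file touched: $($sorted[0].FullName)"

# 3. Which folders were hit hardest (documents, photos, shares). Useful for the damage report.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize -Wrap

# 4. Ransom notes: one copy goes to the analysts together with an encrypted file, since the
#    note carries the victim ID. Do not delete the others; they are evidence, not infection.
$notes = @(foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -Filter $NoteName -ErrorAction SilentlyContinue
})
Write-Host "$($notes.Count) copies of '$NoteName' found"
if ($notes.Count -gt 0) {
    Write-Host "--- first note ($($notes[0].FullName)) ---"
    Get-Content -LiteralPath $notes[0].FullName -TotalCount 5
}
```

The value of $first is the date to compare shadow copies and backups against: anything created after it already contains encrypted data. If the run lasted only minutes and stopped abruptly, the machine was probably powered off mid-encryption, which is the case the articles above say is worth taking to the analysts as it is.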

    Is it worth paying for a decryption key?

What is the best case you can hope for? You pay the ransom and, let us say, receive a key, the key works and your files are unlocked. And then? What protects your data from being encrypted again the next day? Nothing.

By paying for access to your files you not only lose the money but also hand your personal and financial details to the scammers who built the virus. Do not let anyone into your private life. The amount demanded for a decryption key often exceeds $500. Ask yourself: are you prepared to expose your personal data and banking details to scammers and lose another $500 in exchange for a vague promise to decrypt your files? Get your priorities straight.

    Instructions for removing ransomware virus

    1. Kill the malicious process with Task Manager;
    2. Show hidden files.

    Kill the malicious process with Task Manager

    Show hidden files

    • Open any folder.
    • Select File - Change folder and search options.
    • Go to the View tab.
    • Enable Show hidden files and folders.
    • Disable Hide protected operating system files.
    • Click Apply to Folders, then Apply and OK.

    Determine the location of the virus

    1. Immediately after the operating system loads, press Windows + R.
    2. In the dialog box enter regedit. Be careful when editing the Windows registry; a mistake can make the system unbootable.
      Depending on your OS (x86 or x64), go to the branch
      or
      or
      and delete the value with the automatically generated name.

    Alternatively, run msconfig and double-check the virus's launch point there as well. Note that the process, folder and executable names are generated individually for each computer and will differ from those in the examples shown, so if you are not confident, use a professional antivirus program to identify and remove the virus.
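Both the xtbl description earlier on this page (the Run and RunOnce keys under HKCU) and the manual removal steps here come down to the same check: which autostart entries exist, and which of them were not put there by the user. As an added example, not part of either original article, the PowerShell script below lists every Run and RunOnce value in the per-user and machine hives (including the 32-bit view on x64), expands environment variables in the command line, and flags the pattern the articles describe: an automatically generated value name pointing at an executable in a user-writable folder. The "random name" and "suspicious folder" heuristics are assumptions of this example, not part of any vendor tool.

```powershell
# Added example, not from the original articles. Listing works as a standard user (HKLM is
# readable by everyone); removing an HKLM value requires an elevated session.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'      # 32-bit view on x64
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders any user can write to. A legitimate autostart program rarely lives here (heuristic).
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC,
                     "$env:SystemRoot\Temp") | Where-Object { $_ } | Sort-Object -Unique

# Properties Get-ItemProperty adds to every result; they are not registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-TargetPath {
    # Pulls the executable path out of an autostart command line:
    #   "C:\Program Files\X\x.exe" /silent    ->  C:\Program Files\X\x.exe
    #   C:\Users\u\AppData\Roaming\abc.exe    ->  C:\Users\u\AppData\Roaming\abc.exe
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.(exe|com|scr|bat|cmd|vbs|js|ps1))\b') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $command = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $target  = Get-TargetPath $command
        $reasons = @()

        # The executable, or something on its command line (a DLL for rundll32, a script), sits
        # in a user-writable folder.
        foreach ($root in $suspiciousRoots) {
            if ($target -like "$root\*" -or $command -like "*$root\*") {
                $reasons += "user-writable location ($root)"
                break
            }
        }
        # "Automatically generated name": a long alphanumeric mix, or a GUID (heuristic).
        if ($p.Name -match '^[A-Za-z0-9]{10,}$' -and $p.Name -match '\d' -and $p.Name -match '[A-Za-z]') {
            $reasons += 'random-looking name'
        }
        if ($p.Name -match '^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f-]{27}\}?$') { $reasons += 'GUID-style name' }
        # The binary is already gone (self-deleted, or the entry points somewhere hidden).
        if ($target -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $target)) {
            $reasons += 'target file missing'
        }

        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $command
            Flags   = $reasons -join '; '
        }
    }
}

# Flagged entries first.
$findings | Sort-Object { [string]::IsNullOrEmpty($_.Flags) } | Format-Table -AutoSize -Wrap

# To remove a flagged entry once the encrypted files and the Trojan body have been preserved for
# the analysts:
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<flagged value name>'
```

A flag is a reason to look, not proof: installers and portable tools legitimately start from AppData, and updaters sometimes use GUID-like names. Compare the flagged command line with what the user knows they installed, and keep in mind the earlier advice on this page: deleting the entry removes the launch point only, the encrypted files and the Trojan's body stay where they are for the analysts.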

    Recover files encrypted by XTBL virus

    If you have a backup of your important files, you are lucky: restore them from the backup after the virus has been removed. The backup may have been made by a program you configured, or without your involvement by one of the Windows tools: File History, restore points or a system image backup.

    If you work on a computer connected to a corporate network, ask the network administrator for help; most likely backups were set up by them. If the search for a backup fails, try a data recovery program.

    During encryption the virus creates a new file, writes the encrypted contents of the original into it and then deletes the original, so the original can sometimes be recovered. Download and install Hetman Partition Recovery (on another drive, so that nothing is overwritten on the affected one), run a full scan of the disk, and the program shows the files available for recovery. You will not get all your files back this way, but it is something.
