Experience with Ransom Virus, .xtbl


#1 MadMoe00



Posted 20 May 2016 - 04:40 PM

Hi all,
I recently had an attack with an encrypting Ransom Virus where it has changed all my files to originalfilename.originalextension.id-AA7C30D3{dakinibless@india.com}.xtbl. There was a NAS storage attached and another server also mapped as a network drive, which were also affected and encrypted. After submitting some files to Kaspersky through a local distributor here, I got the word that these files are encrypted through a Public Key and a Private Key and they cannot be decrypted. So the last resort was to contact either johnycryptor@aol.com or the email address that is clearly shown on all of the file names.

Long story short, after the negotiations were done we agreed on 1BTC for the decryption. Yet before sending me the decryptor, the hacker provided an application that searches for supposedly the public keys. Before doing anything I isolated the server from the network, meaning the NAS and the other server network drive, so after a complete successful scan which took around 30 mins the decryptor came out with one key only, which I sent to the hacker for the decryption key, or, to my limited knowledge, the private key.

After a successful decryption of the files, which took a couple of hours, I have restored my server. Yet the NAS and other server files were also encrypted under the same name. I have restored the NAS and tried the same decryption utility sent by the hacker, specifying the network mapped drive. The utility detected that there were encrypted files but could not decrypt any of the files on the NAS. I did a complete scan with the NAS attached to the whole system, and now the utility came up with 2 Public keys, meaning 1 for the server and the other for the NAS. If I contact the hacker again, of course he will ask for more money to get the other decryption keys for the NAS and the server. So I thought I would post them here and someone can suggest: if I already know one public and private key, then if I have a new public key, can I deduce or conclude the decryption private key of the NAS and server?

Any help would be very much appreciated!!

And they are as follows:

Encryption public key which was scanned and found on my server:

Decryption private key which was sent by the hacker:

Encryption public key which was scanned and found on NAS:

One thing to note is that although the naming convention applied to the files is the same on the server and the NAS, the encryption public and private keys are very much different.






#2 Demonslay335


    Ransomware Hunter


Posted 20 May 2016 - 05:04 PM

So the files on the server and on the NAS had the same ID in the filenames as well?


I believe this is part of Troldesh or another kit. I'm not familiar with what asymmetric encryption algorithm is used. I'm suspecting it is something that uses a 324 byte key based on the keys you provided, but I may be misinterpreting the data.


Would you be able to supply the programs they gave you, including the "public key finder"? You may submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


#3 quietman7


    Bleepin' Janitor


Posted 20 May 2016 - 07:07 PM

Troldesh is a crypto-ransomware variant created in Russia that appends encrypted data files with an .XTBL or .YTBL extension to the end of each filename using GNU Privacy Guard (GPG) Cryptography, a data encryption and decryption program. GPG uses the OpenPGP standard which includes symmetric as well as asymmetric encryption. In later versions, Kaspersky Lab advises the malware added the infected computer’s ID and then the .xtbl extension to the file name like this example... ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl. According to ESET, the newer variants append an additional .<id-random>.<email>.xtbl extension.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections.

To avoid unnecessary confusion, this topic is closed.

The BC Staff
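
Added example, not part of the original posts and not code from anyone in the thread: a small parser for the file-name patterns quoted above that counts encrypted files per volume by ID and contact address, which is the comparison asked about in post #2. The sample file names, the optional dot and braces around the address, and the 20-hex-digit length of the older ID are assumptions.

```python
import re
from collections import defaultdict

# Newer naming as written in this thread: <name>.id-<ID>{<email>}.xtbl
# Assumption: the dot before the address and the braces around it are optional.
NEWER = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[0-9A-F]+)\.?\{?"
    r"(?P<contact>[^{}\s]+@[^{}\s]+?)\}?\.(?P<ext>[xy]tbl)$", re.IGNORECASE)
# Older naming quoted from Kaspersky: <encoded name>.<ID>.xtbl
# Assumption: the ID is 20 hex digits, the length of the one example quoted.
OLDER = re.compile(
    r"^(?P<encoded>.+)\.(?P<id>[0-9A-F]{20})\.(?P<ext>[xy]tbl)$", re.IGNORECASE)

def parse_name(name):
    """Describe an encrypted file name, or return None if it matches neither pattern."""
    m = NEWER.match(name)
    if m:
        return {"scheme": "newer", "original": m["original"],
                "id": m["id"].upper(), "contact": m["contact"].lower()}
    m = OLDER.match(name)
    if m:
        # The first field is an encoded name, so the original name is not available.
        return {"scheme": "older", "original": None,
                "id": m["id"].upper(), "contact": None}
    return None

def inventory(names_by_volume):
    """Map (id, contact) -> {volume: file count} so volumes can be compared."""
    groups = defaultdict(lambda: defaultdict(int))
    for volume, names in names_by_volume.items():
        for name in names:
            info = parse_name(name)
            if info:
                groups[(info["id"], info["contact"])][volume] += 1
    return {key: dict(counts) for key, counts in groups.items()}

# Constructed listing: file names are invented; the ID, address and the older-style
# name are the ones quoted in the thread.
SAMPLE = {
    "server": ["budget.xlsx.id-AA7C30D3{dakinibless@india.com}.xtbl", "notes.txt"],
    "nas": ["photo.jpg.id-AA7C30D3{dakinibless@india.com}.xtbl",
            "ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl"],
}

if __name__ == "__main__":
    for key, volumes in inventory(SAMPLE).items():
        print(key, volumes)
```

The grouping only reflects what is in the file names; as the first post reports, two volumes carrying the same naming can still have been encrypted under different key pairs.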