Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


infected with Variant: nomoneynohoney.xtbl, Any decypriton tools for this one?

  • Please log in to reply
2 replies to this topic

#1 Shonuf888


  • Members
  • 1 posts
  • Local time:09:46 AM

Posted 27 October 2016 - 11:31 AM

 Any decypriton tools for this one?


Any help is much appreicated

BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,591 posts
  • Gender:Male
  • Location:USA
  • Local time:07:46 AM

Posted 27 October 2016 - 04:04 PM

Have you used ID Ransomware to identify the ransomware? Troldesh/Shade uses similar formats. It is best to upload a ransom note as well as the encrypted file for it to identify by. There are a few other variants going around using the .xtbl extension, but ID Ransomware will pick them up based on known email addresses or patterns with the filenames.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,095 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:46 AM

Posted 27 October 2016 - 04:35 PM

Any files that are encrypted by newer variants of Troldesh/Shade Ransomware are completely renamed with the format Base64(AES_encrypt(original file name) but still have the .xtbl or .ytbl extension appended to the end of the filename (i.e. ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl. Troldesh (Shade) leaves files (ransom notes) named README1.txt, READEME2...README10.txt and How to decrypt your files.txt.

Any files that are encrypted with CrySiS Ransomware will have an .<id-number>.<email>.CrySiS or .<id-number>.<email>.xtbl extension appended to the end of the encrypted data filename (i.e. mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl) and leave files (ransom notes) named How to decrypt your data.txt, How to decrypt your files.txt, How to get data back.txt.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users