Both CrySiS and Troldesh/Shade Ransomware use an .xtbl extension on encrypted files.
Any files that are encrypted with CrySiS Ransomware will have an .<id-number>.<email>.CrySiS extension appended to the end of the encrypted data filename (e.g. mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl), and the ransomware leaves files (ransom notes) named How to decrypt your data.txt, How to decrypt your files.txt, How to get data back.txt.
Any files that are encrypted by Troldesh/Shade Ransomware will have an .xtbl extension appended to the end of the encrypted data filename. Any files that are encrypted by newer variants of Troldesh/Shade Ransomware are completely renamed with the format Base64(AES_encrypt(original file name)) but still have the .xtbl or .ytbl extension appended to the end of the filename (e.g. ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl).
You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
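The naming patterns described above can be checked locally before uploading samples. The following is an added example, not part of the original post: the regular expressions are assumptions generalised from the two example filenames and the ransom note names given here, and the sample list is constructed.

```python
import re

# Patterns generalised from the filename examples in the post above.
# They are assumptions for first-pass triage, not vendor signatures.
CRYSIS = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Za-z]+)\.(?P<email>[^@\s]+@[^@\s]+)\.xtbl$",
    re.I)
# Newer Troldesh/Shade: Base64-looking name, dot, long hex run, .xtbl or .ytbl
SHADE_RENAMED = re.compile(r"^[A-Za-z0-9+=\-]+\.[0-9A-F]{16,}\.(?:xtbl|ytbl)$")
# Older Troldesh/Shade: original name (with its own extension) plus .xtbl
SHADE_APPENDED = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.xtbl$", re.I)
CRYSIS_NOTES = {"how to decrypt your data.txt",
                "how to decrypt your files.txt",
                "how to get data back.txt"}

def classify(name):
    """Return (family, reason) for one file basename."""
    if name.lower() in CRYSIS_NOTES:
        return ("crysis", "ransom note name")
    m = CRYSIS.match(name)
    if m:
        return ("crysis", "id/email suffix on " + m.group("orig"))
    if SHADE_RENAMED.match(name):
        return ("troldesh-shade", "renamed to Base64.hex")
    if SHADE_APPENDED.match(name):
        return ("troldesh-shade", "plain .xtbl appended")
    return ("unknown", "no pattern matched")

def triage(names):
    """Group basenames by suspected family."""
    groups = {}
    for n in names:
        groups.setdefault(classify(n)[0], []).append(n)
    return groups

# Constructed sample listing; the first two names are the post's own examples.
SAMPLE = ["mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl",
          "ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl",
          "report.docx.xtbl",
          "How to decrypt your files.txt",
          "notes.txt"]

if __name__ == "__main__":
    for n in SAMPLE:
        print(n, "->", classify(n))
```

A filename match is only a hint for choosing which samples to submit; confirmation still comes from the encrypted files and ransom notes together.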