Ransomware

By CagedTech in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 9
First Seen: August 23, 2016
OS(es) Affected: Windows

The Ransomware belongs to an extensive family of ransomware that can be identified by its use of the extension '.XBTL' to mark the files it has encrypted. Like other ransomware Trojans, the Ransomware is designed to take the victim's files hostage by encrypting them with a strong encryption algorithm. This family uses email addresses as the contact channel for its ransom demands and tends to target enterprise systems rather than individuals. Some of the most damaging attacks attributed to threats in the Ransomware's family have hit servers belonging to businesses, resulting in significant monetary losses and affecting numerous customers. PC security analysts advise computer users not to pay the Ransomware's ransom, since these payments are what allow the con artists to keep creating variants in this threat family. Instead, maintain a robust backup policy so that encrypted files can be restored quickly from a backup copy.

How the Ransomware's Attack Works

The Ransomware attack is simple and similar to countless other encryption ransomware Trojans. The Ransomware may arrive on the victim's computer through a corrupted email attachment. It encrypts the victim's files using its strong encryption algorithm and then drops a ransom note in the form of a text file. The ransom note informs the victim of the attack and contains instructions on how to pay the ransom through an anonymous payment method. In the case of the Ransomware, computer users are instructed to send an email to the email address.

When the Ransomware enters a computer, it may be dropped as a file with the extension EXE, DLL, TMP, VBS, BAT or CMD. This file may be delivered to one of the following directories on the targeted computer:


The file containing the Ransomware may be named so that it appears to be a legitimate file belonging to the Windows operating system. Once installed, the Ransomware changes Windows settings so that it runs automatically whenever Windows starts up. To carry out its attack, the Ransomware will search for the following file types on the victim's computer:


Whenever the Ransomware finds a file of one of these types, it encrypts it using its strong encryption algorithm. In every directory where it encrypts a file, the Ransomware drops a text file containing its ransom message. The Ransomware also changes each encrypted file's extension to '.XBTL'.

Mitigating the Effects of a Ransomware Attack

Unfortunately, it may not be possible to decrypt files encrypted by the Ransomware without access to the decryption key. Because of this, keeping backups of all files is essential. With backups in place, computer users can easily restore the files encrypted by the Ransomware from the backup location, making it unnecessary to pay the ransom demand.

SpyHunter Detects & Removes Ransomware

File System Details

The Ransomware may create the following file(s):

#   File Name       MD5                               Detections
1.  Payload33.exe   8fdf33752a626f8c40ca948d01225892  8
2.  Payload1.exe    976d5f82cf82cd8079324f2f071b19d7  1
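An added triage script (not from this page or its vendor) that turns the indicators above into a defender's check: it walks a directory tree, lists every directory holding '.XBTL' files together with the text-file note dropped beside them (the behaviour described under "How the Ransomware's Attack Works"), and hashes candidate dropper files against the two MD5s in the table. The sample tree, the note file name and the dummy dropper (whose MD5 is the standard test-vector hash of b"abc") are constructed for the demo, not real artifacts.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators from the page: the appended extension and the two listed payload MD5s.
ENCRYPTED_EXT = ".xbtl"
DROPPER_EXTS = {".exe", ".dll", ".tmp", ".vbs", ".bat", ".cmd"}
KNOWN_PAYLOAD_MD5 = {
    "8fdf33752a626f8c40ca948d01225892": "Payload33.exe",
    "976d5f82cf82cd8079324f2f071b19d7": "Payload1.exe",
}


def md5_of(path: Path) -> str:
    """Stream a file through MD5 so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, known_md5: dict = KNOWN_PAYLOAD_MD5) -> dict:
    """Inventory directories holding '.XBTL' files plus the .txt note beside them, and hash droppers."""
    affected, payload_hits = {}, []
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        if encrypted:  # the page says the note is dropped only where files were encrypted
            notes = sorted(f for f in files if f.lower().endswith(".txt"))
            affected[os.path.relpath(dirpath, root)] = {"encrypted": encrypted, "notes": notes}
        for f in files:
            p = Path(dirpath, f)
            if p.suffix.lower() in DROPPER_EXTS and (d := md5_of(p)) in known_md5:
                payload_hits.append((os.path.relpath(p, root), d, known_md5[d]))
    return {"affected_dirs": affected, "payload_hits": payload_hits}


def demo() -> dict:
    """Run triage on a constructed sample tree (no real malware): one hit dir, one clean dir, one dummy dropper."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "docs").mkdir()
        (base / "docs" / "report.docx.XBTL").write_bytes(b"\x00" * 64)  # constructed "encrypted" file
        (base / "docs" / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")
        (base / "clean").mkdir()
        (base / "clean" / "readme.txt").write_text("untouched directory, must not be flagged")
        (base / "dropper.exe").write_bytes(b"abc")  # MD5 of b"abc" is the RFC 1321 test vector
        known = dict(KNOWN_PAYLOAD_MD5, **{"900150983cd24fb0d6963f7d28e17f72": "constructed dropper"})
        return triage(base, known)
```

Point `triage()` at a mounted image or a user's profile directory during an incident; the relative paths in the result are what you would hand to the recovery and containment steps.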

