Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

Ransomware’s developers distribute it using email spam, and if you open a malicious attachment containing this malware, all of your valuable files will become encrypted. However, you should remove this application instead of complying with the demands of the cyber criminals behind this infection, who want to extract money from you. They “offer” to sell you the decryption key, and, truth be told, it is your only chance of getting your files back because its encryption has yet to be broken. However, you should not trust the criminals to deliver the key once you have paid, and even if they do, there is no way of knowing whether it will work.

When you open the malicious email attachment containing this ransomware, its main executable is placed in one of seven possible locations that include %WINDIR%\Syswow64, %WINDIR%\System32, and %ALLUSERSPROFILE%\Start Menu\Programs\Startup. In most cases, the name of the executable is completely random, but on rarer occasions the executable has “payload” in its name. Once on your PC, it will run automatically and determine which files in which locations to encrypt. According to our analysis, this ransomware is set to encrypt most of the files on your PC, but it will skip some folders, particularly those that are vital to running Windows. When it encrypts the files, it appends the .xtbl extension to their names, and it will also add the email address and a unique 7-digit ID number. Ransomware uses the RSA cryptosystem with a 2048-bit key size. Note that this encryption is quite strong, and breaking it is next to impossible.

After completing the encryption process, Ransomware will drop a file named how to decrypt your files.jpg in C:\Users\{your user name} which is set as your desktop wallpaper. The image features text suggesting writing an email to to get your encrypted files back. Furthermore, it will create another file named Decryption instructions.txt that is placed on the desktop. It is a text file, and it reads “All of your files are encrypted, to decrypt them write me to email: In case of no answer in 24 hours, write to” Again, this file also suggests contacting to decrypt the files. However, you should know that its creators will want you to purchase a decryption key/program to get your files back, and it may not come cheap. Based on our experience with similar ransomware, we think that the payment could be anywhere between 2 (1,217 USD) and 4 Bitcoins (2,431 USD). We stress that there is no guarantee that you will get the promised decryptor once you have paid the ransom because the criminals might not even bother giving it to you.

We have dealt with similar ransomware before, and we do not recommend complying with the demand to pay because the criminals might not hold up their end of the bargain. Note that Ransomware is nearly identical to Ransomware, Ransomware, and Ransomware. However, that is not the complete list because there are dozens of clones that are still on the loose. As far as the distribution channels are concerned, we found that this program and its clones are distributed via malicious emails that contain zipped attachments that run a malicious script when opened and infect your computer silently.

In closing, Ransomware is one dangerous piece of programming that can cause much damage to your computer. Once it has encrypted your files, it is too late to do anything about it, as you have only two choices: either pay the ransom and hope to decrypt your files, or delete it entirely using an antimalware program such as SpyHunter or our manual removal guide provided below. We recommend choosing the second option because trusting cyber criminals is a bad idea.

Remove the files

  1. Hold down Windows+E keys.
  2. Enter the following addresses in the address bar.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  3. Find and delete the executable file.
  4. Enter C:\Users\{your user name} in the address box and delete C:\Users\user\how to decrypt your files.jpg
  5. Delete Decryption instructions.txt from the desktop.
  6. Close the window.

Delete the registry string

  1. Press Windows+R keys.
  2. Type regedit in the box and click OK.
  3. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find and delete the randomly named REG_SZ string with Value data of one of the file paths to the executable.
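
Before deleting anything by hand, the locations from both procedures can be checked together. The PowerShell below is an added example, not part of the original guide or of any vendor tool: it only reads, and it lists HKLM Run values whose data points into one of the seven folders, executables sitting directly in a Startup folder, and the two ransom-note files. The signature column and the handling of quoted value data are assumptions of this example.

```powershell
# Added example: read-only triage of the locations named in this guide.
# Nothing is deleted; review the output before removing anything.

# The seven folders from the "Remove the files" steps, exactly as the guide lists them.
$folders = @(
    '%WINDIR%\Syswow64',
    '%WINDIR%\System32',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') }

# 1. HKLM Run values whose data points at an executable inside one of those folders.
$runKey  = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runHits = foreach ($name in $runKey.GetValueNames()) {
    $data = [Environment]::ExpandEnvironmentVariables([string]$runKey.GetValue($name))
    # Value data may be quoted and carry arguments; keep only the path up to ".exe".
    if ($data -match '^\s*"?(?<path>[^"]+?\.exe)') {
        $exe = $Matches['path']
        $dir = Split-Path -Path $exe -Parent
        if ($folders -contains $dir) {   # -contains compares strings case-insensitively
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { 'FileMissing' }
            [pscustomobject]@{ ValueName = $name; Executable = $exe; Signature = $sig }
        }
    }
}

# 2. Executables sitting directly in a Startup folder (these normally hold shortcuts).
$startupHits = $folders | Where-Object { $_ -like '*\Startup' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter '*.exe' -File -ErrorAction SilentlyContinue }

# 3. The two ransom-note files the guide names.
$notes = @(
    (Join-Path $env:USERPROFILE 'how to decrypt your files.jpg'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Decryption instructions.txt')
) | Where-Object { Test-Path -LiteralPath $_ }

$runHits     | Format-Table -AutoSize
$startupHits | Select-Object FullName, CreationTime, Length | Format-Table -AutoSize
$notes
```

Legitimate Windows components also register Run values under System32, so a hit in the first table is a candidate to inspect, not proof of infection; the randomly named value the guide describes is the one to look for.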