Fix .XTBL Files Encrypted by Savepanda Ransomware



This ransomware virus, which belongs to the CrySiS family, uses the e-mail [email protected] and appends the .xtbl suffix to the files it encodes. It was first discovered in late August 2016. Unlike the other CrySiS variants, which number in the tens, this ransomware is more widespread and more dangerous. One reason is that it uses the AES (Advanced Encryption Standard) algorithm to modify the files on the infected computer; afterwards those files can no longer be opened, because their contents have been altered. The virus instructs victims to contact the questionable e-mail address for more information, where the cyber-criminals begin a negotiation to pay a hefty ransom fee and get the files back – a new form of online extortion. If you are infected by Savepanda ransomware, make sure not to pay any ransom to the cyber-crooks, because there is a decryptor for this virus.

Savepanda Ransomware in Detail

Once the virus infects a machine, it immediately begins to drop files in the system folders of the primary hard drive. The following folders may be affected:

  • %AppData%
  • %SystemDrive%
  • %Local%
  • %Roaming%

Users report that the ransomware also creates multiple files in the %Startup% folder. For those who do not know, anything dropped in this folder runs automatically on Windows startup. The files dropped there by the Savepanda virus may vary:

  • A malicious file that encrypts the data.
  • Text, .html and similar files that may contain a ransom note with instructions to contact the e-mail for “customer support”.
  • A picture file that may also be set as the wallpaper.

Savepanda also targets a wide range of file types. The virus primarily focuses on encrypting photos, archives, pictures, videos and audio files, but ESG malware researchers have discovered that it encrypts other types of files as well, such as:

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, .sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps (Source: ESG)

After the encryption has been completed, the virus appends its distinctive file extension, for example:

New Text Document.txt.{UNIQUE ID}.{[email protected]}.{xtbl}

The virus may also tamper with the shadow volume copies and the local backups of the Windows machine, deleting them to further increase the chance of payment. This is usually done via the following command in the Windows Command Prompt:

vssadmin delete shadows /all /quiet
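The two traces described above, the renamed-file layout and the shadow-copy wipe command, are what a responder would hunt for in file-creation and process-creation telemetry. The following triage script is an added example, not code from the original article or from any vendor: the ID, e-mail and paths in the sample events are constructed placeholders, and the regexes assume the segment order given in the article (original name, unique ID, e-mail, xtbl), with optional braces around segments.

```python
import re

# Name layout described above: <original>.<UNIQUE ID>.<e-mail>.xtbl. CrySiS-family
# samples wrap some segments in braces, so braces are accepted but not required.
XTBL_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.\{?(?P<uid>[^.\s{}]+)\}?"
    r"\.\{?(?P<email>[^\s{}]+@[^\s{}]+)\}?"
    r"\.\{?xtbl\}?$",
    re.IGNORECASE,
)

# Shadow-copy wipe quoted above; switch order varies, so match verb, noun and
# the /all switch anywhere in the command line.
VSSADMIN_WIPE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b.*/all", re.IGNORECASE)

def parse_xtbl_name(filename):
    """Split an encrypted file name into original name, ID and contact e-mail."""
    m = XTBL_NAME.match(filename)
    if not m:
        return None
    return {"original": m.group("original"), "uid": m.group("uid"),
            "email": m.group("email")}

def is_shadow_copy_wipe(cmdline):
    return bool(VSSADMIN_WIPE.search(cmdline))

def triage(events):
    """events: (kind, value) pairs from file-create / process-create telemetry."""
    findings = []
    for kind, value in events:
        if kind == "file_created":
            parsed = parse_xtbl_name(value)
            if parsed:
                findings.append(("encrypted_file", parsed["original"], parsed["email"]))
        elif kind == "process_created" and is_shadow_copy_wipe(value):
            findings.append(("shadow_copy_wipe", value, None))
    return findings

# Constructed sample telemetry; the ID and e-mail are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ("file_created", "New Text Document.txt.{1A2B3C4D}.{attacker@example.invalid}.{xtbl}"),
    ("file_created", "report.docx.id-1A2B3C4D.{attacker@example.invalid}.xtbl"),
    ("file_created", "budget.xlsx"),
    ("process_created", r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"),
    ("process_created", "vssadmin list shadows"),
]
```

Running `triage(SAMPLE_EVENTS)` flags both renamed files and the deletion command while ignoring the benign file and the read-only `vssadmin list shadows`; the recovered original names tell you which files to restore from offline backup.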

The Distribution Technique of Savepanda Ransomware

Similar to other XTBL ransomware viruses, Savepanda may spread via brute-forcing, which gives the hackers immediate access to the targeted computer.

Other techniques may include spreading the malicious files, or web links with malicious JavaScript, via spammed messages on social media or web forums. Furthermore, e-mail spam messages, such as a fake invoice, receipt or letter from a bank, may also be encountered. Experts advise users to take caution and pre-scan files with online services like VirusTotal before opening them.

Remove Savepanda from Your Computer and Decrypt .xtbl Files

Before beginning any type of decryption process, it is strongly advisable to first remove the Savepanda ransomware fully from your computer. To remove it completely, you should use an anti-malware scanner for maximum effectiveness, especially if you don’t have experience with manual removal of malware.


After doing this, we advise you to download the decryptor for Savepanda ransomware and try to decode your files, but back up the files before trying to decode them, because they may also break during the process:

