Important for Savepanda victims!
Encrypted files may not be the only harm Savepanda has done to your computer. Savepanda may still be active on your machine and may spread to other computers on your network. To detect whether you are still at risk and to eliminate the threat, we recommend downloading SpyHunter.
This ransomware virus belongs to the CrySiS variants. It uses the e-mail [email protected] and adds the .xtbl suffix as a file extension to the files it encodes, and it was first discovered in late August 2016. Unlike other CrySiS variants, which number in the tens, this ransomware virus is more widespread and more dangerous. One reason for that is that it uses the AES (Advanced Encryption Standard) encryption algorithm to modify the files on the computer it infects. After this, those files can no longer be opened, primarily because they have been altered. The virus tells the victim to contact the questionable e-mail address for more information, where the cyber-criminals begin a negotiation over a hefty ransom fee to get the files back, a new form of online extortion. If you are infected by Savepanda ransomware, make sure not to pay any ransom to the cyber-crooks, because there is a decryptor for this virus.
Savepanda Ransomware in Detail
When the virus infects a machine, it immediately begins to drop files in the system folders of the primary hard drive. The following folders may have been affected:
Users also believe that the ransomware virus creates multiple files in the %Startup% folder. For those who do not know, anything dropped in this folder runs automatically on Windows startup. The files dropped in this folder by the Savepanda virus may vary:
A malicious file that encrypts the data.
Text files, .html files and similar files that may contain a ransom note with instructions to contact the e-mail for “customer support”.
A picture file that may also be set as a wallpaper.
Savepanda also supports a wide range of file types that it infects and alters. The virus primarily focuses on encrypting photos, archives, pictures, videos and audio files, but ESG malware researchers have discovered that it encrypts other types of files as well, such as:
The virus may also tamper with the shadow volume copies and the local backup of the Windows machine, deleting any backups to further increase the chance of payment. This is usually done via the following command in Windows Command Prompt:
vssadmin delete shadows /all /quiet
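Defenders can watch for this command in process-creation telemetry. The following detection sketch is an added example and not part of the original article; the pipe-delimited log format, host names, process names and severity labels are constructed assumptions.

```python
# Constructed sample process-creation records: time | host | parent | command line.
# The format and every value below are made up for this example.
SAMPLE_LOG = r'''
2016-09-01T10:02:11Z | WS-014 | explorer.exe | "C:\Windows\System32\notepad.exe" C:\notes.txt
2016-09-01T10:05:40Z | WS-014 | cmd.exe | vssadmin list shadows
2016-09-01T10:05:52Z | WS-014 | unknown.exe | "C:\Windows\System32\VSSADMIN.EXE"  Delete Shadows /All /Quiet
2016-09-01T10:09:03Z | SRV-02 | mmc.exe | vssadmin.exe delete shadows /for=C: /oldest
2016-09-01T10:11:27Z | WS-021 | cmd.exe | cmd.exe /c vssadmin delete shadows /quiet /all
'''

VSSADMIN_NAMES = ("vssadmin", "vssadmin.exe")


def classify(cmdline):
    """Return None, 'medium' or 'high' for one process command line."""
    # Drop quotes, ignore case and collapse whitespace before matching.
    tokens = cmdline.replace('"', " ").lower().split()
    for i, tok in enumerate(tokens):
        # Compare only the file name so a full path still matches.
        if tok.rsplit("\\", 1)[-1] not in VSSADMIN_NAMES:
            continue
        args = tokens[i + 1:]
        if args[:2] != ["delete", "shadows"]:
            continue  # e.g. "vssadmin list shadows" is read-only
        switches = {a for a in args[2:] if a.startswith("/")}
        # /all together with /quiet is the form quoted in the article:
        # every shadow copy removed with no confirmation prompt.
        return "high" if {"/all", "/quiet"} <= switches else "medium"
    return None


def scan(log_text):
    """Return (time, host, parent, severity, cmdline) for each matching record."""
    hits = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(" | ", 3)]
        if len(parts) != 4:
            continue  # blank or malformed line
        when, host, parent, cmdline = parts
        severity = classify(cmdline)
        if severity:
            hits.append((when, host, parent, severity, cmdline))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  ")
```

Targeted deletions such as `/for=C: /oldest` are rated lower because administrators use them for routine maintenance, but they are still worth reviewing alongside the parent process.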
The Distribution Technique of Savepanda Ransomware
Similar to other XTBL ransomware viruses, the Savepanda ransomware may spread via a brute-forcing technique, which gives hackers immediate access to the targeted computer.
Remove Savepanda from Your Computer and Decrypt .xtbl Files
Before beginning any type of decryption process, it is strongly advisable to first remove the Savepanda ransomware fully from your computer. To remove it completely, you should use an anti-malware scanner for maximum effectiveness, especially if you don’t have experience with manual removal of malware.
After doing this, we advise you to download the decryptor for Savepanda ransomware to try to decode your files, but back up the files before trying to decode them, because they may also break during the process: