Savepanda ransomware, a CrySiS variant that uses the e-mail address [email protected] and the .xtbl suffix as the extension for the files it encrypts, was first discovered in late August 2016. Unlike the other CrySiS variants, of which there are tens, this ransomware is more widespread and more dangerous. One reason is that it uses the AES (Advanced Encryption Standard) algorithm to encrypt the files on the computer it has infected. After this, those files can no longer be opened, because their contents have been altered. The ransom note instructs the victim to contact the questionable e-mail address for more information, at which point the cyber-criminals open a negotiation over a hefty ransom fee in exchange for the files, a form of online extortion. If you are infected by Savepanda ransomware, do not pay any ransom to the cyber-crooks, because a decryptor for this virus exists.
Savepanda Ransomware in Detail
When the virus infects a machine, it immediately begins to drop files in the system folders of the primary hard drive. The following folders may be affected:
- %AppData%
- %SystemDrive%
- %Local%
- %Roaming%
The ransomware is also reported by users to create multiple files in the %Startup% folder. For those who do not know, anything dropped in this folder runs automatically on Windows startup. The files dropped there by the Savepanda virus may vary:
- The malicious file that encrypts the data.
- Text, .html and similar files containing a ransom note with instructions to contact the e-mail address for "customer support".
- A picture file that may also be set as the wallpaper.
Savepanda also targets a wide range of file types. The virus primarily focuses on encrypting documents, photos, archives, pictures, videos and audio files, but ESG malware researchers have found it to encrypt other types of files as well, such as:
→ .odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, .sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps. (Source: ESG)
After encryption has been completed, the virus appends its distinctive file extension, for example:
→New Text Document.txt.{UNIQUE ID}.{[email protected]}.{xtbl}
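The naming scheme above is what an incident responder works from when inventorying the damage: the original name, the victim ID and the contact address are all still present in the encrypted file name, and the encrypted files should be copied aside before any decryptor is run. The following Python script is an added example, not code from the page or from any vendor; it assumes, from the illustration above, that the ID is a single dot-free token, that the address sits in literal braces and that the suffix is `.xtbl`, and it uses a constructed directory listing with a placeholder address because the page obscures the real one.

```python
import re
import shutil
from pathlib import Path, PureWindowsPath

# Naming scheme as illustrated on the page:
#   New Text Document.txt.{UNIQUE ID}.{[email protected]}.{xtbl}
# Assumptions (the page does not pin these down): the ID is one dot-free token,
# the contact address is wrapped in literal braces, the suffix is ".xtbl".
XTBL_RE = re.compile(
    r"^(?P<original>.+?)\.(?P<id>[^.{}]+)\.\{(?P<email>[^{}@]+@[^{}]+)\}\.xtbl$",
    re.IGNORECASE,
)


def parse_xtbl_name(filename):
    """Return the original name, victim ID and contact address for an encrypted
    file name, or None if the name does not follow the .xtbl scheme."""
    m = XTBL_RE.match(filename)
    if m is None:
        return None
    return {
        "original": m.group("original"),
        "id": m.group("id"),
        "email": m.group("email").lower(),
    }


def triage(paths):
    """Split a directory listing into encrypted and untouched files and collect
    the IDs and contact addresses seen (one infection normally uses one ID)."""
    encrypted, untouched, ids, emails = [], [], set(), set()
    for p in paths:
        info = parse_xtbl_name(PureWindowsPath(p).name)
        if info is None:
            untouched.append(p)
            continue
        encrypted.append((p, info["original"]))
        ids.add(info["id"])
        emails.add(info["email"])
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "ids": sorted(ids),
        "emails": sorted(emails),
    }


def backup_encrypted(paths, quarantine_dir, dry_run=True):
    """Copy every encrypted file into quarantine_dir before any decryption
    attempt (the page warns that files may break during decoding). The
    encrypted name is kept so the ID and address remain recoverable. Returns
    the (src, dst) pairs; with dry_run=True nothing is written."""
    quarantine = Path(quarantine_dir)
    pairs = []
    for src, _original in triage(paths)["encrypted"]:
        dst = quarantine / PureWindowsPath(src).name
        if not dry_run:
            quarantine.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
        pairs.append((src, str(dst)))
    return pairs


# Constructed sample listing, not taken from a real infection. The page
# obscures the real contact address, so a placeholder address is used.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\New Text Document.txt.A1B2C3D4.{attacker@example.com}.xtbl",
    r"C:\Users\alice\Documents\budget.xlsx.A1B2C3D4.{attacker@example.com}.xtbl",
    r"C:\Users\alice\Pictures\holiday.jpg.A1B2C3D4.{attacker@example.com}.xtbl",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\Decryption instructions.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted, {len(result['untouched'])} untouched")
    print("victim IDs:", result["ids"], "contact:", result["emails"])
    for src, dst in backup_encrypted(SAMPLE_LISTING, "quarantine"):
        print(f"would copy {src} -> {dst}")
```

Run it with `dry_run=False` against a real listing only after the machine has been cleaned; more than one ID or address in the output means more than one infection (or variant) touched the files, which matters when choosing decryptor keys.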
The virus may also tamper with the shadow volume copies and local backups of the Windows machine, deleting them to further increase the chance of payment. This is usually done with the following command in the Windows Command Prompt:
→vssadmin delete shadows /all /quiet
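Because that command is rarely run legitimately by an interactive user, it is one of the most reliable process-creation signals for ransomware on a host. The Python below is an added example, not code from the page: it runs two rules over constructed process-creation records (in the spirit of Sysmon Event ID 1 or Security Event 4688, flattened to one line each, a format assumed for the example). The first rule matches the vssadmin command quoted above, tolerating case, extra whitespace and the `.exe` suffix; the second, an added generalisation beyond the page, catches the equivalent deletion via WMI.

```python
import re

# Process-creation records in the shape of Sysmon Event ID 1 / Security 4688
# flattened to one line each. Constructed for this example, not captured from
# a real host.
SAMPLE_LOG = """\
2016-08-30T10:14:02Z host=WS01 user=alice image=C:\\Windows\\explorer.exe cmd="C:\\Windows\\explorer.exe"
2016-08-30T10:15:11Z host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
2016-08-30T10:15:12Z host=WS01 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"
2016-08-30T10:20:45Z host=WS01 user=SYSTEM image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"
2016-08-30T10:21:00Z host=WS01 user=alice image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c VSSADMIN.EXE  Delete   Shadows /All /Quiet"
"""

CMD_RE = re.compile(r'cmd="(?P<cmd>[^"]*)"')

# Detection rules. The first matches the command quoted on the page; the
# second is an added generalisation (WMI can delete the same shadow copies).
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
}


def normalize(cmd):
    """Collapse whitespace runs so padded or mixed-case variants still match."""
    return " ".join(cmd.split())


def detect_shadow_deletion(log_text):
    """Return one hit per process-creation line whose command line deletes
    volume shadow copies, with the line number and the rule that fired."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = CMD_RE.search(line)
        if m is None:
            continue
        cmd = normalize(m.group("cmd"))
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append({"line": lineno, "rule": rule, "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_deletion(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['rule']} -> {hit['cmd']}")
```

Note that `vssadmin list shadows` is deliberately not flagged; the rules key on the destructive verb, not on the binary, so backup software that enumerates shadow copies does not produce noise.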
The Distribution Technique of Savepanda Ransomware
Similar to other XTBL ransomware viruses, Savepanda may spread by brute-forcing login credentials, which gives the attackers direct, interactive access to the targeted computer; in the CrySiS family this usually means Remote Desktop (RDP) logons exposed to the Internet.
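Credential brute-forcing leaves a distinctive trail in the Windows Security log: many failed logons (Event ID 4625) from one source address in a short window, often cycling through account names, followed by a successful logon (Event ID 4624) from the same address when a password finally works. The Python below is an added example, not code from the page; it assumes RDP as the brute-forced service (LogonType 10, RemoteInteractive), which the page does not state explicitly, and it runs over constructed one-line event records rather than a real log export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log records (4625 = failed logon, 4624 = successful logon)
# flattened to one line each. LogonType 10 is RemoteInteractive, i.e. RDP.
# Constructed for this example, not captured from a real host.
SAMPLE_EVENTS = """\
2016-08-28T02:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2016-08-28T02:00:02Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7
2016-08-28T02:00:03Z EventID=4625 LogonType=10 TargetUser=user SrcIP=203.0.113.7
2016-08-28T02:00:04Z EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.7
2016-08-28T02:00:05Z EventID=4625 LogonType=10 TargetUser=test SrcIP=203.0.113.7
2016-08-28T02:00:06Z EventID=4625 LogonType=10 TargetUser=guest SrcIP=203.0.113.7
2016-08-28T02:03:00Z EventID=4624 LogonType=10 TargetUser=backup SrcIP=203.0.113.7
2016-08-28T02:10:00Z EventID=4625 LogonType=10 TargetUser=alice SrcIP=198.51.100.5
2016-08-28T02:10:05Z EventID=4625 LogonType=10 TargetUser=alice SrcIP=198.51.100.5
2016-08-28T09:12:40Z EventID=4625 LogonType=2 TargetUser=alice SrcIP=127.0.0.1
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one flattened record; returns None for lines in another shape."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(m.group("id")),
        "logon_type": int(m.group("lt")),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5), logon_type=10):
    """Raise a 'bruteforce' alert the first time a source IP reaches `threshold`
    failed logons of the given type inside `window`, and a
    'success_after_bruteforce' alert for any later successful logon from an IP
    that was already flagged (the moment the attacker gets in)."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) of failures in the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != logon_type:
            continue
        ip = ev["ip"]
        if ev["id"] == 4625:
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # slide the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "bruteforce",
                    "ip": ip,
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),
                    "first": q[0][0],
                    "last": ev["ts"],
                })
        elif ev["id"] == 4624 and ip in flagged:
            alerts.append({
                "type": "success_after_bruteforce",
                "ip": ip,
                "user": ev["user"],
                "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert type is the one to page on: a successful logon from an address that was just hammering the host means the ransomware operator is already inside, and the encryption typically follows within minutes. The two failures from 198.51.100.5 stay below the threshold and are not reported, so a user mistyping a password does not trigger the rule.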
Other techniques may include spreading malicious files or web links carrying malicious JavaScript via spam messages on social media or web forums. In addition, e-mail spam, such as a fake invoice, receipt or letter from a bank, may also be encountered. Experts advise users to be cautious and to pre-scan attachments with online services such as VirusTotal before opening them.
Remove Savepanda from Your Computer and Decrypt .xtbl Files
Before beginning any decryption attempt, it is strongly advisable to first remove Savepanda ransomware completely from your computer. To remove it completely, use an anti-malware scanner for maximum effectiveness, especially if you have no experience with manual malware removal.
After doing this, we advise you to download the decryptor for Savepanda ransomware and try to decode your files, but back up the encrypted files before attempting decryption, because they may also break during the process: