One of the top three ransomware threats has been discovered by Kaspersky with the encryption extension “.xtbl” and “.ytbl.” It is not at this time repairable.

Kaspersky researchers have named the threat Ransom.Win32.Shade. Other security firms have detected it as Trojan.Encoder.858 and Ranson:Win32/Troldesh.

The Trojan itself, which has mostly infected systems in Russia, Ukraine and Germany, hasn't really evolved but that “the format of the encrypted file's name, the C&C server addresses and the RSA keys have been changing.”




A victim visiting a compromised site—either one that belongs to cybercriminals or a site that has been hacked—is unwittingly infected.

Kaspersky explained that the victim typically has no clue that the site is compromised and “malicious code on the website exploits a vulnerability in the browser or a plugin, and the Trojan is then covertly installed in the system,” the post said. “Unlike the spam delivery method, the victim doesn't even have to run an executable file.”

Source: SCMagazine