{"id":53114,"date":"2016-10-17T05:00:35","date_gmt":"2016-10-17T12:00:35","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=53114"},"modified":"2025-06-04T02:16:50","modified_gmt":"2025-06-04T09:16:50","slug":"ransomware-variant-xtbl-another-example-of-popular-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/","title":{"rendered":"Ransomware Variant XTBL Another Example of Popular Malware"},"content":{"rendered":"<p>We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of\u00a0the\u00a0low-profile XTBL, a ransomware family that encrypts files and demands ransom from its victims to decrypt the files. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers have used various social engineering tricks to distribute these samples disguised as a document (.pdf, .doc, .xls, etc.) 
file via double-extension trick to lure users into opening the file.<\/p>\n<p>A sample spam email may look like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-53133 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png\" alt=\"spam_xtbl\" width=\"589\" height=\"438\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spam_XTBL-300x223.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spam_XTBL.png 627w\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/p>\n<h2>We analyzed XTBL and found it does the following:<\/h2>\n<ul>\n<li>Encrypts and deletes all user files including executables.<\/li>\n<li>Deletes all backup copies.<\/li>\n<li>Adds self-copies for rerunning.<\/li>\n<li>Demands ransom.<\/li>\n<\/ul>\n<h2>After its activity, XTBL sets wallpaper as below:<\/h2>\n<p><strong><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"wp-image-53135 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Screen_xtbl-300x156.png\" alt=\"screen_xtbl\" width=\"626\" height=\"326\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Screen_xtbl-300x156.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Screen_xtbl.png 624w\" sizes=\"auto, (max-width: 626px) 100vw, 626px\" \/><\/strong><\/p>\n<p><strong>Analysis<\/strong><\/p>\n<p>In our static analysis of the malware sample, we found that it holds some encrypted data in its overlay. 
Upon execution, it decrypts this data, an executable, and injects it into its own subprocess.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53124 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/injected_XTBL-300x129.png\" alt=\"injected_xtbl\" width=\"660\" height=\"284\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/injected_XTBL-300x129.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/injected_XTBL.png 570w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<p>This injected component is used for further infection. It decrypts all configuration information required for its infection. The information it contains:<\/p>\n<ul>\n<li>RSA key size (first\u00a04-byte group).<\/li>\n<li>RSA key followed by key size.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53131 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/RSA_XTBL-300x75.png\" alt=\"rsa_xtbl\" width=\"620\" height=\"155\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/RSA_XTBL-300x75.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/RSA_XTBL.png 642w\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" \/><\/p>\n<ul>\n<li>RSA exponent:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53132 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/RSAExponent_XTBL-300x10.png\" alt=\"rsaexponent_xtbl\" width=\"630\" height=\"21\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/RSAExponent_XTBL-300x10.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/RSAExponent_XTBL.png 647w\" sizes=\"auto, (max-width: 630px) 100vw, 630px\" \/><\/p>\n<ul>\n<li>Mail ID, where all information is sent:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53127 aligncenter\" 
src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/mailAddr_XTBL-300x18.png\" alt=\"mailaddr_xtbl\" width=\"633\" height=\"38\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/mailAddr_XTBL-300x18.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/mailAddr_XTBL.png 645w\" sizes=\"auto, (max-width: 633px) 100vw, 633px\" \/><\/p>\n<ul>\n<li>&#8220;Magic&#8221; number used:\n<ul>\n<li>006VGL (6 bytes). We have observed that each variant uses a different magic number, though the\u00a0pattern remains the same, for example, 00{number}[A-Z]{3}.<\/li>\n<\/ul>\n<\/li>\n<li>Name of mutex created:\n<ul>\n<li>Global\\snc_{filename}<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Path to exclude from encryption:\n<ul>\n<li>%windir%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Files to exclude from encryption:\n<ul>\n<li>Svchost.exe<\/li>\n<li>Explorer.exe<\/li>\n<li>Boot.ini<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Name of dropped components:\n<ul>\n<li>How to decrypt your files.txt.<\/li>\n<li>DECRYPT.jpg<\/li>\n<li>%desktop%\\Log.txt<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>For persistence, the malware drops its copy in %windir% and %appdata% and creates a run entry:\n<ul>\n<li>Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>It also sends 159 bytes of data to the host:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53130 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/postData_XTBL-300x53.png\" alt=\"postdata_xtbl\" width=\"635\" height=\"112\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/postData_XTBL-300x53.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/postData_XTBL.png 611w\" sizes=\"auto, (max-width: 635px) 100vw, 635px\" \/><\/p>\n<p>This data contains the victim\u2019s computer name, globally unique identifier, user ID, and magic number:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53121 
aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/DataSent_XTBL-300x146.png\" alt=\"datasent_xtbl\" width=\"626\" height=\"305\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/DataSent_XTBL-300x146.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/DataSent_XTBL.png 634w\" sizes=\"auto, (max-width: 626px) 100vw, 626px\" \/><\/p>\n<p>This injected file creates a separate thread for each drive. Each of these threads creates a further four threads responsible for:<\/p>\n<ul>\n<li>Traversing directory<\/li>\n<li>Renaming file<\/li>\n<li>File encryption<\/li>\n<li>Deleting original file<\/li>\n<\/ul>\n<p>This ransomware family uses the CreateFileW API in\u00a0nonshare mode as an antidebugging technique.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53119 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/CreateFile_XTBL-300x85.png\" alt=\"createfile_xtbl\" width=\"626\" height=\"177\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CreateFile_XTBL-300x85.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CreateFile_XTBL.png 624w\" sizes=\"auto, (max-width: 626px) 100vw, 626px\" \/><\/p>\n<p>We found several steps for encrypting files.<\/p>\n<h2><strong>Key generation<\/strong><\/h2>\n<p>20 bytes of space is allocated for creating the key, which is generated using two sources, _ftime64() and Rand(), as shown:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-53125 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/key_gen_XTBL-300x139.png\" alt=\"key_gen_xtbl\" width=\"640\" height=\"297\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/key_gen_XTBL-300x139.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/key_gen_XTBL.png 593w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>The key is generated as follows:<\/p>\n<ul>\n<li>Dword_42C0A4 = 
Dword_42C0A4 ^ (1000*ms)<\/li>\n<li>Dword_42C0A8 = Dword_42C0A4 ^ ((1000*ms) | data)<\/li>\n<li>Dword_42C0AC = Dword_42C0A8 ^ rand ()<\/li>\n<li>Dword_42C0B0 = Dword_42C0B0 ^ 0 i.e. 0<\/li>\n<\/ul>\n<p>The key may look like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-53126 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Key_XTBL-300x17.png\" alt=\"key_xtbl\" width=\"635\" height=\"36\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Key_XTBL-300x17.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Key_XTBL.png 618w\" sizes=\"auto, (max-width: 635px) 100vw, 635px\" \/><\/p>\n<p>The ransomware computes the MD5 hash of 20 bytes of the generated key to get 16 bytes of data.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53128 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Md5_XTBL-300x37.png\" alt=\"md5_xtbl\" width=\"640\" height=\"79\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Md5_XTBL-300x37.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Md5_XTBL.png 618w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>These 16 bytes will be used to encrypt the generated key using the RC4 algorithm.<\/p>\n<p>To summarize, the key is generated using the following\u00a0pseudocode:<\/p>\n<ul>\n<li>Data = ([epochs]) ([ms*1000]) ([rand()]) ([0000])<\/li>\n<li>Key = RC4(md5(Data),Data)<\/li>\n<\/ul>\n<p>The key is encrypted using an RSA key in the configuration information.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>File encryption<\/strong><\/h2>\n<p>Files are encrypted using the\u00a0<a href=\"https:\/\/github.com\/openssl\/openssl\/blob\/2f8e53d7944b3d659c8ae678163eb0f096a6d992\/crypto\/aes\/aes_core.c\">AES256 algorithm<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53116 aligncenter\" 
src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/AES_256_pseudo_XTBL-300x121.png\" alt=\"aes_256_pseudo_xtbl\" width=\"638\" height=\"257\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/AES_256_pseudo_XTBL-300x121.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/AES_256_pseudo_XTBL-768x309.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/AES_256_pseudo_XTBL.png 945w\" sizes=\"auto, (max-width: 638px) 100vw, 638px\" \/><\/p>\n<p>Original files will be deleted after encryption and encrypted files will be renamed as follows:<\/p>\n<ul>\n<li>Filename.ID{Id}.mail_address.XTBL<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53122 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Encrypted_File_XTBL-300x25.png\" alt=\"encrypted_file_xtbl\" width=\"660\" height=\"55\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_File_XTBL-300x25.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_File_XTBL.png 648w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<p>Each of the encrypted files is appended with data that\u00a0holds some important fields:<\/p>\n<ul>\n<li>Encrypted filename<\/li>\n<li>Magic number (6 bytes)<\/li>\n<li>Randomly generated initial vector for each file (10 bytes)<\/li>\n<li>Padding (10 bytes)<\/li>\n<li>RSA block (80 bytes)<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-53123 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Encrypted_footer_xtbl-300x87.png\" alt=\"encrypted_footer_xtbl\" width=\"634\" height=\"184\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_footer_xtbl-300x87.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_footer_xtbl.png 544w\" sizes=\"auto, (max-width: 634px) 100vw, 634px\" \/><\/p>\n<h2><strong>List of 
Domains<\/strong><\/h2>\n<ul>\n<li>bebgimeozel.com<\/li>\n<li>dd24.net<\/li>\n<li>rrpproxy.net<\/li>\n<li>key-systems.net<\/li>\n<li>tuginsaat.com<\/li>\n<\/ul>\n<h2><strong>How to prevent this infection<\/strong><\/h2>\n<p>We advise all users to be careful when opening unsolicited emails and clicking unknown links. We strongly advise all users to block the preceding domain names.<\/p>\n<p>McAfee products detect these XTBL variants as Ransom-XTBL-FUL!&lt;partial-md5&gt;\u00a0and Ransom-XTBL-FUM!&lt;partial-md5&gt;.<\/p>\n<p><em>This post was prepared with the invaluable assistance of Rakesh Sharma\u00a0and G N Sivagnanam.<\/em><\/p>\n<h2><strong>Analyzed samples (SHA-1)<\/strong><\/h2>\n<ul>\n<li>E3AA4A3882FED182986A642F05B3711156CA5354: injected component<\/li>\n<li>A07A1660EBD71BFF4B640665208D2ADE51791E69: attachment<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180,4549],"coauthors":[3973],"class_list":["post-53114","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware","tag-ransomware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Ransomware Variant XTBL Another Example of Popular Malware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"We have seen a huge increase in ransomware during the past couple of years. 
At McAfee Labs we have recently received a sample of\u00a0the\u00a0low-profile XTBL, a\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware Variant XTBL Another Example of Popular Malware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of\u00a0the\u00a0low-profile XTBL, a\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-10-17T12:00:35+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T09:16:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spam_XTBL.png\" \/>\n\t<meta property=\"og:image:width\" content=\"627\" \/>\n\t<meta property=\"og:image:height\" content=\"467\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Ransomware Variant XTBL Another Example of Popular Malware\",\"datePublished\":\"2016-10-17T12:00:35+00:00\",\"dateModified\":\"2025-06-04T09:16:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/\"},\"wordCount\":658,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\",\"ransomware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/\",\"name\":\"Ransomware Variant XTBL Another Example of Popular Malware | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png\",\"datePublished\":\"2016-10-17T12:00:35+00:00\",\"dateModified\":\"2025-06-04T09:16:50+00:00\",\"description\":\"We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of\u00a0the\u00a0low-profile XTBL, a\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Ransomware Variant XTBL Another Example of Popular Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https
:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransomware Variant XTBL Another Example of Popular Malware | McAfee Blog","description":"We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of\u00a0the\u00a0low-profile XTBL, a","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Ransomware Variant XTBL Another Example of Popular Malware | McAfee Blog","og_description":"We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of\u00a0the\u00a0low-profile XTBL, a","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-10-17T12:00:35+00:00","article_modified_time":"2025-06-04T09:16:50+00:00","og_image":[{"width":627,"height":467,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/spam_XTBL.png","type":"image\/png"}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Ransomware Variant XTBL Another Example of Popular Malware","datePublished":"2016-10-17T12:00:35+00:00","dateModified":"2025-06-04T09:16:50+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/"},"wordCount":658,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png","keywords":["computer security","cybercrime","endpoint protection","malware","ransomware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/","name":"Ransomware Variant XTBL Another Example of Popular Malware | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png","datePublished":"2016-10-17T12:00:35+00:00","dateModified":"2025-06-04T09:16:50+00:00","description":"We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of\u00a0the\u00a0low-profile XTBL, a","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/spam_XTBL-300x223.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ransomware-variant-xtbl-another-example-of-popular-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee 
Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Ransomware Variant XTBL Another Example of Popular Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for 
everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/53114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=53114"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/53114\/revisions"}],"predecessor-version":[{"id":215081,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/53114\/revisions\/215081"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=53114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=53114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=53114"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=53114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}