All Products
Document Center

Recover from ransomware attacks

Last Updated: May 07, 2018

A ransomware is a malware (a Trojan or another type of virus) that locks your device or encrypts your files, and then tells you that you have to pay ransom to get your data back. The ransom is not cheap, and there’s no guarantee of success. If a file in your system is encrypted or the desktop displays an extortion message, it indicates that the system has been infected with ransomware. Currently known ransomwares are mostly spread by email.

This article provides solutions for ransomwares to help you recover from ransomware attacks.

Do not pay ransom

If your business is unfortunately infected, we recommend that you do not pay the ransom to the extortioners, expecting them to recover your data.

Recover your data

The most effective way to fix the encrypted files is to restore a previous data backup. If you do not have additional data backup, you can use tools released by security vendors to decrypt the data.

Note: Because ransomware variants may appear in a short period of time, data recovery does not always guarantee success.

Ransomware decryptors

Most ransomware viruses were cracked by Kaspersky Labs, a security vendor. You can find a ransomware decryptor from following pages:

XTBL and Wallet ransomwares

XTBL and Wallet are two common ransomwares. The specific information is as follows.

  • Virus name: XTBL (decryptable), Wallet (not decryptable yet)
  • Virus type: Ransomwares virus
  • Purpose: Hackers are interest-driven and do not accept cash. They request Bitcoin for the extortion deal.
  • Method: Hackers encrypt hundreds of file type suffixes or applications, and change the original suffix of the file name to: or
  • Hazard level: High risk
  • Means of intrusion: Remotely control protocol vulnerability (RDP weak password) and disclose the password. Hackers may also use any other means to upgrade the method of intrusion.
  • Virus characteristics: All the encrypted files contain the hacker’s contact information.

    • Samples of XTBL infected files:


    • Samples of WALLET infected files:


  • Decryption: XTBL Decryptor

Safety standard for data recovery

  • We recommend that you redeploy or roll back the system with a previous snapshot of the normal state, and perform security hardening for the operating system and application code.

  • Modify the accounts and passwords of all the management ports and configure strong passwords. We recommend that you use security group policies to limit access. Do not open the management port and management backend to the Internet, and only open necessary business ports.

  • Configure regular snapshot policies for ECS immediately after the recovery is complete, and back up data to a remote location.

  • Perform a complete security check on your business and fix any vulnerabilities found right away.

Data security measures

  • Back up important documents.

    • The best backup practice is to follow the “3-2-1 rule”, namely, save data to at least three copies, in two different formats, and in one remote storage location.
    • If conditions permit, we recommend that you make full backups. If the amount of data is too large, you can choose to perform real-time full and incremental backups from time to time.
    • We recommended that you use the Alibaba Cloud snapshot and OSS remote backup solutions.
  • If you need remote management, you can use ECS security group or firewall to limit connected remote clients. Do not open the host to the Internet.

  • Install enterprise-level anti-virus software. We recommend that you use Symantec and Kaspersky commercial anti-virus software. For Linux servers, you can use Clam.

  • Install the latest versions of security patches. Outdated operating systems or software are prone to ransomware targets. So regularly updating your software and operation systems can strengthen your computer’s security.

  • Malwares often target the Remote Desktop Protocol (RDP). Disable RDP when you do not need remote connections to effectively block attacks from malware.

    • Configure a strong password policy.
    • Modify the account and password for remote control and properly manage your passwords.
    • Regularly update the administrator account name and password policies.
  • Improve safety awareness and implement data security measures.

For more information, see Protect yourself from ransomware attacks.