YTBN Ransomware [.ytbn Files] – How to Remove & Decrypt?

YTBN is a new variant of ransomware that can be infected computer together with some pirated software.

Ytbn Ransomware

Ytbn virus is a very complicated and dangerous ransomware, that can harm your system as well as your data. It can be appropriately named as DJVU/STOP ransomware infection.

The technique that is utilized by the greater part of current ransomware is quite simple, and Ytbn (like the whole STOP/Djvu family) utilizes this pattern, too. It generates a duplicate of every file, encrypts that duplicate byte-by-byte, and afterward eliminates the original document, swapping it with the encrypted duplicate. The encryption algorithm is AES-256, that means that there are about 2^256 separate passkeys1 – it is difficult to decrypt with some basic techniques, like brute force. It would be best if you worked with decryption tools.

GridinSoft Anti-Malware
Editor's choice
GridinSoft Anti-Malware
Manual YTBN virus removal might be a very hard or even impossible process that requires very high skills and may carry a significant risk for your system. GridinSoft Anti-Malware is a professional antivirus tool that is recommended to get rid of ransomware and other viruses.
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for GridinSoft Anti-Malware. 6 days free trial available.

You will likely never miss the moment when Ytbn ransomware will start its action, especially if you store a lot of data on your hard drive. Weak computer owners will definitely spot the ransomware activeness much earlier. It needs a noticeable amount of RAM/CPU for the encryption process, so if you have a cheap laptop or deeply outdated computer with HDD as a storage device, your PC will go through significant productivity loss.

Besides possible productivity plummeted, you can see an escalating amount of files with .ytbn extension. These files are already ciphered, and you can’t open them using any program. All at once, together with the appearance of the encrypted file, readme.txt files can show up. In this file, you will see the information regarding getting in touch with the ransomware creators, getting the decryption key, and working with their own decryption app. The ransom sum generally fluctuates from $490 to $980, relying on the time going after the file encryption activity. The suggested transaction option is the payment in Bitcoin, and thanks to the large amounts of fraud among the internet exchanging systems, you may come to be the victim of one more team of cybercriminals.

.YTBN virus message
The scary alert demanding from users to pay the ransom to decrypt the compromised data contains these frustrating warnings

There are 2 kinds of keys that can be utilized by ransomware. Offline keys are used in the case when the encryption process is executed when your system is not connected to the web. Such a key is much easier to decrypt because there is a limited number of offline keys. As you can guess, the online key is utilized when your personal computer is online during the encryption procedure. Online keys are stored on the remote web server, which ransomware distributors handle. You can determine if your documents are encrypted by online or offline key executing the following easy actions. Search in the next path with file explorer “%System Root%\SystemID\PersonalID.txt”, then search for the entries in this document that ends on “t1”. If there are some, you are lucky, considering that virus can decrypt your data faster and with far less risk of failure.

Here is a details for the Ytbn:

Ransomware family2 DJVU/STOP3 ransomware
Extension .ytbn
Ransomware note _readme.txt
Ransom From $490 to $980 (in Bitcoins)
Contact [email protected], [email protected]
Symptoms Your files (photos, videos, documents) have a .ytbn extension and you can’t open it
Fix Tool See If Your System Has Been Affected by .ytbn file virus

As a result of some particular elements of encryption, you can still use a portion of your files. Ytbn ransomware encrypts only the initial 150KB of every file. Therefore, it is possible to open documents that are much bigger than 150KB – music, video, voice notes, etc. Such players as Winamp have the ability to start the encrypted files (but you require to take away the .ytbn extension primarily), with the only notable consequence – the first few seconds of the recording will definitely not be accessible because this part of the file is secured.

How was I infected?

Ransomware can be injected in many ways, but there are two methods that are the most popular nowadays.

Ransomware attack scheme
Ransomware injection scheme

As it was stated, ransomware representatives are not pretty inventive in dispersing methods. The lion’s share of .ytbn virus infiltrations is against email spamming. A victim gets an e-mail that looks similar to a message from the parcel post company, an invoice from the vehicle lending firm, et cetera. However, the sender’s address does not look acquainted: typically, it is a group of randomly-picked numbers and letters, like “[email protected]”. Corporations normally utilize addresses that represent their own names, so the use of such an unusual email address must raise suspicion. But, as the practical cases show, people generally do not inspect the email sender’s address, click on the links, or open the attached files with no doubt. Ytbn ransomware is concealed in this attachment or in the file, which will be downloaded after following the web link.

The second (by success) manner of ransomware distribution is trojan viruses. In the last several years, trojans turned into all-in-one viruses: one malware may be composed of spyware, backdoor, keylogger, and downloader; the last one is used to recover the viruses the user deletes them and to download new and new malware. Ransomware can be featured in original trojan packaging or downloaded later by malware downloader. It is quite tough to predict when the ransomware will show itself.

Do not pay for Ytbn!

Please, try to use the available backups, or the tools offered below

There is completely no warranty that .ytbn malware distributors will send you the decryption key, especially if you had an extensive dialogue with them through the e-mail. Their decryption tool can additionally be the origin of extra malware. Finally, even when they send you the decryption key, only ransomware distributors know if it can decrypt your documents. And they do not deserve your trust.

The main reason that paying the ransom is a bad suggestion is that the cash you sent as a ransom can be utilized for funding worrying outlaw activities. Cybercrimes commonly fund drug dealing/making, human trafficking, murder – all these crimes and ransomware attacks are among them. Needless to say, there is still a large number of attacks that are commenced just for earning revenue. Nonetheless, you never know who you are actually going to pay off the ransom.

Several additional words regarding the conversation with Ytbn ransomware representatives. There were many situations when last were collecting the email addresses of their targets and then offering this collection to the third party. The third-party might be whoever, perhaps even various other malware developers. And it is quite an undesirable effect to get your email spammed, specifically after the stress made by ransomware. There is totally no warranty that you will not press on one of these attachments, again, so the bad story can repeat.

As you can see, there are many factors that make paying the ransom quite a doubtful procedure. It is far more secure and economical to use anti-malware software to clean off the .ytbn virus out of your computer and decryption or file recovery programs to acquire your files back. You will see the guidelines for its removal right below.

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organizations that paid the ransom is almost $1.4m, while for those who didn’t give into ransom demands, the average cost is half of that, coming in at $732,000.4

How to delete Ytbn virus?

Besides ransomware, your computer is likely infected with other malware. GridinSoft Anti-Malware is easy-to-use and efficient tool5 that can surely wipe all malware out of your PC, and create a perfect shield that will protect your computer from further malware injections.

To get rid of YTBN malware from your computer, it is highly recommended to utilize an antivirus tool. Manual removal is likely impossible because it creates many additional registry keys and has a branchy file location method. Cleaning this up by hand may cause system failure or, possibly, partial malware clearing, so the Ytbn virus will have the chance to revive itself. However, maybe problematic even with anti-malware tools.

Microsoft Defender, which seems like an obvious option, is certainly capable of ransomware clearing, However, in the majority of incidents, Ytbn ransomware itself, or with the help of trojan virus that is utilized to insert the ransomware, disables the Defender through the Group Policies and Windows registry editing. Thus, it is much better to use a separate security tool that doesn’t come with such vulnerabilities. I advise you to use GridinSoft Anti-Malware – a user-friendly and efficient tool that will definitely help you with ransomware elimination.

  1. Install GridinSoft Anti-Malware
  2. GridinSoft Anti-Malware installation stage 1
  3. After the app is installed, you will be offered to make a standard scan. Allow this action.
  4. GridinSoft Anti-Malware during the scan process
  5. During the scan process, you can see the detected malware, but to perform any actions against these viruses, you need to wait until the scan is over.
  6. GridinSoft Anti-Malware post-scan window
  7. Scan is finished, malware is detected. Click “Clean Now” to wipe the malware out, including Ytbn ransomware. In less than 30 seconds your PC will be cleaned up.

How to decrypt the .ytbn files?

Emsisoft Decryptor for STOP Djvu is created specially for decrypting the files, which were ciphered by Ytbn ransomware

After the ransomware is eliminated, you can begin the file revival. It is suggested to create a separated system back-up. If something wrong takes place in the process of data revival, you will be free, to begin with, the point before the recovery operation. To do the decryption and revival, we need to use Emsisoft Decryptor for STOP Djvu and PhotoRec; both of them are cost-free.

Using Emsisoft Decryptor for STOP Djvu

  1. Download and install Emsisoft Decryptor
  2. Emsisoft Decryptor installation window
  3. After the successful setup, you will see the window where you can specify the folders where the encrypted documents are kept.
  4. Emsisoft Decryptor interface
  5. When the decryption operation is done, the program will notify you.

Use PhotoRec app to recover the original files from the disk

Ransomware encryption method allows the use of file recovery tools for getting your files back. Below, you can see the detailed instructions of this operation.

Ytbn ransomware encryption mechanism feature is following: it encrypts every file byte-by-byte, and then writes a document duplicate , removing (and not overriding!) the initial data. As a result, the data location’s info on the physical drive is lost, but the original data is not erased from the physical storage. The cell, or the cluster where this data was stored, can still contain this file. However, it is not shown by the file system and can be overwritten by the information that has been packed into this disk after the removal. For this reason, it is possible to recover your files by making use of special software.

PhotoRec is an open-source app that is initially designed for file recovery from destroyed disks or for file recovery in case if they are deleted by accident. Nevertheless, as time has passed, this program can recover the data of 400 various extensions. Therefore, it can be utilized for data retrieval after the ransomware attack.

Initially, you need to download this application. It is 100% free. However, the programmer states that there is no certainty that your data will be regained. PhotoRec is spread in a pack with another tool of the same programmer – TestDisk. The downloaded archive will have the TestDisk title, however, do not panic. PhotoRec files are right within.

To open PhotoRec, you need to find and open “qphotorec_win.exe” file. No installation is required – this program has all the files it needs inside of the archive. Hence, you can fit it on your USB drive and try to help your friend/parents/anyone who has been attacked by DJVU/STOP ransomware.

PhotoRec root directory

After the launch, you will see the screen showing you the full list of your disk spaces. However, this information is likely useless because the required menu is placed a bit higher. Click this bar, then choose the disk which was attacked by ransomware.

PhotoRec main screen

After choosing the disk, you need to choose the destination folder for the recovered files. This menu is located at the lower part of the PhotoRec window. The best decision is to export them on a USB drive or any other type of removable disk.

Choose the destination folder in PhotoRec

Then, you need to specify the file formats. This option is located at the bottom, too. As it was mentioned, PhotoRec can recover files of about 400 different formats.

File formats in PhotoRec

Finally, you can start files recovery by pressing the “Search” button. You will see the screen where the results of the scan and recovery are shown.

PhotoRec during the file recovery

  1. About AES-256 encryption on Wikipedia
  2. My files are encrypted by ransomware, what should I do now?
  3. About DJVU (STOP) Ransomware.
  4. ZDNet article about ransom payments
  5. Reasons why I recommend GridinSoft Anti-Malware

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button