Threat Database Ransomware XData Ransomware

XData Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: May 21, 2017
OS(es) Affected: Windows

In the aftermath of the WannaCry ransomware infection, PC security researchers have received reports of a new widespread attack involving the XData Ransomware, a similar ransomware Trojan that is being used to carry out numerous ransomware attacks in Ukraine currently. Hundreds of computers were infected in Ukraine within the span of only 24 hours on May 19, 2017. The XData Ransomware carries out a typical ransomware attack, encrypting the victims' files to demand the payment of a ransom from the victim. It is crucial to take steps to protect computers from ransomware Trojans like this one, especially as the XData Ransomware attacks start spreading beyond the Ukraine's borders. More than 90% of all victims of the XData Ransomware are active in Ukraine currently, but new victims have started appearing in the Baltic region, Germany and Russia.

The XData Ransomware is Among the Most Active Threats Currently

The XData Ransomware attack is on a rampage in Ukraine currently, claiming four times more victims in this country than the total reported for an entire week for the WannaCry Ransomware, which has the capacity to spread on its own. Ukraine was ranked fifth in the list of countries most affected by the WannaCry outbreak. Currently, the XData Ransomware is the second most active ransomware Trojan according to current daily statistics, only behind the Cerber ransomware family, that is clearly the most widespread ransomware variant.

Currently it is not known how the XData Ransomware is spreading to victims. The following file processes have been associated with the XData Ransomware attack, which may help PC security researchers identify the XData Ransomware variants or threats related to this ransomware family:

  • mssql.exe
  • msdns.exe
  • msdcom.exe
  • mscomrpc.exe

How the XData Ransomware Carries out Its Attack

The XData Ransomware uses the AES encryption to make the victims' files unusable. This is a strategy typical of most ransomware Trojans. The files affected in the XData Ransomware attack will have the file extension '.~xdata~' included at the end of each file's name, making it simple to know which files have been compromised at any given time in the XData Ransomware attack. The XData Ransomware will encrypt the files contained on network drives and external memory devices connected to the infected computer, as well as the files contained on the victim's main drives. After encrypting victims' files, the XData Ransomware will drop its ransom note on the victim's computer in the form of a text file named 'HOW_CAN_I_DECRYPT_MY_FILES.txt.' Below is the full text of the ransom note displayed in the XData Ransomware attack:

'Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.
Encryption was prodused using unique public key for this computer.
To decrypt files, you need to obtain private key and special tool.
To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.
Depending on your operation system version and personal settings, you can find it in:
'C:/Documents and Settings/All Users/Application Data',
'Your Desktop'
folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').
Then send it to one of following email addresses:
Do not worry if you did not find key file, anyway contact for support.'

Dealing with the XData Ransomware

Unfortunately, as soon as the files have been encrypted in the XData Ransomware attack, it becomes impossible to restore the files without paying the ransom. Because of this, it is imperative that computer users take steps to back up all files on an external memory device or the cloud. Having a trustworthy backup system can make you invulnerable to the XData Ransomware and other ransomware attacks completely. This is because the ability to restore files from a backup removes any leverage the extortionists have that allows them to demand a ransom payment. Apart from file backups, PC security researchers recommend the use of a reliable, fully updated anti-malware application.

SpyHunter Detects & Remove XData Ransomware

File System Details

XData Ransomware may create the following file(s):
# File Name MD5 Detections
1. mssql.exe a0a7022caa8bd8761d6722fe3172c0af 2
2. file.exe c6a2fb56239614924e2ab3341b1fbba5 0

Related Posts


Most Viewed