Following the emergence of the WannaCry ransomware attack campaign last week, another, possibly bigger outbreak raging predominantly across the Ukraine is underway. The culprit? A new ransomware called XData.
It was spotted over the weekend by security researcher MalwareHunter. MalwareHunter is one of the people behind the ID-Ransomware service that enables users to submit ransomware samples for analysis. XData was submitted via the service.
The infections with XData across Ukraine have been increasing so rapidly it has raised XData to the second most active ransomware strain, second to the ever dominant Cerber.
XData caught the attention of the team due to its rapid spread across Ukraine where, in one day, XData made four times as many victims when compared with the total for the entire week of WannaCry’s reign.
WannaCry has already infected hundreds of thousands of systems across the globe, but if you consider the current rate of XData infection in Ukraine, Russia and Germany, the global impact of XData would far outshine that of WannaCry.
Meet XData
TheXData ransomware was initially spotted in May 2017 and while its distribution method is currently unknown, these are the files and processes currently found on an infected host:
mssql.exe
msdns.exe
msdcom.exe
mscomrpc.exe
XData utilises AES encryption to encrypt files, to which it changes the extension to~xdata~.
For example, a file named photo.png becomes photo.png.~xdata~.
Once the encryption process is complete, the following ransom note appears:
Unfortunately, at this stage, there is no way to decrypt files locked by the XData ransomware. Researchers will continue to look into this latest outbreak.
We’ll keep you updated on any changes.