XData ransomware infection heatmap

A new ransomware strain named XData has wreaked havoc in Ukraine in the last 24 hours, locking computers for hundreds of users.

The first to spot this new strain was Malwarebytes security researcher Emphyrio, but it was a security researcher who goes by the name of MalwareHunter who sounded the alarm earlier today.

MalwareHunter, who is one of the people behind the ID-Ransomware service, told Bleeping Computer that XData made four times more victims in Ukraine today than the more virulent, self-spreading WannaCry ransomware made there during the whole past week. XData's numbers are remarkable if we take into account that Ukraine was the fifth most affected country in terms of WannaCry infections.

Furthermore, based on the same ID-Ransomware data, XData was the second most active ransomware family today, just behind Cerber, the undisputed leader of the ransomware world.

XData statistics for May 19, 2017

According to MalwareHunter, 95% of these victims were users from Ukraine, but XData also made victims in Russia, Germany, and Estonia.

The distribution method for this XData campaign is currently unknown. What we do know are the names of the files and processes the ransomware spawns on an infected host, which may indirectly reveal some clues about its distribution vector:

mssql.exe
msdns.exe
msdcom.exe
mscomrpc.exe

XData uses the AES encryption algorithm to encrypt files, to which it appends the extension .~xdata~, so a file named image.png becomes image.png.~xdata~.

Files encrypted by the XData ransomware

Besides local files, XData will also encrypt unmapped network shares. Once the encryption process ends, the ransomware drops a ransom note on the user's PC named HOW_CAN_I_DECRYPT_MY_FILES.txt.

XData ransom note

Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.
 
Encryption was prodused using unique public key for this computer.
To decrypt files, you need to obtain private key and special tool.
 
To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.
Depending on your operation system version and personal settings, you can find it in:
'C:/',
'C:/ProgramData',
'C:/Documents and Settings/All Users/Application Data',
'Your Desktop'
folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').
 
Then send it to one of following email addresses:
 
begins@colocasia.org
bilbo@colocasia.org
frodo@colocasia.org
trevor@thwonderfulday.com
bob@thwonderfulday.com
bil@thwonderfulday.com
 
Your ID: [PC-NAME]#[VICTIM_ID]
 
Do not worry if you did not find key file, anyway contact for support.

Currently, there is no way to decrypt files locked by the XData ransomware without paying the ransom. As researchers continue to look into this threat, we'll update you on any new developments.

IOCs (SHA-256 hashes):

92ad1b7965d65bfef751cf6e4e8ad4837699165626e25131409d4134f031a497
d174f0c6ded55eb315320750aaa3152fc241acbfaef662bf691ffd0080327ab9
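As an added example (not code from the article or from MalwareHunter), the following Python script triages a mounted volume or extracted disk image for the host artefacts described above: the .~xdata~ extension, the .key.~xdata~ key file, the HOW_CAN_I_DECRYPT_MY_FILES.txt note, the four process names, and the two IOC hashes. The directory layout it builds is constructed for the dry run, and the function and variable names are my own.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators quoted from the article: spawned process names, the extension
# appended to encrypted files, the key file suffix and the ransom note name.
ENCRYPTED_EXT = ".~xdata~"
KEY_FILE_SUFFIX = ".key.~xdata~"
RANSOM_NOTE = "HOW_CAN_I_DECRYPT_MY_FILES.txt"
PROCESS_NAMES = {"mssql.exe", "msdns.exe", "msdcom.exe", "mscomrpc.exe"}
IOC_SHA256 = {  # SHA-256 hashes listed under IOCs at the end of the article
    "92ad1b7965d65bfef751cf6e4e8ad4837699165626e25131409d4134f031a497",
    "d174f0c6ded55eb315320750aaa3152fc241acbfaef662bf691ffd0080327ab9",
}

def triage(root) -> dict:
    """Walk `root` and bucket every XData artefact by indicator type."""
    found = {"encrypted": [], "key_files": [], "notes": [],
             "suspect_exes": [], "ioc_matches": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name
        if name.endswith(KEY_FILE_SUFFIX):   # test before the generic extension
            found["key_files"].append(str(path))
        elif name.endswith(ENCRYPTED_EXT):
            found["encrypted"].append(str(path))
        if name == RANSOM_NOTE:
            found["notes"].append(str(path))
        if name.lower() in PROCESS_NAMES:
            found["suspect_exes"].append(str(path))
        if path.suffix.lower() == ".exe":    # hash executables against the IOCs
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in IOC_SHA256:
                found["ioc_matches"].append(str(path))
    return found

def build_sample(root) -> Path:
    """Constructed victim-disk layout for a dry run (no real malware or data)."""
    root = Path(root)
    (root / "Pictures").mkdir(parents=True, exist_ok=True)
    (root / "Pictures" / "image.png.~xdata~").write_bytes(b"\x00" * 16)
    (root / "PC-TTT54M#45CD.key.~xdata~").write_bytes(b"\x01" * 16)
    (root / RANSOM_NOTE).write_text("Your IMPORTANT FILES WERE ENCRYPTED ...")
    (root / "mssql.exe").write_bytes(b"MZ placeholder, not the real sample")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample(tmp)))
```

A hit in suspect_exes or ioc_matches on a production host is the strongest signal; the placeholder mssql.exe in the dry run is deliberately not a hash match, so only the name-based buckets fire.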

Image credits: MalwareHunter