XData Ransomware

The XData Ransomware is a brand new file-encryption Trojan that, unfortunately, has already managed to strike tens of victims across the globe. The XData Ransomware’s attack involves the full encryption of the majority of the files stored on the victim’s machine, making it impossible for victims to access their important documents, images, audio files, databases, archives, and other files that are likely to contain important information. After the encryption of the victim’s data is complete, the XData Ransomware provides a ransom message telling users how they can get their data back. Unfortunately, this is not free, and even if users follow the instructions, there’s no guarantee that they’ll get their files back in the end. According to the XData Ransomware’s message, victims must immediately contact one of the e-mail addresses seen in the message and send the file ‘[VICTIM ID].key.~xdata~,’ which may be stored in several system folders. However, users who complete this step will not get decryption instructions in return. Instead, they might be asked to pay a hefty ransom fee that may be well above 1 BTC.

‘Your important files were encrypted on this computer: documents, databases, photos, videos, etc.
Encryption was prodused using unique public key for this computer.
To decrypt files, you need to obtain private key and special tool.
To retrieve the private key and tool find your pc key file with ‘.key.~xdata~’ extension.
Depending on your operation system version and personal settings, you can find it in:
‘C:/’,
‘C:/ProgramData’,
‘C:/Documents and settings/All Users/Application Data’,
‘Your Desktop’
folders (eg. ‘C:/PC-TTT54M#45CD.key.~xdata~’).
Then send it to one of following email addresses:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Your ID: ******
Do not worry if you did not find key file, anyway contact for support.’

The exact attack vector that the XData Ransomware uses is currently unknown, but crypto-threat authors usually rely on similar propagation methods: spam e-mails, fake downloads, corrupted macro-laced documents and exploit kits. In recent days we have also heard of the EternalBlue exploit, part of the NSA hacking toolkit, but it is unlikely that the XData Ransomware relies on it to spread.

Victims of the XData Ransomware might be able to recognize the source of the attack by looking at the names of the files they’ve lost. When the XData Ransomware carries out its attack, it will append the ‘.~xdata~’ extension to the end of the name of all locked files (e.g. ‘photo.png’ will be renamed to ‘photo.png.~xdata~’). The message the XData Ransomware brings is stored in a text file with the name ‘HOW_CAN_I_DECRYPT_MY_FILES.txt.’ The instructions include five e-mails that can be used to contact the attackers – [email protected], [email protected], [email protected], [email protected], [email protected] and [email protected].
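The file names described above can be turned into a read-only triage pass that inventories locked files, the ransom note and the ‘.key.~xdata~’ key file, so the key file can be located and copied aside before any cleanup. This is an added example, not part of the original post; the function names, the case-insensitive matching and the sample tree (empty files built from the names quoted on this page plus constructed ones) are assumptions.

```python
import os
import tempfile
from collections import Counter

LOCKED_SUFFIX = ".~xdata~"             # appended to every locked file
KEY_SUFFIX = ".key.~xdata~"            # '[VICTIM ID].key.~xdata~'
NOTE_NAME = "HOW_CAN_I_DECRYPT_MY_FILES.txt"

def classify(filename):
    """Return 'key', 'locked', 'note' or None for a bare file name."""
    lower = filename.lower()           # assumption: match case-insensitively
    if lower.endswith(KEY_SUFFIX):     # test first: key files also end in .~xdata~
        return "key"
    if lower.endswith(LOCKED_SUFFIX):
        return "locked"
    if lower == NOTE_NAME.lower():
        return "note"
    return None

def triage(root):
    """Walk root and inventory XData artefacts without modifying anything."""
    report = {"key": [], "note": [], "locked": [], "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            if kind == "locked":
                # original name = locked name minus the appended suffix
                report["locked"].append((path, name[:-len(LOCKED_SUFFIX)]))
                report["by_dir"][dirpath] += 1
            else:
                report[kind].append(path)
    return report

def build_sample_tree(root):
    """Create a constructed sample tree of empty files for the demo."""
    names = ["PC-TTT54M#45CD.key.~xdata~", NOTE_NAME,
             os.path.join("docs", "photo.png.~xdata~"),
             os.path.join("docs", "report.docx.~xdata~"),
             os.path.join("docs", "untouched.txt")]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = triage(tmp)
        print(len(r["locked"]), "locked files; key files:", r["key"])
```

The per-directory counts in `by_dir` show which folders were hit hardest, which helps scope what has to be restored from backup.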

Sadly, the XData Ransomware appears to use a very reliable encryption routine, and a free decryptor is not available at the moment. While this is worrying news, we don’t advise victims of the XData Ransomware to consider paying money to the perpetrators of the attack. Even if their demands are fulfilled, there’s no guarantee that paying victims will receive decryption instructions. The best thing to do if you are a victim of the XData Ransomware is to run an anti-malware program to eliminate the threatening software.



This post first appeared on SpywareRemove.
