XData ransomware By Will Wisser Posted on May 19, 2017 1 min read 0 9,000 New ransomware called XData is rapidly making the rounds, so take precautions to avoid it and learn how to decrypt .~xdata~ files if the attack has occurred. Security analysts are accustomed to recurrent ransomware outbreaks, but few crypto infections spread like wildfire. The aggressive strain dubbed XData, which surfaced on May 18, 2017, has managed to make hundreds of victims in less than one day, only giving in to the prolific Cerber ransomware in terms of gross prevalence. Its propagation was originally isolated to Ukraine, but this geographic restriction might well be a test run preceding a global cyber epidemic. The indicators of compromise include the .~xdata~ or .xdata extension appended to victims’ filenames, as well as a plaintext ransom note named HOW_CAN_I_DECRYPT_MY_FILES.txt. The latter is dropped into every folder with enciphered files, and a copy will also appear on the desktop to make sure the plagued user won’t overlook it. HOW_CAN_ID_DECRYPT_MY_FILES.txt ransom note by XData virus The how-to document provided by XData ransomware conveys the following warning message, “Your important files were encrypted on this computer: documents, databases, photos, videos, etc. Encryption was produced using unique public key for this computer. To decrypt files, you need to obtain private key and special tool.” In a nutshell, the recovery routine boils down to finding what’s called the “key PC file”, which has the .key.~xdata~ extension, and then sending it to one of the email addresses indicated in the attackers’ manual (email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org). According to the note, this victim-specific file token may be located in ProgramData, Application Data, or Desktop directories. Files ransomed by XData and decryption how-to in the same folder The XData virus uses AES symmetric cipher to prevent infected users from accessing their valuable information. What it means is that recovery is pretty much a no-go without a secret chunk of data referred to as the decryption key. The problem is, the attackers are the only ones who have it, so they drag victims into an uncomforting covenant: redeem the unique key and decryption tool for a specified amount of cryptocurrency. The size of the ransom tends to range from 0.1 to 1 BTC, depending on the volume of hostage data and whether it’s a single PC or a business network that got compromised. The threat actors specify this sum and provide the Bitcoin wallet address in an email response, that is, after the infected user sends them the .key.~xdata~ file. XData is distributed via a classic ransomware delivery technique. Its malevolent payload is masqueraded as a benign-looking document attached to spam. The subjects of these rogue emails may be anything from invoices and job offers to missed delivery reports. Once an unsuspecting recipient opens one of these files, the infection chain starts behind their back. The rest of the attack is a matter of seconds. Having scanned the hard disk and network drives for personal data and applied the AES cryptosystem, the Trojan concatenates the .xdata or .~xdata~ suffix to all of these entries. It doesn’t scramble the original filenames along the way, so a sample spreadsheet called Schedule.xlsx will most likely morph into Schedule.xlsx.~xdata~. A big hurdle to file recovery in the XData attack scenario is that the ransomware implements the cipher professionally and doesn’t store the unlock key anywhere on the target computer. Meanwhile, the plague keeps running rampant in Ukraine, and the security community has yet to see where this campaign will be heading further. One way or another, the best way to defang the XData virus is to follow safe online practices, exercise a great deal of caution with incoming malspam, and have a plan B that revolves around file backups.