Avast releases a new ransomware decryption tool for XData ransomware.
XData ransomware was discovered mid-May and now, two weeks later, we have released a free decryption tool for victims hit by XData ransomware that they can use to decrypt their data.
XData shares some similarities with the WannaCry ransomware that spread around the world. XData started spreading shortly after the WannaCry outbreak and has also been infecting machines by taking advantage the EternalBlue exploit.
The spreading of XData was definitely not as massive as WannaCry, but it still made an impact. As originally reported by the MalwareHunterTeam, it mainly targeted users in the Ukraine.
Here are stats of blocked XData attacks on our userbase:
Stats from 2017-05-18 to 2017-05-31
Taking a closer look at XData’s code, we found that it is almost identical to another recent ransomware strain called AES_NI, for which we also have a free decryption tool. This code similarity is not an accident. AES_NI’s code has been allegedly stolen from its authors by the operators of XData.
After infecting a machine, XData adds the ".~xdata~" extension to the encrypted files and drops the payment instructions in files named "HOW_CAN_I_DECRYPT_MY_FILES.txt".
Additionally, the ransomware creates a key file with a name similar to:
[PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-#-20175267812-78.key.xdata in the following folders:
To further copy AES_NI’s authors, who released the decryption key last week, the criminals behind XData also released their decryption key yesterday.
A special thanks goes to my colleague Ladislav Zezula for preparing this decryptor.
Three tips to start your new year with a faster, cleaner computer.
This simple New Year’s resolution could save you hours—even months—of complication and heartache next year and beyond.