Avast releases a new ransomware decryption tool for XData ransomware.
XData ransomware was discovered mid-May and now, two weeks later, we have released a free decryption tool for victims hit by XData ransomware that they can use to decrypt their data.
XData shares some similarities with the WannaCry ransomware that spread around the world. XData started spreading shortly after the WannaCry outbreak and has also been infecting machines by taking advantage the EternalBlue exploit.
The spreading of XData was definitely not as massive as WannaCry, but it still made an impact. As originally reported by the MalwareHunterTeam, it mainly targeted users in the Ukraine.
Here are stats of blocked XData attacks on our userbase:
Stats from 2017-05-18 to 2017-05-31
Taking a closer look at XData’s code, we found that it is almost identical to another recent ransomware strain called AES_NI, for which we also have a free decryption tool. This code similarity is not an accident. AES_NI’s code has been allegedly stolen from its authors by the operators of XData.
After infecting a machine, XData adds the ".~xdata~" extension to the encrypted files and drops the payment instructions in files named "HOW_CAN_I_DECRYPT_MY_FILES.txt".
Additionally, the ransomware creates a key file with a name similar to:
[PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-#-20175267812-78.key.xdata in the following folders:
To further copy AES_NI’s authors, who released the decryption key last week, the criminals behind XData also released their decryption key yesterday.
A special thanks goes to my colleague Ladislav Zezula for preparing this decryptor.
Avast now offers ransomware victims 20 free decryption tools to help them get their files back.
PC gamers don’t want online threats, but also don’t want slowdowns or distractions. I gave Avast 2017 a test-drive to see if Game Mode delivers.