Avast releases a new ransomware decryption tool for XData ransomware.
XData ransomware was discovered in mid-May and now, two weeks later, we have released a free decryption tool that victims of XData can use to decrypt their data.
XData shares some similarities with the WannaCry ransomware that spread around the world. XData started spreading shortly after the WannaCry outbreak and has also been infecting machines by taking advantage of the EternalBlue exploit.
The spreading of XData was definitely not as massive as WannaCry, but it still made an impact. As originally reported by the MalwareHunterTeam, it mainly targeted users in the Ukraine.
Here are stats of blocked XData attacks on our userbase:
Stats from 2017-05-18 to 2017-05-31
Taking a closer look at XData’s code, we found that it is almost identical to another recent ransomware strain called AES_NI, for which we also have a free decryption tool. This code similarity is not an accident: AES_NI’s code was allegedly stolen from its authors by the operators of XData.
After infecting a machine, XData adds the ".~xdata~" extension to the encrypted files and drops the payment instructions in files named "HOW_CAN_I_DECRYPT_MY_FILES.txt".
Additionally, the ransomware creates a key file with a name similar to:
[PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-#-20175267812-78.key.xdata in the following folders:
To further copy AES_NI’s authors, who released the decryption key last week, the criminals behind XData also released their decryption key yesterday.
A special thanks goes to my colleague Ladislav Zezula for preparing this decryptor.
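The file-name indicators described above (the ".~xdata~" extension, the "HOW_CAN_I_DECRYPT_MY_FILES.txt" note and the ".key.xdata" key file) are enough to triage which directories were hit and to locate the key file. The following Python script is an added example, not part of the Avast decryptor; the key-file regex is an assumption generalised from the single sample name above, and the directory tree in `demo()` is constructed.

```python
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".~xdata~"                     # extension named in the post
RANSOM_NOTE = "how_can_i_decrypt_my_files.txt"    # note name from the post, lowercased
# Assumption: pattern generalised from the one sample key-file name in the post:
# <PC_NAME>#<32 hex chars>-#-<digits>-<digits>.key.xdata
KEY_FILE_RE = re.compile(r"^.+?#[0-9A-F]{32}-#-\d+-\d+\.key\.xdata$", re.I)
SAMPLE_KEY = "[PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-#-20175267812-78.key.xdata"

def classify(name):
    """Return 'key', 'note', 'encrypted' or None for a bare file name."""
    if KEY_FILE_RE.match(name):
        return "key"
    if name.lower() == RANSOM_NOTE:
        return "note"
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    return None

def scan(root):
    """Walk root; return (Counter of kinds, key-file paths, affected directories)."""
    counts, keys, dirs = Counter(), [], set()
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            kind = classify(name)
            if kind:
                counts[kind] += 1
                dirs.add(dirpath)
            if kind == "key":
                keys.append(os.path.join(dirpath, name))
    return counts, sorted(keys), sorted(dirs)

def demo():
    """Scan a constructed directory tree (file names made up for this example)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.docx.~xdata~", "photo.jpg.~xdata~", "untouched.txt",
                     "HOW_CAN_I_DECRYPT_MY_FILES.txt", SAMPLE_KEY):
            open(os.path.join(docs, name), "w").close()
        counts, keys, dirs = scan(root)
        return dict(counts), [os.path.basename(k) for k in keys], len(dirs)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `scan()` on a mounted copy of the affected volume rather than the live system so the triage does not alter file timestamps.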