XData targets the Windows operating system, and its distribution method is currently unknown. Once a system is infected, XData scans for files on local drives and unmapped network shares. It uses the AES encryption algorithm, appends .~xdata~ to the names of encrypted files, and drops a ransom note named HOW_CAN_I_DECRYPT_MY_FILES.txt. Other files that XData creates on infected systems include: mssql.exe, msdns.exe, msdcom.exe, and mscomrpc.exe. Email addresses associated with this campaign include: begins@colocasia.org, bilbo@colocasia.org, frodo@colocasia.org, trevor@thwonderfulday.com, bob@thwonderfulday.com, bil@thwonderfulday.com.
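The file-name indicators above can be swept for during triage. The following is an added example, not code from the NJCCIC or any vendor; the function names and the sample directory tree are constructed for illustration, and only the extension, ransom note name, and executable names come from this profile.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the profile above.
ENCRYPTED_SUFFIX = ".~xdata~"
RANSOM_NOTE = "how_can_i_decrypt_my_files.txt"
DROPPED_NAMES = {"mssql.exe", "msdns.exe", "msdcom.exe", "mscomrpc.exe"}


def classify(filename):
    """Return the indicator category for a file name, or None."""
    name = filename.lower()  # Windows file names are case-insensitive
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name in DROPPED_NAMES:
        return "dropped_binary"  # name match only: a lead to triage, not proof
    return None


def sweep(root):
    """Walk root and return {category: [paths]} plus unreadable directories."""
    hits = defaultdict(list)
    # os.walk skips unreadable directories silently unless onerror records them.
    for dirpath, _dirs, files in os.walk(
            root, onerror=lambda e: hits["unreadable"].append(e.filename)):
        for f in files:
            category = classify(f)
            if category:
                hits[category].append(os.path.join(dirpath, f))
    return dict(hits)


def build_sample_tree(root):
    """Constructed sample data: empty files named like the indicators."""
    layout = ["docs/report.docx.~xdata~", "docs/HOW_CAN_I_DECRYPT_MY_FILES.txt",
              "docs/notes.txt", "temp/msdns.exe", "temp/setup.exe"]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for category, paths in sorted(sweep(tmp).items()):
            print(category, len(paths), paths)
```

Directories reported under "unreadable" were not inspected and should be rechecked with sufficient privileges before a host is cleared.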

XData was discovered on May 19, 2017, by malware researchers who expressed concern that this campaign could be a successor to WannaCry, as it quickly impacted hundreds of computers across Ukraine and began infecting victims in Russia, Germany, and Estonia.

This profile will be updated as more information becomes available and the NJCCIC will send out an alert to members should the XData ransomware campaign begin to pose a threat to New Jersey and the United States.

  • Bleeping Computer provides more information about XData here.
  • Avast provides a free decryption tool for XData, available here.

Media Reporting:

  • In WannaCry's Wake, a New Rapidly Spreading Ransomware Attack Appeared Today (Gizmodo)
  • Another Ransomware Nightmare Could Be Brewing In Ukraine (Wired)


Image Source: Bleeping Computer