.xdata file extensions next to your files signal some serious trouble

The appearance of .xdata file extension causes havoc

Starting in the middle of May, thousands of people turned on their computers only to find their files inaccessible and marked with an unfamiliar .xdata extension.

This havoc started soon after the major WannaCry virus outbreak, which paralyzed the work of numerous institutions worldwide and allowed the virus creators to accumulate a considerable fortune.[1] Naturally, the thought that their devices could have been targeted by this infamous parasite must have crossed people’s minds. Nevertheless, what really hit their computers was something quite different.

After examining the submitted samples, experts were quick to determine that it was an entirely new ransomware strain called XData. At one point, the malware was spreading so rapidly that it ranked second in the list of the most active ransomware, surpassed only by the absolute ransomware leader, the Cerber4 virus.[2]

Unlike WCry, XData was not aiming for a worldwide attack but was specifically focused on Ukraine. According to the statistics, 93% of all ransomware attacks were reported from this particular country. It took a couple of weeks for security researchers to comprehend and decode the virus. The Avast team was the first to release an XData decryptor. But the parasite has not been defeated. It can still be found spreading on some insecure parts of the web.[3]

XData employs the same exploit as WannaCry

When XData sneaks into your system, you most likely won’t notice anything suspicious. Here, XData shares its practices with WannaCry and employs the EternalBlue exploit for breaking into computers.[4] This infiltration technique ensures that the malware carries out all of its predetermined processes uninterrupted.

Only after it has finished encrypting files with a military-grade algorithm does it show itself to the victim. Apart from appending the .xdata extension to filenames, the virus also drops a ransom note called HOW_CAN_I_DECRYPT_MY_FILES.txt in all affected folders. This is a document where the virus creators can supply victims with information about the attack and data recovery options.

In this case, the sum extortionists demand for the private decryption key is established individually, depending on the volume and significance of the encrypted files.
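The two indicators named above (the .xdata extension and the HOW_CAN_I_DECRYPT_MY_FILES.txt note) are enough to scope which folders were hit before attempting recovery. The following triage script is an added example, not code from the article or from any vendor; the function names and the sample folder layout are assumptions made for illustration.

```python
import os
import tempfile

# Indicators named in the article; both are matched case-insensitively.
ENCRYPTED_SUFFIX = ".xdata"
RANSOM_NOTE = "how_can_i_decrypt_my_files.txt"

def scan_tree(root):
    """Return ({folder: {"encrypted": [names], "note": bool}}, unreadable_folders)
    for every folder under root that shows at least one indicator."""
    hits, unreadable = {}, []
    # Record folders that cannot be listed instead of silently skipping them.
    on_error = lambda err: unreadable.append(err.filename)
    for folder, _dirs, files in os.walk(root, onerror=on_error):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX))
        note = any(f.lower() == RANSOM_NOTE for f in files)
        if encrypted or note:
            hits[folder] = {"encrypted": encrypted, "note": note}
    return hits, unreadable

def summarize(hits):
    """Totals for an incident ticket, plus folders where only one indicator appears."""
    return {
        "folders": len(hits),
        "encrypted_files": sum(len(h["encrypted"]) for h in hits.values()),
        # Note present but nothing encrypted: files may have been moved or restored.
        "note_only": sorted(d for d, h in hits.items() if h["note"] and not h["encrypted"]),
        # Encrypted files without a note: the note may have been deleted during cleanup.
        "files_only": sorted(d for d, h in hits.items() if h["encrypted"] and not h["note"]),
    }

def build_sample_tree(base):
    """Constructed sample data: empty placeholder files, no real malware output."""
    layout = {
        "docs": ["report.docx.xdata", "budget.xlsx.XDATA", "HOW_CAN_I_DECRYPT_MY_FILES.txt"],
        "photos": ["cat.jpg.xdata"],
        "empty_share": ["HOW_CAN_I_DECRYPT_MY_FILES.txt"],
        "clean": ["notes.txt", "xdata_readme.md"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub))
        for name in names:
            open(os.path.join(base, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits, unreadable = scan_tree(tmp)
        for folder, h in sorted(hits.items()):
            print(folder, len(h["encrypted"]), "encrypted,", "note" if h["note"] else "no note")
        print(summarize(hits), "unreadable:", unreadable)
```

Run it against a mounted copy or backup of the affected volume rather than the live system, and keep the resulting folder list with the incident record.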

XData decryptor is ready for use

Luckily, XData victims no longer need to unwillingly support cybercriminals just to regain access to their files. When infected with the ransomware, they can obtain the XData Decryptor from the official Avast download page. Ideally, though, it is best to prevent such attacks in the first place. You should update your software and operating system regularly, as well as invest in a reliable antivirus suite.

Ugnius Kiguolis