XData ransomware starts wreaking havoc

Ransomware

The dust hasn’t even settled around WannaCry, another ransomware appears. This one was detected by ESET and identified as Win32/Filecoder.AESNI.C.

Security researchers dubbed it XData ransomware. It appears mostly in Ukraine (96 percent of cases). The outbreak seems to have started on May 17, reaching its peak on May 19.

ESET says that it has been tracking the malware since early December last year, when the version Win32/Filecoder.AESNI.A first appeared. Some decryption keys for this variant have been published on the BleepingComputer.com forum.

This ransomware seems to be going around through a Ukranian document automation system used in accounting. ESET says the infection ration is still low, which probably means infection requires "some kind of social engineering." It is still too early to tell, though.

After infecting a computer, the main files drops a legitimate system utility -- SysInternals PsExec -- and executes the ransomware sample (Win32/Filecoder.AESNI.C.).

The ransomware has the potential of infecting the entire network, ESET adds: "To do so, it uses the Mimikatz tool to extract admin credentials and then uses them to run copy of itself on all computers in the internal network."

Spreading admin and user accounts would prevent much of the damage, ESET says, as XData ransomware misuses admin passwords if run on accounts with admin privileges.

"Without admin privileges, XData is only able to infect one computer instead of the whole network."

To protect yourself, you need a security solution using multiple protection layers. Make sure you keep your OS up to date, and back up your files on a remote hard disk. And don’t forget not to download or open shady attachments!

Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.

Photo Credit: Carlos Amarillo/Shutterstock

Comments are closed.

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.