The XData ransomware virus was detected yesterday, on the 18th of May. XData is a ransomware that functions as a file encoder. According to analysis of the msdcom.exe payload, this particular sample could be distributed together with a heuristically detected Trojan ("Heur Trojan"), since many security tools flagged its potential presence. The encryption this infection applies to files is reported to use the AES algorithm. Researchers appear to have received reports from a few dozen users whose files were modified to carry the .xdata extension.
Characteristics of this ransomware
In the ransom note, victims are instructed to find a PC key file that should have the ".key.~data~" extension. It is said to be located somewhere on the C: drive, depending on the operating system. Each victim is treated individually, as unique ID numbers are handed out. There is enough evidence from earlier infections to suggest that the ransom amounts will differ. The fee might be set according to the number of encrypted documents, photos, videos and other types of digital files.
After that, the encoded files are no longer usable, since users will not be able to open them. It has become a prevailing trait of ransomware creators not to state the exact ransom in the .txt note, but to provide this information via email. Several email accounts are left in the HOW_CAN_I_DECRYPT_MY_FILES.txt file: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com.
The payload of the XData infection has been explicitly identified as the msdcom.exe file. Security researchers indicate that this is an unsolicited process; if it is running in your Task Manager, you should realize it serves no legitimate purpose. Previously, this potentially harmful process was placed on operating systems by the W32/SDBOT worm. Now the file has been chosen to extract additional executables and start the main task: file encryption. It also covers other procedures, such as adding entries to Windows registry keys and connecting to C&C servers.
Do not waste your time contacting the hackers via the indicated email addresses. The crooks will simply spell out the exact ransom and the bitcoin wallet it should be sent to. Even if you abide by their rules and send the required fee, you should not feel confident about getting your files back.
Ransomware authors have a tendency to vanish once their accounts are filled with bitcoins, which would mean you frittered away your money. Since there is no time limit for paying the ransom, you have all the time in the world to decrypt your files without fearing that they will be permanently destroyed.
How to recover files?
For the time being, an original decryptor has not been produced, but there is always a chance of one being released. Instead of paying the ransom, you should explore other options. For instance, Shadow Volume Copies could be untouched and their restoration might still be possible. Additionally, you could use software designed to recover data after it has been encoded. Both of these options are discussed in more detail after the paragraph about the distribution of ransomware.
However, if you have been cautious enough to store your files in backup storage, simply remove the infection and then continue with retrieving your data from that storage. To get rid of all traces of the malicious processes, you are recommended to use Reimage, Spyhunter or Hitman for the detection and removal of XData ransomware.
Potential methods of transmission of malicious payloads
Harmful executables can be delivered in email letters that arrive in your inbox. Such spam messages usually pretend to originate from respectable authorities, while in reality their creators are hackers. Do not download files included as attachments, since they are very likely to start various kinds of detrimental processes. Additionally, ransomware can arrive via vulnerable websites and tainted advertisements. Peer-to-peer sharing also plays a massive role in the distribution of Trojans.
Update of the 1st of June, 2017. An unknown source posted a functional master key for decrypting files that XData encrypted. Download the tool by clicking here. Before you actually start to recover files, you are advised to end the malicious processes that belong to this ransomware infection. This can be done manually: open your Task Manager and terminate the following processes: msdns.exe, mssql.exe, or mscom.exe. Only then should you download the decryptor and move on to the remaining steps.
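Before working through the manual steps, it helps to confirm which of the indicators described on this page are actually present on the machine. The following PowerShell triage script is an added example, not part of the original article or of any tool it recommends; it is read-only and assumes the note name, the .xdata extension, the .key.~data~ key file and the process names exactly as the article gives them.

```powershell
# Added triage script (not from the original article): report which XData indicators
# named on this page are present. Read-only: it reports and never kills or deletes.
$Root      = 'C:\'                                # the note says the key file is somewhere on C:
$NoteName  = 'HOW_CAN_I_DECRYPT_MY_FILES.txt'
$ProcNames = 'msdcom', 'msdns', 'mssql', 'mscom'  # process names the article lists, without .exe

# 1. Running processes by image name. The on-disk Path lets you tell a legitimate
#    binary that merely shares a name (e.g. a real SQL Server mssql.exe) from the payload.
$suspect = Get-Process | Where-Object { $ProcNames -contains $_.ProcessName }
if ($suspect) {
    $suspect | Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
} else {
    'No process matching the listed names is running.'
}

# 2. Files: encrypted data (.xdata), ransom notes, and the per-victim key file (.key.~data~).
$files     = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue
$encrypted = @($files | Where-Object Extension -eq '.xdata')
$notes     = @($files | Where-Object Name -eq $NoteName)
$keyFiles  = @($files | Where-Object Name -like '*.key.~data~')
'{0} .xdata files, {1} ransom notes, {2} key files' -f $encrypted.Count, $notes.Count, $keyFiles.Count
$keyFiles | Select-Object FullName, Length       # the note tells victims to locate this file; keep it

# 3. Encryption window: the first and last .xdata write times bracket the infection,
#    which shows which System Restore point or shadow copy predates it (Steps 1 and 3).
if ($encrypted.Count) {
    $sorted = $encrypted | Sort-Object LastWriteTime
    'Encryption ran from {0} to {1}' -f $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime
    # Where the damage is concentrated, most-hit folders first.
    $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell so that Get-Process can show paths for every process and the file walk is not cut short by permission errors.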
Automatic XData ransomware removal tools
How to recover XData ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer into Safe Mode with Command Prompt:
For Windows 7 / Vista / XP
- Start → Shutdown → Restart → OK.
- Press the F8 key repeatedly until the Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
For Windows 8 / 10
- Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore system files and settings.
- When the Command Prompt loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click "Next" in the window that appears.
- Select one of the available Restore Points dated before the XData virus infiltrated your system, then click "Next".
- To start System Restore, click "Yes".
Step 2. Complete removal of XData ransomware
Step 3. Restore XData ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually the XData virus tries to delete all available Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. You will now see all available copies of that particular file and the time at which each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export". Then choose where you want it to be stored.
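As a command-line alternative to Shadow Explorer, the shadow copies that survived can be enumerated and one of them exposed as an ordinary folder. The following PowerShell script is an added example, not part of the original article or of Shadow Explorer; it needs an elevated PowerShell on Windows 7 or later, and the cut-off date and mount path are constructed placeholders to be replaced with the infection time observed on the machine.

```powershell
# Added example (not from the original article): list surviving shadow copies and
# mount the newest pre-infection one read-only, as a CLI alternative to Shadow Explorer.
$copies = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $copies) {
    Write-Warning 'No shadow copies remain on this machine (the ransomware may have deleted them).'
    return
}

# Resolve each copy's volume GUID to a drive letter and list oldest-first, so a
# snapshot taken before the encryption started can be picked out.
$volumes = Get-CimInstance -ClassName Win32_Volume
$copies | ForEach-Object {
    $vol = $volumes | Where-Object DeviceID -eq $_.VolumeName
    [pscustomobject]@{ ID = $_.ID; Created = $_.InstallDate; Drive = $vol.DriveLetter; Device = $_.DeviceObject }
} | Sort-Object Created | Format-Table -AutoSize

# Constructed placeholder: replace with the earliest .xdata write time you observed.
$cutoff = Get-Date '2017-05-18'
$pick = $copies | Where-Object { $_.InstallDate -lt $cutoff } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $pick) {
    Write-Warning 'Every remaining snapshot post-dates the infection.'
    return
}

# Expose the snapshot as a directory symlink. mklink needs the trailing backslash on the
# device path. Files are copied out with Copy-Item; the snapshot itself is never modified.
$mount = 'C:\ShadowView'                          # constructed mount point
cmd /c mklink /d $mount "$($pick.DeviceObject)\" | Out-Null
Get-ChildItem $mount
# When finished:  cmd /c rmdir $mount   (removes only the link, not the snapshot)
```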
Step 4. Use Data Recovery programs to recover XData ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
- We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
- Download Data Recovery Pro (commercial).
- Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.