.XDATA Virus File Ransomware (Restore Files)

This article explains how to remove the XData ransomware and how to try to recover the files it has encrypted and renamed with the .~xdata~ extension.

HOW_CAN_I_DECRYPT_MY_FILES.txt is the ransom note by which an XData infection can be recognized. The malware is a file-encrypting ransomware: it uses the AES cipher to render the user's important files unreadable and appends the .~xdata~ suffix after each file's original extension, which is the most visible sign that a computer has been infected. If your computer shows these symptoms, read the following article thoroughly before acting.

Threat Summary

Name: XDATA
Type: Ransomware
Short Description: Encrypts files on the infected computer and demands that the victim pay a hefty ransom fee to retrieve them.
Symptoms: Slow computer performance; files no longer openable and renamed with an added .~xdata~ extension; a ransom note file named HOW_CAN_I_DECRYPT_MY_FILES.txt.
Distribution Method: Via an exploit kit, a malicious DLL, malicious JavaScript, or a drive-by download of the obfuscated malware itself.

XData Ransomware – Distribution

Ransomware such as XData is commonly spread through spam e-mail messages that contain:

  • Malicious web links.
  • Malicious e-mail attachments.

These messages typically carry deceptive instructions to open the attachment or follow the link, presenting it as a legitimate document of some sort.

Other ways in which XData may reach a system are fake software updates, browser redirects caused by adware already present on the computer, trojanized software installers, and fake key generators or license activators uploaded online.

XData Ransomware – More Information

Once it has infected a system, the ransomware drops the following malicious files:

  • msaddc.exe
  • mscomrpc.exe
  • msdcom.exe
  • msdns.exe
  • mssecsvc.exe
  • mssql.exe

After the files are dropped, the malware may execute them in an obfuscated manner to evade antivirus detection. Note that the file names are chosen to look like Microsoft components, so an executable with one of these names should be judged by its location and digital signature rather than by its name. XData also sets up persistence through registry values under the Run and RunOnce sub-keys, which launch the malicious executable at every logon (Run) or at the next logon only (RunOnce):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
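The following is an added example, not code from the original article and not the malware's own code. It sweeps the four Run/RunOnce keys listed above, read-only, for values whose command line references one of the six file names above, and reports whether the referenced file exists and whether it carries a valid Authenticode signature. Run it in an elevated PowerShell on the suspect machine; the helper name Get-ImagePath is this example's own.

```powershell
# Added example: read-only persistence check for the Run/RunOnce values XData uses.
# Assumption: run elevated on the suspect host so HKLM and the current user's HKCU are both readable.

$suspectNames = @('msaddc.exe', 'mscomrpc.exe', 'msdcom.exe', 'msdns.exe', 'mssecsvc.exe', 'mssql.exe')

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$CommandLine) {
    # First token of a command line: either a quoted path or the run up to the first space.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+', 2)[0]
}

$hits = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata, not registry values
        $cmd     = [string]$prop.Value
        $matched = @($suspectNames | Where-Object { $cmd -like "*$_*" })
        if ($matched.Count -eq 0) { continue }

        $image  = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $cmd))
        $exists = ($image -ne '') -and (Test-Path -LiteralPath $image)
        # The names imitate Microsoft binaries; the signature status is what actually tells them apart.
        $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $image).Status } else { 'n/a' }

        [pscustomobject]@{
            Key       = $key
            ValueName = $prop.Name
            Command   = $cmd
            Matched   = ($matched -join ',')
            Exists    = $exists
            Signature = $sig
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize -Wrap
    # Export the key first (reg export ...), then remove the value by dropping -WhatIf:
    # $hits | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.ValueName -WhatIf }
} else {
    'No Run/RunOnce values reference the listed executables.'
}
```

A value whose Signature column reads NotSigned or HashMismatch, pointing outside C:\Windows\System32, is the one to act on; a genuinely signed Microsoft binary that happens to share a name is not. Removing the value only stops the launch at logon, so the executable it points to and the running process still need to be dealt with separately.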

After the registry entries are created, XData may launch the Windows Command Prompt with administrative privileges and run the following commands. The `process call create "cmd.exe /c ...` form is the WMIC process-creation syntax, so cmd.exe is spawned through WMI rather than directly; the three commands it carries delete all Volume Shadow Copies silently, disable Windows' automatic startup repair and suppress the boot-failure screen, so that the victim cannot roll the system or the files back:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
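The following is an added example, not part of the original article. It checks whether the three changes above have already happened on a host (no shadow copies left, recovery disabled, boot failures ignored), reverts the two bcdedit settings, and, where process command-line auditing is enabled, looks up who issued the commands. Run it from an elevated PowerShell; the seven-day window is an assumption.

```powershell
# Added example: detect and revert XData's shadow-copy and boot-configuration tampering.
# Assumption: run elevated; Security event 4688 only carries the command line if
# "Include command line in process creation events" is enabled by policy.

# 1. Are there any Volume Shadow Copies left?
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
"Shadow copies present: {0}" -f @($shadows).Count

# 2. Boot settings of the default entry. Braces are quoted so PowerShell does not parse a script block.
$bcd         = bcdedit /enum '{default}' 2>&1 | Out-String
$recoveryOff = $bcd -match 'recoveryenabled\s+No'
$ignoreFail  = $bcd -match 'bootstatuspolicy\s+IgnoreAllFailures'
"recoveryenabled set to No          : $recoveryOff"
"bootstatuspolicy IgnoreAllFailures : $ignoreFail"

# 3. Revert. These only govern Windows Recovery Environment behaviour on a failed boot,
#    so restoring them is safe on a machine that still boots.
if ($recoveryOff) { bcdedit /set '{default}' recoveryenabled yes }
if ($ignoreFail)  { bcdedit /set '{default}' bootstatuspolicy displayallfailures }

# 4. Who ran it? Search process-creation events for the two command lines.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin\.exe.*delete shadows|bcdedit\.exe.*(recoveryenabled|bootstatuspolicy)' } |
    Select-Object TimeCreated, Id,
        @{ n = 'CommandLine'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line' }) -join ' ' } } |
    Format-Table -Wrap
```

A shadow-copy count of zero is also normal on a machine where System Protection was never turned on, so it is evidence only together with the bcdedit findings or the event-log hits. If Sysmon is installed, the same search against the Microsoft-Windows-Sysmon/Operational log with Id 1 gives the command line without depending on the 4688 policy setting.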

Finally, the ransomware drops its ransom note, named HOW_CAN_I_DECRYPT_MY_FILES.txt:

“Your important files were encrypted on this computer: documents, databases, photos, videos, etc.
Encryption was prodused using unique public key for this computer.
To decrypt files, you need to obtain private key and special tool.
To retrieve the private key and tool find your pc key file with ‘.key.~xdata~’ extension.
Depending on your operation system version and personal settings, you can find it in:
‘C:/’,
‘C:/ProgramData’,
‘C:/Documents and settings/All Users/Application Data’,
‘Your Desktop’
folders (eg.).
Then send it to one of following email addresses:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Your ID:
Do not worry if you did not find key file, anyway contact for support.”

XData Ransomware – Encryption Process

For the encryption process, XData uses the AES cipher. AES is a symmetric algorithm: the same key that was used to encrypt a file is required to decrypt it. According to the ransom note, that key material is in turn locked with a public key unique to the infected computer, so only the criminals, who hold the matching private key, can recover it; this is why the note asks for the per-machine .key.~xdata~ file. The virus targets a wide range of file types, such as the following:

→ Images: .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .BMP .DDS .GIF .JPG
Spreadsheets and databases: .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .SDF
Executables and scripts: .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF
Game files: .DEM .GAM .NES .ROM .SAV
CAD files: .DWG .DXF
GIS files: .GPX .KML .KMZ
Web files: .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML
Documents: .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded files: .HQX .MIM .UUE
Archives and disk images: .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .TAR
Other data: .TAX2014 .TAX2015 .VCF .XML
Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D files: .3DM .3DS .MAX .OBJ
Plugins, fonts and system files: .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
Source: fileinfo.com

After the encryption process is complete, XData appends the .~xdata~ extension to each encrypted file, after the original extension. A document named Report.docx, for example, becomes Report.docx.~xdata~, so the original file type is still visible in the name even though the content can no longer be opened.

Remove XData Ransomware and Restore Encrypted Files

Even though paying the ransom demanded by the crooks may seem tempting, it is advisable not to, for two reasons:

  • You fund the criminals' further development and distribution of their malware.
  • You may not get your files back even after paying.

This is why experts recommend following these steps:

1. Back up your data, even though it is encrypted; a decryptor may become available later, and any recovery attempt should be made on copies.
2. Remove XData ransomware by following the instructions below. Experts strongly advise using an advanced anti-malware tool for this purpose.
3. Try to restore the files using the alternative file-recovery methods in step "3. Restore files encrypted by XDATA" below.
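The following is an added example, not part of the original article. It carries out step 1 above and ties it to the renaming described in the encryption section: it inventories every .~xdata~ file, recovers the original extension from each name to show what was hit, locates the per-machine .key.~xdata~ file and the ransom notes, and copies all of it, folder layout intact, to a backup location. Apart from the copy it is read-only. The search root and backup path are assumptions; point $BackupRoot at an external or offline drive.

```powershell
# Added example: inventory and preserve XData's encrypted files, key file and ransom notes.
# Assumptions: C:\ is the only affected volume; E:\ is a separate, clean drive with enough space.

$Roots      = @('C:\')            # assumption: add further drives or shares that were reachable from this host
$BackupRoot = 'E:\xdata_backup'   # assumption: external or offline destination

$enc = Get-ChildItem -Path $Roots -Recurse -File -Filter '*.~xdata~' -ErrorAction SilentlyContinue

# The original name is everything before the appended suffix: Report.docx.~xdata~ -> Report.docx
$summary = $enc | ForEach-Object {
    $orig = $_.Name -replace '\.~xdata~$', ''
    [pscustomobject]@{
        Encrypted = $_.FullName
        Original  = $orig
        Ext       = [System.IO.Path]::GetExtension($orig).ToLower()
        Bytes     = $_.Length
    }
}

# What was hit, by original extension, largest share first.
$summary | Group-Object Ext | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'MB'; e = { [math]::Round(($_.Group | Measure-Object -Property Bytes -Sum).Sum / 1MB, 1) } } |
    Format-Table -AutoSize

# The ransom note says the key file lives in C:\, C:\ProgramData, All Users\Application Data or on the Desktop;
# searching the whole root covers all of those.
$keyFiles = @($enc | Where-Object { $_.Name -like '*.key.~xdata~' })
$notes    = @(Get-ChildItem -Path $Roots -Recurse -File -Filter 'HOW_CAN_I_DECRYPT_MY_FILES.txt' -ErrorAction SilentlyContinue)

# Preserve, do not repair: copy encrypted files, key file(s) and notes, keeping the folder layout.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
foreach ($f in @($enc) + $notes) {
    $rel  = $f.FullName -replace '^[A-Za-z]:\\', ''
    $dest = Join-Path $BackupRoot $rel
    New-Item -ItemType Directory -Path (Split-Path -Path $dest) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $dest
}

"Encrypted files: {0}; key files: {1}; ransom notes: {2}; copied to {3}" -f @($enc).Count, $keyFiles.Count, $notes.Count, $BackupRoot
```

Keep the key file with the backup: without it, a future decryptor that needs the per-machine key material has nothing to work with. Do the copy before running any removal or recovery tool, since both can delete or alter the encrypted files and the notes.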

Manually delete XDATA from your computer

Note: manual removal of XDATA involves editing system files and the registry and can damage the system if done carelessly. If you are not comfortable with that, a malware removal tool can perform the removal for you.

1. Boot your PC in Safe Mode to isolate and remove XDATA files and objects
2. Find malicious files created by XDATA on your PC
3. Fix registry entries created by XDATA on your PC

Automatically remove XDATA by downloading an advanced anti-malware program

1. Remove XDATA with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by XDATA in the future
3. Restore files encrypted by XDATA
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
