.XDATA Virus File Ransomware (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

.XDATA Virus File Ransomware (Restore Files)


This article aims to help you remove XData ransomware and try to decrypt the files encrypted with the .~xdata~ file extension.

HOW_CAN_I_DECRYPT_MY_FILES.txt is the ransom note by which the XData malware strain can be recognized. The malware is of the file-encryption type, meaning that it uses the AES encryption algorithm to render the important files on the user's computer no longer openable. The .xdata file suffix is also appended to the files after their original extension, as a sign that the computer has been infected. In case your computer has been infected by the .xdata file virus, we advise you to read the following article thoroughly.

Threat Summary



Short Description: Encrypts files on the infected computers, demanding victims to pay a hefty ransom fee to retrieve them.

Symptoms: Slow computer performance, files no longer openable with an added .~xdata~ file extension. A ransom note file, named HOW_CAN_I_DECRYPT_MY_FILES.txt.

Distribution Method: Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.

XData Ransomware – Distribution

Ransomware viruses like the XData infection can be spread with the aid of e-mail spam messages which contain:

  • Malicious web links.
  • Malicious e-mail attachments.

These e-mail messages usually contain deceitful instructions to open the attachment or click on the web link, making it seem to the user that it is a legitimate document of some sort.

Other methods by which XData ransomware could infect computer systems are via fake updates, malicious browser redirects as a result of adware on the computer, infected installers of software or fake key generators or license activators uploaded online.

XData Ransomware – More Information

After an infection has occurred, the ransomware drops the following malicious files:

  • msaddc.exe
  • mscomrpc.exe
  • msdcom.exe
  • msdns.exe
  • mssecsvc.exe
  • mssql.exe

After the files are dropped, the virus may execute them in an obfuscated manner without being detected by any antivirus program. This may result in XData ransomware leaving behind malicious registry values on the user's computer. The registry keys that are targeted are the Run and RunOnce sub-keys, which are responsible for running the malicious executable on system boot:


After the registry entries are created, the XData ransomware infection may execute Windows Command Prompt as an administrator and run the following commands to delete the shadow copies:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
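
The commands listed above can be looked for in process-creation logs. The following is an added example, not code from the original article: a Python matcher run over constructed (host, command line) pairs. The rule names, host names and severity labels are assumptions of this example.

```python
import re

# One rule per recovery-inhibition command listed in the article.
# Patterns are applied to a normalized (lower-case, unquoted) command line.
RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+(\{\w+\}\s+)?recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+(\{\w+\}\s+)?bootstatuspolicy\s+ignoreallfailures\b"),
}

def normalize(cmdline):
    """Lower-case, strip straight and curly quotes, collapse whitespace."""
    cleaned = re.sub(r"[\"'“”]", "", cmdline.lower())
    return re.sub(r"\s+", " ", cleaned).strip()

def match_rules(cmdline):
    """Return the sorted names of all rules the command line matches."""
    norm = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def triage(events):
    """Group hits per host; two or more distinct rules on one host is 'high'."""
    hits = {}
    for host, cmdline in events:
        for rule in match_rules(cmdline):
            hits.setdefault(host, set()).add(rule)
    return {host: ("high" if len(rules) >= 2 else "review", sorted(rules))
            for host, rules in hits.items()}

# Constructed sample events (hypothetical hosts), not taken from a real incident.
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ("WS-01", "bcdedit.exe /set {default} recoveryenabled no"),
    ("WS-01", "bcdedit.exe  /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-02", "vssadmin.exe list shadows"),  # benign listing, must not match
    ("SRV-03", '"C:\\Windows\\System32\\bcdedit.exe" /set {current} recoveryenabled No'),
]

if __name__ == "__main__":
    for host, (severity, rules) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity, ", ".join(rules))
```

A host that shows the shadow-copy deletion together with either bcdedit change is the combination the article describes, which is why it is ranked above a single match.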

Finally, the ransomware may drop its ransom note, named HOW_CAN_I_DECRYPT_MY_FILES.txt:

“Your important files were encrypted on this computer: documents, databases, photos, videos, etc.
Encryption was prodused using unique public key for this computer.
To decrypt files, you need to obtain private key and special tool.
To retrieve the private key and tool find your pc key file with ‘.key.~xdata~’ extension.
Depending on your operation system version and personal settings, you can find it in:
‘C:/Documents and settings/All Users/Application Data’,
‘Your Desktop’
folders (eg.).
Then send it to one of following email addresses:
Your ID:
Do not worry if you did not find key file, anyway contact for support.”

XData Ransomware – Encryption Process

For the encryption process, XData ransomware uses the AES encryption algorithm, which generates a symmetric key when encrypting the files. This key can be used to decode the files back to their working state. The bad news is that only the cyber-criminals are in possession of the key. The virus targets multiple important file types, such as the following:


After the encryption process is complete, the XData ransomware infection appends the .~xdata~ file extension to the encrypted files. This results in the files looking like the following:

Remove XData Ransomware and Restore Encrypted Files

Even though it may seem like a tempting action to pay the ransom requested by the crooks, it is advisable not to for obvious reasons:

  • You aid the cyber-criminals in further developing and spreading their malware.
  • You may not get your files back after paying them.

This is why experts recommend following these steps:

1. Backup your data, despite it being encrypted.
2. Remove XData ransomware by following the instructions below. Experts strongly advise using an advanced anti-malware tool for this purpose.
3. Try to restore the files by using the alternative methods for file recovery in step “3. Restore files encrypted by XData” below.
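
An added example, not part of the original article or of any vendor tool: a read-only Python inventory that supports step 1 by listing files that carry the indicators named in this article (the ransom note, the .~xdata~ suffix, the .key.~xdata~ key file and the dropped file names), so that they can be included in the backup. The function names and the report layout are assumptions of this example.

```python
import os

# Indicators named in the article; matching is by file name only.
RANSOM_NOTE = "how_can_i_decrypt_my_files.txt"
KEY_SUFFIX = ".key.~xdata~"
ENC_SUFFIX = ".~xdata~"
DROPPED_NAMES = {"msaddc.exe", "mscomrpc.exe", "msdcom.exe",
                 "msdns.exe", "mssecsvc.exe", "mssql.exe"}

def classify(filename):
    """Return the indicator category for a file name, or None."""
    name = filename.lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(KEY_SUFFIX):   # checked first: it also ends in .~xdata~
        return "key_file"
    if name.endswith(ENC_SUFFIX):
        return "encrypted"
    if name in DROPPED_NAMES:       # a lead only: confirm by location and scan
        return "dropped_name"
    return None

def original_name(filename):
    """Name the file had before the suffix was appended after its extension."""
    if classify(filename) != "encrypted":
        return filename
    return filename[:-len(ENC_SUFFIX)]

def inventory(root):
    """Walk root and group matching paths by category; nothing is modified."""
    report = {"ransom_note": [], "key_file": [], "encrypted": [], "dropped_name": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = classify(fname)
            if kind:
                report[kind].append(os.path.join(dirpath, fname))
    for paths in report.values():
        paths.sort()
    return report

def affected_extensions(report):
    """Count original extensions among encrypted files, to scope the backup."""
    counts = {}
    for path in report["encrypted"]:
        ext = os.path.splitext(original_name(os.path.basename(path)))[1].lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts
```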


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
