A week after WannaCry induced worldwide panic, another vicious ransomware attack is currently underway.
Despite being contained primarily to Ukraine (for now), the new malware, dubbed “XData”, was rated the second-most infectious globally on Friday by a security researcher at MalwareHunterTeam, a group instrumental last week in alerting us to the WannaCry threat.
The researcher, who did not wish to be identified by name, said that in Ukraine XData already has an infection rate three times that of WannaCry. That number is merely an estimate, however, based on details submitted to the team’s ID Ransomware platform. MalwareHunterTeam has detected around 100 infections today so far.
Here is an IDR based heatmap for past 24 hours of XData ransomware.
91% of victims from Ukraine, ~3% from RU. @BleepinComputer @demonslay335 pic.twitter.com/uGaEIecPDf
— MalwareHunterTeam (@malwrhunterteam) May 19, 2017
Worse yet, it isn’t immediately clear how XData is being spread, though an attack by spam seems unlikely. “[There are] too many victims in too short a time,” the researcher said.
Even on a good day and with the assistance of a botnet, “you simply won’t get this number with spam,” they said. “Maybe you get a number like this for [the whole planet].” But right now, “this is mostly one country, with a few victims in others.”
While XData appears localised now, it could easily jump the fence. After all, WannaCry kicked off in only a handful of countries (Russia, Taiwan and Spain) before rapidly turning into a global pandemic.
IDR: XData currently is the second “best” ransomware in the past 24 hours w/ only targeting Ukraine.
Crazy… @BleepinComputer @demonslay335 pic.twitter.com/JMcduJyYUa
— MalwareHunterTeam (@malwrhunterteam) May 19, 2017
Information isn’t coming easily, but so far the MalwareHunterTeam has identified (among other victims) a Ukrainian factory, as well as another company whose accounting department is apparently infected. The researcher has seen infections on Windows Server 2008 (including the R2 version), Windows 7 and Windows 10. “But there are others probably,” they added.
The attackers responsible have not yet been identified.
Gizmodo reached out to a number of security researchers in Ukraine, but none were immediately available. (At time of writing it was midnight in Kiev.)
@malwrhunterteam I again checked the statistics of the victims at the end of the day. In Ukraine there are a lot more affected servers: Kiev, Kharkov, Odessa
— Amigo-A (@Amigo_A_) May 19, 2017
The good news is that XData has caught the attention of some talented security researchers. The bad news is they don’t believe there’s any way to decrypt the infected devices for free.