In WannaCrypt's Wake, a New Rapidly Spreading Ransomware Attack Appeared Today

By Dell Cameron

A week after WannaCrypt induced worldwide panic, another vicious ransomware attack kicked off.

Despite being contained primarily to Ukraine (for now), the new malware, dubbed “XData,” was rated the second-most infectious globally on Friday by a security researcher at MalwareHunterTeam, a group instrumental last week in alerting us to the WannaCrypt threat.

The researcher, who did not wish to be identified by name, said that in Ukraine XData already has an infection rate three times that of WannaCrypt. That number is merely an estimate, however, based on details submitted to the team’s ID Ransomware platform. MalwareHunterTeam has detected around 100 infections on Friday alone.

Worse yet, it’s not immediately clear how XData is being spread, though an attack by spam seems unlikely. “[There are] too many victims in too short a time,” the researcher said.

Even on a good day and with the assistance of a botnet, “you simply won’t get this number with spam,” they said. “Maybe you get a number like this for [the whole planet].” But right now, “this is mostly one country, with a few victims in others.”

While XData appears localised now, it could easily jump the fence. After all, WannaCrypt kicked off in only a handful of countries (Russia, Taiwan, the UK, and Spain) before rapidly turning into a global pandemic.

Information isn’t coming easy, but so far the MalwareHunterTeam has identified (among other victims) a Ukrainian factory, as well as another company whose accounting department is apparently infected. The researcher has seen infections in Windows Server 2008 (including the R2 version), Windows 7, and Windows 10. “But there are others probably,” they added.

The attackers responsible have not yet been identified.

Gizmodo reached out to a number of security researchers in Ukraine, but none were immediately available.

The good news is that XData has caught the attention of some talented security researchers. The bad news is they don’t believe there’s any way to decrypt the infected devices for free.

This post will be updated with new information as it becomes available.