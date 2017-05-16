A week after WannaCrypt induced worldwide panic, another vicious ransomware attack kicked off.

Despite being contained primarily to Ukraine (for now), the new malware, dubbed “XData,” was rated the second-most infectious globally on Friday by a security researcher at MalwareHunterTeam, a group instrumental last week in alerting us to the WannaCrypt threat.

The researcher, who did not wish to be identified by name, said that in Ukraine XData already has an infection rate three times that of WannaCrypt. That number is merely an estimate, however, based on details submitted to the team’s ID Ransomware platform. MalwareHunterTeam has detected around 100 infections on Frdiay alone.

Here is an IDR based heatmap for past 24 hours of XData ransomware.

91% of victims from Ukraine, 3% from RU.@BleepinComputer @demonslay335 pic.twitter.com/uGaEIecPDf — MalwareHunterTeam (@malwrhunterteam) May 19, 2017

Worse yet, it’s not immediately clear how XData is being spread, though an attack by spam seems unlikely. “[There are] too many victims in too short a time,” the researcher said.

Even on a good day and with the assistance of a botnet, “you simply won’t get this number with spam,” they said. “Maybe you get a number like this for [the whole planet].” But right now, “this is mostly one country, with a few victims in others.”

While XData appears localised now, it could easily jump the fence. After all, WannaCrypt kicked off in only a handful of countries (Russia, Taiwan, the UK, and Spain) before rapidly turning into a global pandemic.

IDR: XData currently is the second "best" ransomware in the past 24 hours w/ only targeting Ukraine.

Crazy...@BleepinComputer @demonslay335 pic.twitter.com/JMcduJyYUa — MalwareHunterTeam (@malwrhunterteam) May 19, 2017

Information isn’t coming easy, but so far the MalwareHunterTeam has identified (among other victims) a Ukrainian factory, as well another company whose accounting department is apparently infected. The researcher has seen infections in Windows Server 2008 (including the R2 version), Windows 7, and Windows 10. “But there are others probably,” they added.

The attackers responsible have not yet been identified.

Gizmodo reached out to a number of security researchers in Ukraine, but none were immediately available.

@malwrhunterteam I again checked the statistics of the victims at the end of the day. In Ukraine there are a lot more affected servers: Kiev, Kharkov, Odessa — Amigo-A (@Amigo_A_) May 19, 2017

The good news is that XData has caught the attention of some talented security researchers. The bad news is they don’t believe there’s anyway to decrypt the infected devices for free.

This post will be updated with new information as it becomes available.