New major ransomware threat appears just days after WannaCry

The dust hasn’t even settled around WannaCry, another ransomware appears. This one was detected by ESET and identified as Win32/Filecoder.AESNI.C. 

Security researchers dubbed it XData ransomware. It appears mostly in Ukraine (96 per cent of cases). The outbreak seems to have started on May 17, reaching peak on May 19. 

ESET says that it has been tracking the malware since early December last year, when the version Win32/Filecoder.AESNI.A first appeared. Some decryption keys for this variant have been published on the BleepingComputer.com forum.

This ransomware seems to be going around through a Ukranian document automation system used in accounting. ESET says the infection ration is still low, which probably means infection requires ‘some kind of social engineering’. It is still too early to tell, though. 

After infecting a computer, the main files drops a legitimate system utility – SysInternals PsExec – and executes the ransomware sample (Win32/Filecoder.AESNI.C.).

The ransomware has the potential of infecting the entire network, ESET added: “To do so, it uses the Mimikatz tool to extract admin credentials and then uses them to run copy of itself on all computers in the internal network.”

Spreading admin and user accounts would prevent much of the damage, ESET says, as XData ransomware misuses admin passwords if run on accounts with admin privileges.

“Without admin privileges, XData is only able to infect one computer instead of the whole network.”

To protect yourself, you need a security solution utilising multiple protection layers. Make sure you keep your OS up to date, and back up your files on a remote hard disk. And don’t forget not to download or open shady attachments! 

Image source: Shutterstock/Nicescene