
New major ransomware threat appears just days after WannaCry

(Image credit: Image source: Shutterstock/Nicescene)

The dust hasn’t even settled around WannaCry, and another ransomware has appeared. This one was detected by ESET and identified as Win32/Filecoder.AESNI.C.

Security researchers dubbed it XData ransomware. It appears mostly in Ukraine (96 per cent of cases). The outbreak seems to have started on May 17, reaching its peak on May 19.

ESET says that it has been tracking the malware since early December last year, when the version Win32/Filecoder.AESNI.A first appeared. Some decryption keys for this variant have been published on the forum.

This ransomware seems to be spreading through a Ukrainian document automation system used in accounting. ESET says the infection ratio is still low, which probably means infection requires ‘some kind of social engineering’. It is still too early to tell, though.

After infecting a computer, the main file drops a legitimate system utility – SysInternals PsExec – and executes the ransomware sample (Win32/Filecoder.AESNI.C).

The ransomware has the potential of infecting the entire network, ESET added: “To do so, it uses the Mimikatz tool to extract admin credentials and then uses them to run copy of itself on all computers in the internal network.”

Separating admin and user accounts would prevent much of the damage, ESET says, as XData ransomware misuses admin passwords if run on accounts with admin privileges.

“Without admin privileges, XData is only able to infect one computer instead of the whole network.”
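For defenders, the network-wide spread ESET describes (one admin credential reused to start a copy on every machine) appears in logon telemetry as a single account reaching many hosts from one workstation within minutes. The following Python is an added example, not code from ESET or this article; the simplified log line format, host names, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Assumed simplified format:
# ISO timestamp, account, source host, target host of a network logon.
SAMPLE_EVENTS = """\
2017-05-19T09:00:05 jsmith WS-014 FILE-01
2017-05-19T09:01:10 adm-backup WS-022 WS-001
2017-05-19T09:01:12 adm-backup WS-022 WS-002
2017-05-19T09:01:15 adm-backup WS-022 WS-003
2017-05-19T09:01:19 adm-backup WS-022 WS-004
2017-05-19T09:01:24 adm-backup WS-022 FILE-01
2017-05-19T11:30:00 adm-patch MGMT-01 WS-001
2017-05-19T13:45:00 adm-patch MGMT-01 WS-002
"""

def parse_events(text):
    """Yield (timestamp, account, source, target) from the simplified lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, target = line.split()
        yield datetime.fromisoformat(ts), account, source, target

def find_fanout(events, min_targets=4, window=timedelta(minutes=5)):
    """Return {(account, source): sorted targets} for every account that
    reached at least min_targets distinct hosts from one source in window."""
    by_key = defaultdict(list)
    for ts, account, source, target in events:
        by_key[(account, source)].append((ts, target))
    alerts = defaultdict(set)
    for key, hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {t for _, t in hits[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[key] |= targets
    return {key: sorted(t) for key, t in alerts.items()}

if __name__ == "__main__":
    for (account, source), targets in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {account} from {source} reached {len(targets)} hosts: {targets}")
```

The slow, scheduled activity of `adm-patch` stays below the threshold, while the burst from `adm-backup` on a user workstation is flagged.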

To protect yourself, you need a security solution utilising multiple protection layers. Make sure you keep your OS up to date, and back up your files on a remote hard disk. And don’t forget not to download or open shady attachments! 


Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.