A new ransomware threat is brewing in Ukraine, which security experts expect could likely lead to even more widespread attacks in the future. Researchers have spotted a new ransomware variant, dubbed XData, rapidly spreading across Ukraine. XData ransomware was found spreading faster than WannaCry, which last week affected hundreds of thousands of global firms and networks in over 150 countries.
However, in comparison, XData ransomware racked up three times more infections than WannaCry did last week in Ukraine. According to a security researcher MalwareHunter, who works with the MalwareHunterTeam group and was the first to detect the ransomware, as of Friday (18 May), XData already had 94 unique detections and the number of infections was on the rise.
Security researchers with ESET suggest that the ransomware authors may be using social engineering techniques to spread XData. ESET researchers also said XData makes use of a tool called Mimikatz "to extract admin credentials," which essentially allows the ransomware to infect an entire network.
XData spreading rapidly
"The infections with XData across Ukraine have been increasing so rapidly it has raised XData to the second most active ransomware strain, second to the ever dominant Cerber," security researchers at Emsisoft said.
Emsisoft researchers said in just one day of XData being active in Ukraine, the ransomware "made four times as many victims when compared with the total for the entire week of WannaCry's reign".
Wired cited Symantec researchers as having confirmed that XData is currently "highly active" in Ukraine as well as Russia.
"As it spread that fast in the Ukraine, it is not unlikely that it will spread fast outside of Ukraine, too," German security researcher Matthias Merkel told Wired.
No specific XData ransom demands
Although XData comes with a standard ransom note, warning victims to not use decryption tools or contact "data recovery companies," a salient feature missing from the ransom note is the specific ransom amount. At present, XData authors do not specify the exact amount they expect victims to pay up in exchange for their stolen data.
MalwareHunter speculated that the cybercriminals behind XData may likely set ransoms on an individual basis, which means that victims could likely receive demands for varying amounts of ransom, Wired reported.
It is still uncertain as to whether the ransomware is exploiting a particular vulnerability. In case of the WannaCry attacks, hackers exploited the EternalBlue vulnerability, an alleged NSA hacking tool leaked by the Shadow Brokers hacker group, to spread the attacks.
"I want to believe they are exploiting [the same flaw]," MalwareHunter, told Wired, "because if not, and they still got that crazy amount of victims, that is really bad."
Despite XData's relevantly limited geographical reach, experts are still concerned over the threat the ransomware poses, given its rapidly rising infection rate. "Imagine what would happen if they targeted everyone," MalwareHunter said.