Ransomware Report

Title: XData ransomware
Registration date: 2023-10-05

[Virus/Malware Activity Report: XData Ransomware]

Following a breach believed to involve XData ransomware,
we would like to confirm the situation and provide a warning as follows.

XData ransomware

The ransomware in question is called XData. It appears that all files are being renamed to <file name.extension.~xdata~>.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • It is built with Delphi. It uses an event to prevent duplicate execution, and it encrypts everything except the desktop so that users cannot immediately notice that encryption is in progress.


    [Figure 3 Dynamic code that generates events to prevent duplicate execution]


    [Figure 4 Unencrypted desktop and additional encrypted drives]


    [Figure 5 Dynamic code that checks for exceptions during encryption]

Infection results

The desktop is changed, and a HOW_TO_RECOVER_FILES.txt file is created in each folder. Encrypted files are renamed to <file name.extension.~xdata~>.


[Figure 6 Infection results]
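
A triage sketch for the indicators described above, added here as an example and not part of the original report or of White Defender: it walks a directory tree and lists, per folder, the files carrying the .~xdata~ suffix and whether HOW_TO_RECOVER_FILES.txt is present. The function names and the sample tree of empty files are assumptions constructed for illustration.

```python
import os
import tempfile

# Indicators taken from the report: renamed-file suffix and ransom note name.
XDATA_SUFFIX = ".~xdata~"
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"


def original_name(name):
    """Return the pre-infection file name, or None if the suffix is absent."""
    if name.lower().endswith(XDATA_SUFFIX) and len(name) > len(XDATA_SUFFIX):
        return name[: -len(XDATA_SUFFIX)]
    return None


def scan_tree(root):
    """Report, per folder under root, renamed files and ransom-note presence."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        renamed = sorted(f for f in files if original_name(f))
        notes = [f for f in files if f.lower() == RANSOM_NOTE.lower()]
        if renamed or notes:
            # Files still carrying their own name show how far renaming got.
            untouched = sorted(set(files) - set(renamed) - set(notes))
            findings[os.path.relpath(folder, root)] = {
                "renamed": renamed, "ransom_note": bool(notes), "untouched": untouched}
    return findings


def demo():
    """Build a constructed sample tree of empty files and scan it."""
    layout = {  # constructed sample data, not taken from a real incident
        "docs": ["report.docx.~xdata~", "budget.xlsx.~xdata~", RANSOM_NOTE],
        "photos": ["cat.jpg"],
        "mixed": ["notes.txt.~xdata~", "new.txt", RANSOM_NOTE],
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, names in layout.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return scan_tree(root)


if __name__ == "__main__":
    for folder, info in sorted(demo().items()):
        print(folder, info)
```

A folder that holds the note together with untouched files can indicate that renaming was interrupted there or that the files were created after the infection.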

White Defender compatible

White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that would be encrypted before the block.


[Figure 7 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.