Just as the reverberations from last week’s WannaCry ransomware outbreak have started to slow, a new threat has already cropped up. A virulent ransomware strain called XData has gained momentum in Ukraine, so far leading to about three times as many infections as WannaCry did in the country. That XData appears to target Ukraine specifically tempers some fears, but were it to spread globally it would potentially leave even more devastation than last week’s WannaCry mess.
Discovered on Thursday by MalwareHunter, a researcher with the MalwareHunterTeam analysis group, XData had 94 detected unique infections as of midday Friday, and the number was rising. In contrast, MalwareHunterTeam’s data indicates that there were fewer than 30 WannaCry infections in Ukraine in all (the total number of infections worldwide was about 200,000). A few dozen cases may not sound like a lot. But considering that WannaCry infected 200,000 devices out of the billions of devices in the world, the rate of infection is an important indicator. An outbreak moving this much faster than WannaCry did, even in an isolated setting, portends deeper troubles if it goes global.
“As it spread that fast in the Ukraine, it is not unlikely that it will spread fast outside of Ukraine, too,” says German security researcher Matthias Merkel.
Experts are still analyzing the ransomware to identify how it infects devices and spreads, but so far XData shows at least some level of sophistication. That’s in contrast to WannaCry, whose creators’ incompetence limited its scope. Researchers have confirmed that XData fully encrypts the files it claims to, and that there isn’t a way to get around the process and decrypt the files for free, as you can with WannaCry in some cases on Windows XP and Windows 7.
XData’s ransom note is simply in a text file instead of showing up as a window plastered across a victim’s screen. Merkel notes that the ransomware regularly closes all processes running on infected devices except for itself, but it seems that it may not connect to the internet after it infects a device. If that’s the case then it probably doesn’t have the worm-like qualities of WannaCry and is relying on a different mechanism to generate new infections. Usually that would be something like spam, malvertising, or tainted software a user unknowingly downloads, but the rate of infection in Ukraine indicates that there may be an additional driver.
Curiously, XData doesn’t specify an amount of money it requires to release hostage files. MalwareHunter speculates that the attackers may set the ransoms on a victim-by-victim basis, depending on whether they are individuals or businesses.
The XData focus on Ukraine has kept the ransomware at least somewhat contained. And researchers caution that it’s too early to predict how effective it would be outside the country, since so much remains unknown about the mechanics of XData attacks. Researchers at Symantec said on Friday that they had evaluated two XData-related samples, and confirmed that it is currently “highly active” in Ukraine and Russia. But they hadn’t yet determined whether the ransomware was exploiting a particular software vulnerability to infect devices.
WannaCry notoriously exploits the Windows server vulnerability known as EternalBlue, which surfaced in a leak of stolen NSA spy tools published by the Shadow Brokers hacking group. Microsoft had patched the bug in mid-March, but WannaCry preyed on devices that didn’t have the fix installed. Victims included the UK’s National Health Service, various European telecoms, and thousands more victims in 150 countries around the world.
Perhaps counterintuitively, XData turning out to leverage the same EternalBlue exploit would be for the best, given the general awareness at this point of the need to patch that particular bug. It’s a known problem. “I want to believe they are exploiting [the same flaw],” says MalwareHunter, “because if not, and they still got that crazy amount of victims, that is really bad.”
Even if XData doesn’t have the same efficacy on the world stage (fingers crossed), it still highlights the larger reality that new ransomware families, each with their own tweaks and modifications, constantly surface and affect some number of victims. And attackers learn from both successes and failures. WannaCry showed just how bad things can get when relatively unknown ransomware has the right infection strategy at the right time. It won’t be the last to do so.
Now researchers are analyzing, watching and waiting to see what happens next with XData. The rate of infection ebbs and flows hour to hour, but has been steadily rising overall. “Imagine what would happen if they targeted everyone,” MalwareHunter says.