Just a week after the WannaCryptor scare, ESET researchers have spotted XData ransomware making the rounds, mostly in Ukraine, where it appears to have been distributed through a Ukrainian document automation system widely used in accounting. The ransomware uses the Mimikatz tool to extract administrator credentials and then uses those credentials to copy itself onto all of the computers in the internal network, potentially compromising entire networks.
The malware also checks whether the affected machine supports the Advanced Encryption Standard New Instructions (AES-NI) and, if it does, uses them to encrypt victims' data faster thanks to hardware acceleration, according to a May 23 blog post.
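The article only says that XData tests for AES-NI; it does not show how. The following is an added example written for this page, not code from the original article, from ESET's analysis, or from the malware itself. It shows the standard way a program discovers the feature on x86: execute CPUID with EAX=1 and test bit 25 of ECX, which Intel and AMD document as the AES-NI flag. It assumes a GCC or Clang toolchain (the `__get_cpuid` helper from `cpuid.h`); MSVC exposes the same instruction through its own `__cpuid` intrinsic instead.

```c
/* Added example: the CPUID-based AES-NI check, with the flag decoding split
 * out so it can be tested without running on a particular CPU. */
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang helper around the CPUID instruction */
#endif

/* CPUID.(EAX=1):ECX[25] is the documented AES-NI feature flag. */
#define AESNI_ECX_BIT 25

/* Decode the AES-NI flag from a leaf-1 ECX register value. */
int aesni_from_ecx(unsigned int ecx) {
    return (ecx >> AESNI_ECX_BIT) & 1u;
}

/* Query the running CPU.
 * Returns 1 if AES-NI is present, 0 if absent, and -1 when this build is not
 * targeting x86, where the CPUID instruction does not exist. */
int aesni_supported(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    /* __get_cpuid returns 0 if leaf 1 is not supported by the CPU. */
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return aesni_from_ecx(ecx);
#else
    return -1;
#endif
}

int main(void) {
    int r = aesni_supported();
    if (r < 0)
        puts("not an x86 build; CPUID unavailable");
    else
        printf("AES-NI %s\n",
               r ? "available: hardware-accelerated AES possible"
                 : "absent: software AES only");
    return 0;
}
```

For an analyst, the practical point is that this check is a branch in the sample: the encryption path taken on the analysis machine depends on the host CPU, and a hypervisor that masks the CPUID AES flag for its guests will steer the sample down the software-only path, so both code paths need to be covered when characterising the encryption routine.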
Researchers have been tracking the malware since December 2016 and speculate that its distribution involves some sort of social engineering, since the infection ratio is still low; however, it is too soon to say with certainty.
The majority of detections, 96 percent, occurred between May 17 and May 22, 2017, peaking on May 19, 2017.
To limit the damage from an infection, researchers recommend that users keep separate administrator and standard user accounts, so that credentials harvested from an everyday session do not carry administrator rights across the network. Companies should also use a reliable security solution with multiple layers of protection, regularly back up files to a remote disk or location that will not be reached by a network-wide infection, and never click on suspicious links or attachments.