{
	"id": "3211edcd-60d7-46c3-a21f-70177259c9f9",
	"created_at": "2026-04-06T00:22:18.88587Z",
	"updated_at": "2026-04-10T13:12:56.290593Z",
	"deleted_at": null,
	"sha1_hash": "340859cec188321f7ac81f12860dc03bb554fb0f",
	"title": "XData ransomware making rounds amid global WannaCryptor scare",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110020,
	"plain_text": "XData ransomware making rounds amid global WannaCryptor\r\nscare\r\nBy Anton Cherepanov\r\nArchived: 2026-04-02 11:34:30 UTC\r\nRansomware\r\nA week after the global outbreak of WannaCryptor, also known as WannaCry, another ransomware, known as\r\nXData, has been making rounds.\r\n23 May 2017  •  , 2 min. read\r\nA week after the global outbreak of WannaCryptor, also known as WannaCry, another ransomware variant has\r\nbeen making the rounds.\r\nDetected by ESET as Win32/Filecoder.AESNI.C, and also known as XData ransomware, the threat has been most\r\nprevalent in Ukraine, with 96% of the total detections between May 17th and May 22th, and peaking on Friday,\r\nMay 19th. ESET has protected its customers against this threat since May 18th.\r\nHowever, we’ve been tracking the malware since December 8th, 2016, when the version\r\nWin32/Filecoder.AESNI.A first appeared. For the AESNI.A variant, some of the decryption keys have been\r\nrecently published on a BleepingComputer.com forum.\r\nhttps://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare\r\nPage 1 of 4\n\nBased on ESET’s research, the ransomware appears to have been distributed through a Ukrainian document\r\nautomation system widely used in accounting. Since the infection ratio is still low, a probable distribution scenario\r\ninvolves some kind of social engineering – e.g. connected to a malicious software update – however, it is still\r\nearly to tell with absolute certainty.\r\nOnce it infects a computer, the main file drops a legitimate system utility – SysInternals PsExec – and then\r\nexecutes the dropped ransomware sample (Win32/Filecoder.AESNI.C.).\r\nIf executed with admin privileges, the ransomware can infect an entire network. 
To do so, it uses the Mimikatz\r\ntool to extract admin credentials and then uses them to run a copy of itself on all computers in the internal\r\nnetwork.\r\nIf you’re interested in why the threat is called AESNI, it is derived from the ransom note dropped by one of its\r\nprevious variants:\r\nMoreover, there is also a functionality behind the name – the ransomware checks whether the affected machine\r\nsupports Advanced Encryption Standard Instruction Set, aka AES-NI. If that’s the case, it uses it to encrypt\r\nvictims’ data faster thanks to hardware acceleration.\r\nHow to stay safe\r\nParticularly in this case, separating admin and user accounts would prevent much of the damage, as the XData\r\nransomware misuses admin passwords if run on accounts with admin privileges. Without admin privileges, XData\r\nis only able to infect one computer instead of the whole network.\r\nIn general, here’s what you can do to protect yourself against most ransomware:\r\nUse a reliable security solution that utilizes multiple layers to protect you from similar threats in the future.\r\nMake sure to update and patch your operating system regularly.\r\nKeep backups of your files on a remote hard disk or location that will not be hit in case of a network\r\ninfection.\r\nNever click on attachments and links in suspicious or unexpected emails.\r\nSource: https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare"
	],
	"report_names": [
		"xdata-ransomware-making-rounds-amid-global-wannacryptor-scare"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434938,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/340859cec188321f7ac81f12860dc03bb554fb0f.pdf",
		"text": "https://archive.orkl.eu/340859cec188321f7ac81f12860dc03bb554fb0f.txt",
		"img": "https://archive.orkl.eu/340859cec188321f7ac81f12860dc03bb554fb0f.jpg"
	}
}