How to remove XData virus and restore encrypted files

XData is a new ransomware that appeared a few days ago, and in Ukraine it has already infected more computers than WannaCry. This is surprising, because WannaCry used a vulnerability in Windows and spread automatically, while we still don't know how XData spreads. Very little is known about XData yet, but we will try to give you the full picture of the situation.

XData was discovered by the security researcher MalwareHunter: a sample was submitted to his service for ransomware victims, ID-Ransomware. We know that the virus uses the AES encryption algorithm to encrypt the victim's files, and we know the names of the processes it runs while encrypting: mssql.exe, msdns.exe, msdcom.exe and mscomrpc.exe. If you see these processes in Task Manager, shut down the PC immediately and boot it in Safe Mode to clean the virus out. There is no information about the amount of the ransom, so we can suppose that the scammers set the sum separately for each victim. This also suggests that the virus somehow communicates with the hackers' C&C server, transmitting information about the number of files on the user's PC and their estimated value. Encrypted files get a new extension: ~xdata~ or new.~xdata~.

For now, most XData victims are in Ukraine, but there are also reports from Russia, Germany and other countries around the world. There is no 100% effective way to recover the files, and no reports of successful recovery after paying the ransom, so an XData victim does not have many options. We advise you to remove the virus from the system so that you can work freely and download new files without losing them, and then wait until a decent decryptor is developed. Of course, you can pay the ransom, but you should realize that you may be tricked again: the scammers may be unable to decrypt the files, or may refuse to and ask for more money. Below are the instructions for removing XData from the system, followed by a few tips on possible ways of recovering the data.

How to remove XData Virus

Removal instruction

Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select the Boot tab
  • Select Safe boot and press OK

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel
  • Select Appearance and Personalization
  • Click on Folder Options
  • Select the View tab
  • Select Show hidden files, folders and drives
  • Press OK

Step 3. Remove virus files

Check the following folders for suspicious files (hidden files must be visible, which is why Step 2 comes first):

  • %TEMP%
  • %APPDATA%
  • %ProgramData%

Step 4. Fix hosts file

  • Go to the %SystemRoot%\System32\drivers\etc\ folder
  • Open the hosts file with Notepad or another text editor
  • Delete any suspicious entries
  • A basic hosts file contains only comment lines beginning with #, optionally followed by the localhost entries 127.0.0.1 localhost and ::1 localhost

Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean the startup registry keys listed below; HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER) means the key should be checked under both hives
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot
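As an added example (not from the original article), the PowerShell script below collects in one pass what Steps 3 to 5 and the process list in the description above tell you to look for: the four process names, recently written executables in the three drop folders, the Run keys and the Winlogon Userinit value, active hosts entries, and a count of files carrying the ~xdata~ extension. The process names, folders, keys and extension come from the article; the three-day window, the file types and the output layout are assumptions.

```powershell
# Added triage script (not from the original article). Uses the process names,
# folders, Run keys and file extension named in the guide; everything else
# (time window, file types, output format) is an assumption. Run from an
# elevated PowerShell so that process paths of all users are visible.
$SuspectProcesses = 'mssql', 'msdns', 'msdcom', 'mscomrpc'   # from the article
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

"== 1. Running processes with the names the ransomware uses =="
Get-Process | Where-Object { $SuspectProcesses -contains $_.ProcessName } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

"== 2. Executable files written in the last 3 days to the folders from Step 3 =="
$Folders = $env:TEMP, $env:APPDATA, $env:ProgramData
Get-ChildItem -Path $Folders -Recurse -File -Include *.exe, *.dll, *.bat, *.vbs, *.ps1 -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-3) } |
    Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

"== 3. Autostart entries from Step 5 (compare each value with the files above) =="
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    # drop the PS* bookkeeping properties so only real value names remain
    $Values = Get-ItemProperty -Path $Key | Select-Object -Property * -ExcludeProperty PS*
    foreach ($Prop in $Values.PSObject.Properties) { "$Key : $($Prop.Name) = $($Prop.Value)" }
}
# A clean Userinit value is normally just "C:\Windows\system32\userinit.exe,"
$Userinit = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit
"Winlogon\Userinit = $Userinit"

"== 4. Active (non-comment) lines in the hosts file from Step 4 =="
$Hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $Hosts | Where-Object { $_ -match '^\s*[^#\s]' }

"== 5. Number of encrypted files (extension ~xdata~) under C:\Users =="
(Get-ChildItem -Path C:\Users -Recurse -File -Filter '*~xdata~' -ErrorAction SilentlyContinue | Measure-Object).Count
```

Save the output before cleaning, so that you still have the file paths and autostart values after the machine has been rebooted out of Safe Mode.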

How to restore files encrypted by XData

As we said earlier, there is currently no way to decrypt files encrypted by XData, but there are a few ways to restore them. The first and most reliable is to load your backups. Without backups it becomes more complicated, because the other methods may not work, and their success depends on your system settings and your own attentiveness. The first such method is to recover the data from shadow copies. The Shadow Copy Service is a built-in Windows feature that lets you recover deleted or changed data. All modern ransomware can delete shadow copies, but doing so requires administrator rights: when the virus tries it, you see a dialog window with a simple question, "Do you allow this program to apply changes to the system?". If you answered "Yes" and confirmed the changes, you will not be able to recover the files this way. Other recovery options use the Recuva or ShadowExplorer recovery tools; you can find all the necessary instructions and download these programs from their developers' official websites.

  • Click Start
  • Click Control Panel
  • Click System and Security
  • Select Backup and Restore
  • Select Restore files from backup
  • Select the checkpoint to restore
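Added example (not part of the original article) that automates the shadow copy route described above: it lists the shadow copies of drive C:, exposes each one through a temporary directory symlink, and copies out the pre-encryption version of every file that now ends in .~xdata~. The scan folder, restore folder and link path are assumptions, as is the rule that the original name is the encrypted name minus the .~xdata~ extension; it only works if the shadow copies were not deleted.

```powershell
# Added example, not from the original article: recover pre-encryption versions
# of files that now end in ".~xdata~" from Volume Shadow Copies of drive C:.
# Assumptions: the original name is the encrypted name without ".~xdata~", the
# shadow copies still exist, and the script runs from an elevated PowerShell.
$Root    = "$env:USERPROFILE\Documents"   # folder to scan (assumed)
$Restore = 'C:\Restored'                  # recovered files go here (assumed)
$Link    = 'C:\shadow_mount'              # temporary symlink to a shadow copy

$Vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }
$Shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $Vol.DeviceID } |
    Sort-Object InstallDate -Descending      # newest copy first
if (-not $Shadows) { Write-Warning 'No shadow copies of C: exist; use backups instead.'; return }
$Shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

$Encrypted = Get-ChildItem -Path $Root -Recurse -File -Filter '*.~xdata~' -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $Restore -Force | Out-Null
$Recovered = 0
foreach ($Shadow in $Shadows) {
    # A shadow copy is exposed as a device object; a directory symlink to it
    # (note the trailing backslash) makes it browsable like a normal folder.
    cmd /c mklink /d $Link "$($Shadow.DeviceObject)\" | Out-Null
    try {
        foreach ($File in @($Encrypted)) {
            $Original = $File.FullName -replace '\.~xdata~$', ''
            $Relative = $Original.Substring(3)          # drop the leading "C:\"
            $Target   = Join-Path $Restore $Relative
            if (Test-Path -LiteralPath $Target) { continue }   # already recovered from a newer copy
            $Candidate = Join-Path $Link $Relative
            if (Test-Path -LiteralPath $Candidate) {
                New-Item -ItemType Directory -Path (Split-Path $Target) -Force | Out-Null
                Copy-Item -LiteralPath $Candidate -Destination $Target
                $Recovered++
            }
        }
    } finally {
        cmd /c rmdir $Link | Out-Null   # removes only the link, never the shadow copy
    }
}
"Recovered $Recovered file(s) into $Restore. Verify them before deleting the encrypted originals."
```

Files are copied to a separate folder rather than over the encrypted ones, so nothing on the original volume is changed if a recovered file turns out to be an older version than expected.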
