Severity scale: 96/100

XData ransomware virus. How to remove? (Uninstall guide)

Removal guide by Gabriel E. Hall | Type: Ransomware

After using XData ransomware to cause havoc in Ukraine, hackers publish master decryption keys 

XData is ransomware that encrypts files with the AES algorithm[1]. The campaign has been hitting Ukraine mainly, although there are victims in Russia, Estonia and Germany[2]. The malware has a plain design: it does not launch a GUI of its own. Instead it drops a ransom note, HOW_CAN_I_DECRYPT_MY_FILES.txt, with instructions on how to locate the victim ID and contact the attackers by email. Surprisingly, the perpetrators list six addresses: beqins@colocasia.org, bilbo@colocasia.org, frodo@colocasia.org, trevor@thwonderfulday.com, bob@thwonderfulday.com and bil@thwonderfulday.com. The domain names suggest the author was in a good mood when building the malware; its victims feel far from joyful. Their files are not only renamed with the .~xdata~ extension but locked as well. The sample has been flagged under the verdict HEUR:Trojan.Win32.Generic; note that this is a generic heuristic detection label used by antivirus engines, not the name of an older trojan family that XData was built on. The operators also appear to route traffic through more than 20 IP addresses to cover their tracks. Until you have a working decryptor (see the update below), we recommend proceeding with XData removal. For that purpose you may find Reimage or Malwarebytes Anti-Malware useful.

UPDATE: On 30 May 2017 the attackers published the master decryption keys for XData. Thanks to that, Kaspersky and Avast have released decryptors for this virus. Run a decryptor only after the malware has been removed from the system; otherwise freshly decrypted files can be encrypted again.

The image displaying XData virus

The ransom note suggests an ordinary public-key arrangement: the key used on the victim's data (AES, as noted above) is presumably protected with a public key, so the files can only be decrypted with a unique private key. The attackers appear to keep that private key on a command-and-control server, which also lets them manage several registered domains and grants them more anonymity. The note tells victims to find their ID by locating the file with the .key.~xdata~ extension and then to contact the attackers at the listed email addresses. It does not state any ransom amount. This can be explained in two ways: either the attackers forgot to include it, or they are open to negotiation. Either way, we do not recommend contacting the criminals. It is understandable if you decide to risk paying, but note that there is no guarantee the attackers will return the files[3]. Thus, you might want to remove XData completely.

From the first day XData appeared, researchers noticed that the virus rampages mainly in Ukraine[4]. Surprisingly, they report that it infected four times more computers than the infamous WannaCry managed in a whole week. What is shocking is that WannaCry was acting on a global scale, while the new virus targets mainly one country. It is no surprise that XData jumped to second place among the most active ransomware families on 19 May; the only family it failed to surpass was Cerber.

Methods used to distribute ransomware

Attackers use several distribution methods to increase the number of computers infected with ransomware. The most popular of them is targeting users with spam emails. Note that emails reporting undelivered packages or carrying invoices or other important documents may be fake and hide a highly troublesome virus; by opening such an attachment you may allow XData or another ransomware[5] to infect your computer. On an infected host the ransomware starts these processes: msaddc.exe, mscomrpc.exe, msdcom.exe, msdns.exe, mssecsvc.exe and mssql.exe. To lower the risk of infection, a proper security application should be installed. If you already have one and it has just quarantined one of the following detections, Trojan.Heur.TP.E72C6B, Gen:Trojan.Heur.TP.eqW@baZ37zo or Ransom_XDATA.A, you should know that XData has just attempted to encrypt files on your system.
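As an added example (not code from this article, from the malware, or from any vendor tool), the following Python script turns the indicators quoted above into a read-only triage sweep: it walks a directory tree for the .~xdata~ extension, the .key.~xdata~ key file and the ransom note, and checks a process snapshot against the listed image names. The sample directory, the process list with its PIDs and paths, and the ID-like prefix in the key file name are all constructed for the demonstration.

```python
"""Read-only triage sweep for the XData indicators named in the article.
Added example; constructed sample data, no real infection involved."""
import os
import tempfile

# Indicators exactly as given in the article.
ENCRYPTED_EXT = ".~xdata~"
KEY_FILE_SUFFIX = ".key.~xdata~"
RANSOM_NOTE = "HOW_CAN_I_DECRYPT_MY_FILES.txt"
SUSPECT_PROCESSES = {
    "msaddc.exe", "mscomrpc.exe", "msdcom.exe",
    "msdns.exe", "mssecsvc.exe", "mssql.exe",
}


def sweep_filesystem(root):
    """Walk `root` and sort XData artefacts into three lists.

    'encrypted' -> (path, original_name) pairs; the original name is recovered
                   by stripping the appended extension, which gives a recovery
                   inventory to check against once a decryptor has run.
    'key_files' -> files with the .key.~xdata~ suffix (the note tells the
                   victim to look for their ID there).
    'notes'     -> copies of the ransom note.
    The key-file test runs before the generic extension test because the key
    file name also ends in .~xdata~ and would otherwise be misfiled.
    """
    found = {"encrypted": [], "key_files": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE.lower():
                found["notes"].append(path)
            elif lower.endswith(KEY_FILE_SUFFIX):
                found["key_files"].append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                found["encrypted"].append((path, name[:-len(ENCRYPTED_EXT)]))
    return found


def suspicious_processes(process_list):
    """process_list: iterable of (pid, image_name, image_path) tuples, as one
    would collect from a process listing. Returns entries whose image name is
    on the article's list; the path is kept so the binary can be hashed and
    inspected, since a name match alone is only a pointer, not a verdict."""
    return [
        {"pid": pid, "name": name, "path": path}
        for pid, name, path in process_list
        if name.lower() in SUSPECT_PROCESSES
    ]


def build_demo_tree():
    """Create a throwaway directory imitating an affected user profile.
    Constructed sample data; the '8F3A21' ID-like prefix is invented."""
    root = tempfile.mkdtemp(prefix="xdata-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = {
        os.path.join(docs, "budget.xlsx" + ENCRYPTED_EXT): b"\x00" * 16,
        os.path.join(docs, "report.docx" + ENCRYPTED_EXT): b"\x00" * 16,
        os.path.join(root, "8F3A21" + KEY_FILE_SUFFIX): b"\x00" * 16,
        os.path.join(docs, RANSOM_NOTE): b"ransom note text\n",
        os.path.join(docs, "notes.txt"): b"untouched file\n",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


# Constructed process snapshot: two of the article's names next to ordinary
# Windows processes. PIDs and paths are made up for the example.
SAMPLE_PROCESSES = [
    (4, "System", ""),
    (812, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (2316, "msaddc.exe", r"C:\Users\user\AppData\Local\Temp\msaddc.exe"),
    (2340, "mssecsvc.exe", r"C:\Windows\mssecsvc.exe"),
    (3100, "explorer.exe", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    result = sweep_filesystem(build_demo_tree())
    for path, original in result["encrypted"]:
        print(f"encrypted   {path}  (was {original})")
    for path in result["key_files"]:
        print(f"key file    {path}")
    for path in result["notes"]:
        print(f"ransom note {path}")
    for hit in suspicious_processes(SAMPLE_PROCESSES):
        print(f"process     pid={hit['pid']} {hit['name']} {hit['path']}")
```

Point the sweep at a mounted image or a user profile rather than a live system drive where possible, and treat a process-name hit as a reason to collect the binary, not as proof on its own: the names can be changed by the attacker and could in principle collide with legitimate software.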

Xdata ransomware removal

When it comes to ransomware removal, users should opt for automatic elimination. Unless you are an IT security specialist yourself, it is futile to track down every malware file spread throughout the system. Only after you have removed XData should you proceed to the data recovery instructions; some of them may be of use to you. Lastly, be careful when a UAC prompt asks you to allow a newly installed application or browser extension to run: if a program downloaded from an entertainment website asks you to allow msaddc.exe or msdcom.exe, you should be alarmed, because after allowing it you may well need to think about XData removal.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove XData ransomware virus you agree to our privacy policy and agreement of use.

Manual XData virus Removal Guide:

Remove XData using Safe Mode with Networking


This option should help you recover control of the device, in case the malware shuts down anti-virus tools and prevents you from terminating it any other way.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove XData

    Log in to the infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete XData removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove XData using System Restore


  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the XData infiltration. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that XData removal has been performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove XData from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by XData, you can use several methods to restore them:

Data Recovery Pro option

It is promoted as a tool which is able to recover damaged files and even recover lost emails.

The benefits of ShadowExplorer

There is a fair chance of recovering your files with this program. It uses Volume Shadow Copy snapshots to restore earlier versions of the wanted files. Note that many ransomware families delete shadow copies before encrypting, in which case this method will find nothing to restore.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use XData decrypters to recover your files

If you are infected with XData, you should know that its creators have already released the master decryption keys. Thanks to that, experts from Kaspersky and Avast have updated or released their decryptors. To recover your files, you can use either Kaspersky's RakhniDecryptor or the free decryption tool by Avast.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from XData and other ransomware, use a reputable anti-spyware product such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

About the author

Gabriel E. Hall - Passionate web researcher



References
