August 24, 2016

WildFire ransomware extinguished

News

It’s no secret: ransomware is a painful threat. And it’s not going to disappear anytime soon — with a few exceptions, of course.

Good news: This is the story of one such exception. Recently, Kaspersky Lab helped Dutch police to disable another type of ransomware — WildFire, which mainly terrorized citizens of the Netherlands.


WildFire was one of those greedy Trojans that want your money quickly — it demanded additional compensation for payment delays. In this case, the malware demanded $300 within eight days. After that, the amount tripled.

The National High Tech Crime Unit of the Dutch police seized a command-and-control server that contained 5,800 decryption keys. We used the data to make a new decryption tool, which we published on nomoreransom.org, noransom.kaspersky.com, and support.kaspersky.com.

The Dutch police replaced the malicious server with a new one that sends notifications to all victims of WildFire that they can download the decryption tool free.

Flashing back

From the very beginning, WildFire targeted Dutch and Belgian people. In fact, more than 90% of the victims were from the Netherlands and Belgium.

WildFire spread by spam that, in flawless Dutch, notified people that a transport company had failed to deliver a package. The message contained a link to download a form for the recipient to use to reschedule the delivery. The website had a Dutch domain name and overall looked convincing.

Victims visited the site, downloaded the document, opened it, and in doing so activated a malicious macro, which in turn downloaded and executed WildFire. As if to advertise the criminals’ intentions, the macro code included lyrics from the Pink Floyd song “Money” (as well as several variants with names in Polish).
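The delivery chain above hinges on a document that carries a macro. A defender can catch that at the mail gateway or on the download folder before anyone opens the file, because modern Office formats are ZIP containers and a VBA project always ships as a `vbaProject.bin` part. The following is an added example, not code from the original article or from Kaspersky: it builds two constructed sample documents in memory (one with a VBA part, one without), inspects them, and decides whether to quarantine. The file names and the quarantine policy are assumptions for illustration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls (pre-2007 formats).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions that Office reserves for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def constructed_docm() -> bytes:
    """Constructed sample: a minimal OOXML document that embeds a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", "<w:document/>")
        # Real VBA projects are OLE2 streams; a stub with the OLE magic is enough here.
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def constructed_docx() -> bytes:
    """Constructed sample: the same document without any macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def find_macro_parts(data: bytes) -> list[str]:
    """Return the ZIP entry names that hold VBA code; empty if the file has none.

    A legacy OLE2 binary (.doc/.xls) cannot be inspected with the standard
    library alone, so it is reported as a single opaque part for manual review.
    """
    if data.startswith(OLE_MAGIC):
        return ["<legacy OLE2 container: inspect with a dedicated parser>"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        # Not an OOXML container at all (plain text, PDF, etc.); no VBA possible.
        return []


def should_quarantine(filename: str, data: bytes) -> bool:
    """Quarantine if the content carries VBA or the extension promises macros.

    Checking both catches a .docx renamed to hide its macro part as well as a
    macro-enabled extension whose body could not be parsed.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return bool(find_macro_parts(data)) or ext in MACRO_EXTENSIONS


if __name__ == "__main__":
    # Assumed file names; the bodies are the constructed samples above.
    for name, body in (("delivery_form.docx", constructed_docm()),
                       ("invoice.docx", constructed_docx())):
        verdict = "QUARANTINE" if should_quarantine(name, body) else "allow"
        print(f"{name}: {verdict} {find_macro_parts(body)}")
```

Note that the check keys on content, not on the extension alone: the constructed `delivery_form.docx` is flagged even though its name suggests a macro-free document. Policy for the flagged files (strip the macro part, detonate in a sandbox, or hold for the user) is a local decision.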


How to protect yourself

If there were only one type of malware and one means of delivery, cybersecurity would be a piece of cake. Unfortunately, it’s not, and there are millions of other threats. To stay safe, follow our advice:

1. If you are a WildFire victim, download a decryptor from nomoreransom.org. The portal also contains decryption tools for dozens of other types of ransomware.

2. After decrypting your files, scan your PC — maybe WildFire is not the only malware that crept into the system. You can run a scan with the free Kaspersky Virus Removal Tool.

3. WildFire was delivered with the help of fraudulent e-mails. That’s why we highly recommend understanding how phishing works. Vigilance is key: If you didn’t order a package, then who sent you one? An unexpected package isn’t necessarily bad news, but the mystery should alert you to the possibility of fraud. If you can, open suspicious files in a virtual machine.

4. If one piece of malware has found its way into your system, that is an obvious sign other malware can do so as well. That’s why it’s so important to protect your system with a good antivirus solution. Of course, we are partial to our own Kaspersky Internet Security, but regardless of your choice, we strongly urge everyone to use security software on every connected device: Install it, run it, and keep it up to date.