{"id":5540,"date":"2016-08-24T05:01:44","date_gmt":"2016-08-24T09:01:44","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5540"},"modified":"2019-11-15T15:24:08","modified_gmt":"2019-11-15T11:24:08","slug":"wildfire-ransomware-decryptor","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/wildfire-ransomware-decryptor\/5540\/","title":{"rendered":"WildFire ransomware extinguished"},"content":{"rendered":"

It\u2019s no secret: ransomware is a painful threat. And it\u2019s not going to disappear anytime soon \u2014 with a few exceptions, of course.<\/p>\n

Good news:<\/b>\u00a0This is the story of one such exception. Recently, Kaspersky Lab helped Dutch police to disable another type of ransomware \u2014 WildFire, which mainly terrorized citizens of the Netherlands.<\/p>\n

WildFire was one of those greedy Trojans that want your money quickly \u2014 it demanded additional compensation for payment delays. In this case, the malware demanded $300 within eight days. After that, the amount tripled.<\/p>\n

The National High Tech Crime Unit of the Dutch police seized a command-and-control server that contained 5,800 decryption keys. We used the data to make a new decryption tool, which we published on\u00a0nomoreransom.org<\/a>,\u00a0noransom.kaspersky.com<\/a>, and\u00a0support.kaspersky.com<\/a>.<\/p>\n

The Dutch police replaced the malicious server with a new one that sends notifications to all victims of WildFire that they can download the decryption tool free.<\/p>\n

Flashing back<\/h3>\n

From the very beginning, WildFire targeted Dutch and Belgian people. In fact, more than 90% of the victims were from the Netherlands and Belgium.<\/p>\n

WildFire spread by spam that, in flawless Dutch, notified people that a transport company had failed to deliver a package. The message contained a link to download a form for the recipient to use to reschedule the delivery. The website had a Dutch domain name and overall looked convincing.<\/p>\n

Victims visited the site, downloaded the document, opened it, and in doing so activated a malicious macros, which in turn downloaded and executed WildFire. As the manifestation of criminals\u2019 intentions, the code of the macros included lyrics from the Pink Floyd song \u201cMoney\u201d (as well as several variants with names in Polish).<\/p>\n

\"wildfire-screen\"<\/p>\n

How to protect yourself<\/h3>\n

If there were only one type of malware and one means of delivery, cybersecurity would be a piece of cake. Unfortunately, it\u2019s not, and there are millions of other threats. To stay safe, follow our advice:<\/p>\n

1. If you are a WildFire victim, download a decryptor from\u00a0nomoreransom.org<\/a>. The portal also contains decryption tools for dozens of other types of ransomware.<\/p>\n

2. After decrypting your files, scan your PC \u2014 may be WildFire is not the only malware that crept into the system. You can run a scan with the free\u00a0Kaspersky Virus Removal Tool<\/a>.<\/p>\n

\n

10 tips to protect your files from ransomware https:\/\/t.co\/o0IpUU9CHb<\/a> #iteducation<\/a> pic.twitter.com\/I47sPIiWFF<\/a><\/p>\n

\u2014 Kaspersky (@kaspersky) November 30, 2015<\/a><\/p><\/blockquote>\n