Researchers quell Wildfire ransomware with decryption key

Intel and Kaspersky researchers developed a free decryption tool for victims of the Wildfire variant of ransomware.

Threat actors behind the ransomware used spam emails containing macros to infect users before demanding a ransom of 1.5 bitcoin, according to a 23 August Intel Security blog post.

Wildfire is classified as a “local threat” because it targeted users in Belgium and the Netherlands with malicious emails disguised as missed package delivery notifications. The messages instruct the recipient to schedule a new delivery by filling out a “special form,” which actually contains the malware.

Kaspersky researchers observed more than 5,700 infections and said 236 users paid a total of almost $78,869.00 (€70,000) in order to retrieve their files, although researchers noted some users may have negotiated their payments down, according to an Aug. 23 Kaspersky blog post.

“The e-mails are really well crafted with the address of the receiver embedded into it,” Kaspersky Security Researcher Jornt van der Wiel told SCMagazine.com via emailed comments. “Also, due to our cooperation with the police, we know exactly how many infections there are and how many people paid.” 

He said that there are similarities between Zyklon and Wildfire ransomware, including the fact that both variants targeted the Netherlands and that the ransom notes were alike. There was some Russian text in the Zyklon decryption tool that the cybercriminals provided to victims, and researchers suspect there might be a Dutch-speaking person involved in the Wildfire campaign because the spam emails were in perfect Dutch, van der Wiel said.

Although the bloggers didn't attribute the campaign to any specific group, Kaspersky researchers noted the malware didn't affect users in several countries including Russia, Ukraine, Belarus, Latvia, Estonia and Moldova.

This ransomware campaign is unique because of how targeted the attacks were, Intel Security CTO Raj Samani told SCMagazine.com via emailed comments. 

“They are conducting an element of research into their victims which is an evolution from the scattergun approach we have been used to,” Samani said.