Wildfire Ransomware Campaign Disrupted

The No More Ransom initiative released decryption keys for yet another strain of ransomware this week; now victims of the mostly Dutch-leaning ransomware called WildFire can get their files back without paying attackers.

According to an update from the Dutch National Police on Wednesday, when it took down command and control server responsible for WildFire, it was able to confiscate 5,800 decryption keys–including roughly 3,000 keys for Dutch infections and 2,100 for Belgian infections.

Wildfire, like most forms of ransomware, is spread through malicious spam emails but the difference between it and other strains is that the emails are written in “flawless Dutch” according to Jornt van der Wiel, a security researcher with Kaspersky Lab’s Global Research and Analysis Team.

The Wildfire ransomware, like similar strains GNLocker and Zyklon, have mostly been spotted targeting victims in the Netherlands and Belgium. The attackers behind WildFire rely on a phony Dutch domain and actually put the address of the targeted company in the e-mail, something that’s rarely done and increases the likeliness someone opens it, van der Wiel said.

The emails purportedly come from a transport company that’s attempting to deliver a package. Victims are encouraged to schedule a new delivery by filling out a document. The documents, hosted on the suspicious-looking Dutch domain, are naturally laden with macros, which once enabled, download and execute the ransomware.

WildFire goes on to encrypt users’ files with AES in CBC mode, and in most instances, asks users for €299 Euro to decrypt them. If a user waits too long – eight days usually – the price inflates to €999 Euro.

wildfire

By working alongside the Dutch National Police, van der Wiel was able to analyze code belonging to the ransomware’s botnet panel and determine that WildFire doesn’t infect machines based in Russia, Ukraine, Belarus, Latvia, Estonia, or Moldova, likely as an effort to keep attention away from local authorities there.

Even without those countries as targets, the ransomware has been successful; over the course of a month there have been more than 5,700 infections. Of those infections, 236 users paid roughly $78,700 USD, or €70,000 Euro. If the attackers had managed to carry the campaign on, they could have netted $80,000 a month.

Over the last few weeks, the ransomware has targeted individuals in the Netherlands 50 percent of the time and citizens in Belgium 36 percent of the time. Going forward, victims infected by the ransomware will be redirected to NoMoreRansom.org and given instructions on how to decrypt their files.

The No More Ransom initiative was launched last month in hopes of better educating consumers of the perils of ransomware. The project, collaboratively backed by Europol, the Dutch National Police, Intel Security, and Kaspersky Lab, has also become a destination for ransomware decryption keys, including, in addition to WildFire, Chimera, Teslacrypt, Shade, and another variant that targeted the Netherlands, CoinVault.

It was almost a year ago when the Dutch National High Tech Crime Unit enlisted the help of Kaspersky Lab researchers and arrested two individuals from the Netherlands behind the CoinVault campaign. Like Wildfire, the attackers behind CoinVault used flawless Dutch phrases, a telltale sign there was a Dutch connection.

“The seizure of the Wildfire decryption keys proves again that fighting cybercrime, especially ransomware, is more successful through collaboration,” John Fokker, the Digital Team Coordinator of the Dutch National High Tech Crime Unit said Wednesday, “The Dutch police will strive to help ransomware victims by investigating ransomware cases, take down criminal infrastructure and distributing decryption keys.”