Luckily for all users, the security vendors Kaspersky and Intel McAfee have now published two free decryption tools for files locked by the WildFire ransomware.
Both decryptors can be downloaded from the NoMoreRansom webpage. The NoMoreRansom initiative is the result of the collaboration between the Europol European Cybercrime Centre (EC3) and the Dutch police.
When WildFire was first detected in the middle of April, it went by the name GNL. It was later renamed Zyklon, and at the end of May it received its latest name, which it still uses: WildFire.
During June and July, the authors of WildFire started distributing their ransomware through huge waves of spam messages aimed at infecting Dutch users.
The security researcher MalwareHunterTeam told Softpedia that WildFire ransomware campaigns continued in August as well, even if security vendors did not report them as they did the initial wave of spam.
Based on the information shared by MalwareHunterTeam and, later, the OpenDNS analysis, Softpedia researchers have reason to believe that the crooks responsible for WildFire are Russian.
When it was first spotted, the WildFire ransomware was known to use a strong encryption algorithm, which researchers weren’t able to crack. However, when the malware devs decided to register custom Dutch domains and host servers in the Netherlands, experts saw a loophole.
“By working together with the police on this case, we had something much better in our hands: the botnet panel code!” said Kaspersky researcher Jornt van der Wiel.
Using this information, the researchers were able to create two free WildFire decryptors. However, the Intel McAfee decryptor is a command-line utility and might be too advanced for a non-technical user.
Moreover, as the researchers had access to the C&C server statistics, they reported that in the course of just one month, WildFire managed to attack 5,309 PCs, and 236 users ended up paying the ransom. This made the ransomware authors a profit of $79,000, or 136 Bitcoins.