FireCrypt originates from a ransomware building kit. This is one of two ways ransomware is produced. The first is writing the source code from scratch. This method does not rely on templates: the developer writes and compiles the code for every component himself.
Viruses like FireCrypt are created with automated software instead. The operator feeds the tool input parameters obtained from an available source and outputs a customized malware payload for each campaign. This technique is easier and is often used by people with little to no experience in malware development.
In the case of FireCrypt ransomware, the developer shows some knowledge of how viruses are created. His program is complex and has potential. Time will tell how long it will take security experts to break its code.
Until a custom decrypter for FireCrypt ransomware is developed, victims need to keep the encrypted files intact. They would then be run through the decrypter and restored, just as they would be if the ransom were paid. It is not advised to pay the $500 ransom. In many instances, cyber criminals collect the sum and do not perform the decryption afterwards.
The concept of malware builders
The latter scheme, used to create FireCrypt, is called a malware builder. Command-line applications and GUI-based tools are the most common foundations for this technique.
The developer of FireCrypt ransomware has chosen to work with a command-line application. This method simplifies the task of assembling the program's samples, since the process is automated. Another upside is that the developer can modify basic settings without having to edit the source code in a complicated IDE.
The builder for FireCrypt is called BleedGreen. This program gives the ransomware author a small package of customization options. He can generate a unique executable, name it himself and use a personalized file icon. Other malware builders provide a wider array of options. For instance, some applications include the option to set the Bitcoin address for receiving payments, the amount of the ransom and the contact email account.
The malware builder has two main functions. The first task the program carries out is to disguise the executable of the ransomware. It appends a fake extension, making it appear to be a .pdf or .doc file. The second function of the rogue program is to generate a unique file with a different hash for every compilation. The purpose of this process is to make the malware polymorphic, so that it can bypass anti-virus programs. Security experts have concluded that FireCrypt's attempt at polymorphism is weak, since the builder is too basic.
The encryption procedure of FireCrypt ransomware
As with all viruses, the first and most important task on the agenda of the attacker is to have people launch the executable of FireCrypt ransomware. When the .exe file is opened, the installation of the program proceeds automatically.
FireCrypt disables the Task Manager by terminating its process, taskmgr.exe. The ransomware uses the AES-256 encryption algorithm to render files inaccessible. It targets 20 formats: .txt, .pdf, .sql, .html, .htm, .doc, .docx, .asp, .aspx, .csv, .jpg, .png, .psd, .mp3, .sln, .mdb, .csx, .php, .aep, .torrent.
This is a short list, compared to the range of formats other ransomware infections target. FireCrypt appends the .firecrypt suffix to the names of the encrypted items. It is added after the original file extension, which is not removed from the file name.
FireCrypt is actually a later version of another ransomware virus
Upon completing the encryption process, FireCrypt drops a ransom note on the desktop. The file has revealed more about the program than a ransom note usually does. It is a copy of the ransom note of Deadly for a Good Purpose ransomware. It is almost identical to it, save for the absence of a logo. It makes sense that the developer would delete it, as it features the name of Deadly for a Good Purpose ransomware.
When it was discovered on October 14, 2016, Deadly for a Good Purpose ransomware seemed to be incomplete. The source code was set to start the encryption process only if the targeted computer's date was January 1, 2017 or later.
A thorough analysis of the source code of FireCrypt ransomware and Deadly for a Good Purpose ransomware revealed that they use the same email address and Bitcoin account. This confirmed the assumption that the two programs are related.
The DDoS attacks FireCrypt ransomware conducts fill the hard drive with junk files
The distributed denial-of-service (DDoS) attack is the final task on the agenda of FireCrypt. The ransomware establishes a connection with a fixed URL and downloads its content to the hard disk drive of the infected computer. This process is continuous: the computer is flooded with junk data on a constant basis. FireCrypt stores the data in a single file, located in the %Temp% folder. Its name is generated using the following formula: [random characters]-[connect number].html.
FireCrypt is set to download the content of the website http://www.pta.gov.pk/index.php. This is the official portal of the Telecommunication Authority of Pakistan. The builder cannot modify the URL.
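The two file-system traces described above, the double extension `original.ext.firecrypt` and the `[random characters]-[connect number].html` junk file in %Temp%, can be triaged from a plain file listing. The script below is an added example, not code from the article or from the FireCrypt sample; it assumes the "random characters" are alphanumeric and the connect number is decimal, and its sample paths are constructed.

```python
import os
import re
from collections import Counter

# The 20 extensions the article lists as FireCrypt's targets.
FIRECRYPT_TARGETS = {
    ".txt", ".pdf", ".sql", ".html", ".htm", ".doc", ".docx", ".asp", ".aspx",
    ".csv", ".jpg", ".png", ".psd", ".mp3", ".sln", ".mdb", ".csx", ".php",
    ".aep", ".torrent",
}
SUFFIX = ".firecrypt"  # appended after the original extension, which is kept

# Junk download file name: "[random characters]-[connect number].html".
# Assumption: random part is alphanumeric, connect number is a decimal integer.
JUNK_RE = re.compile(r"^[a-z0-9]+-\d+\.html$", re.IGNORECASE)


def classify(path: str) -> str:
    """Label one path: encrypted, encrypted_unlisted, junk_download or clean."""
    path = path.replace("\\", "/")
    parent, _, name = path.rpartition("/")
    if name.lower().endswith(SUFFIX):
        original = name[: -len(SUFFIX)]          # strip ".firecrypt" only
        _, ext = os.path.splitext(original)     # the still-present original extension
        # An original extension outside the published list is worth a second look.
        return "encrypted" if ext.lower() in FIRECRYPT_TARGETS else "encrypted_unlisted"
    if parent.lower().endswith("/temp") and JUNK_RE.match(name):
        return "junk_download"
    return "clean"


def triage(paths):
    """Count labels over a listing, e.g. to size the set of files to preserve for a future decrypter."""
    return Counter(classify(p) for p in paths)


# Constructed sample listing, not taken from a real infection.
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.firecrypt",
    r"C:\Users\alice\Pictures\holiday.jpg.firecrypt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\AppData\Local\Temp\x7f2kq9-1024.html",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
    r"C:\Users\alice\Desktop\archive.zip.firecrypt",  # .zip is not on the target list
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):19s} {p}")
    print(dict(triage(SAMPLE)))
```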
The author of FireCrypt ransomware has dubbed this process a DDoSer. This is an overstatement. In order to conduct an effective DDoS attack on the government's website, the hacker would need to infect thousands of computers. In addition, all of these devices would have to be infected at the same time.