According to Kaspersky Lab and Intel Security researchers, the criminal gang behind the recently spotted WildFire ransomware gained $80,000 worth of Bitcoins in just one month.
The ransomware's main targets were Dutch and Belgian users. Within the 31 days prior to August 23rd, the total number of WildFire infections was 5,768. Since 236 of those victims ended up paying the ransom, the ransomware authors got 136 Bitcoins ($80,000) richer.
The profit would have been bigger, but as it turns out, the WildFire operators were satisfied with being paid less than what they originally demanded. The ransom note stated that, in order to obtain the decryption tool for their locked data, the victims should pay a ransom of 1.5 Bitcoins. However, the majority of attacked users paid only between 0.5 and 0.6 Bitcoins, which was clearly good enough for the crooks.
The malicious threat was spread via waves of spam emails. The messages claimed to be from a transport firm that couldn't deliver a package. The users were asked to download the attached form and complete it to schedule a new delivery.
A couple of days before the distribution campaign started, the ransomware's authors registered the Dutch domain name they used for spreading the threat. Kaspersky Lab researchers say that the spam emails are also written in perfect Dutch. Moreover, the WildFire crooks even put the address of the targeted firm in the emails to more easily mislead the victims into believing that the messages are real.
The phony form which the users are supposed to download and fill in for a new delivery actually contains malicious macro scripts. In order to see the content, the victim has to enable the macros. Once this is done, WildFire is downloaded and executed on the victim's PC. The ransomware consists of three files: Ymkwhrrxoeo.png, Iesvxamvenagxehdoj.xml and Usiyykssl.exe.
Researchers noticed that the WildFire ransomware has a lot in common with the Zyklon ransomware. Both focus on hitting users in the Netherlands, both use three files for the execution process, and in both cases the demanded ransom sum is tripled after a specific period of time.
Considering that the ransomware avoids targeting users from Russia, Belarus, Latvia, Ukraine, Moldova and Estonia, researchers have a reason to assume that WildFire is an affiliate-based Ransomware-as-a-Service (RaaS) run by Russians.
Once the ransomware is executed on the victim's computer, it calls back to the C&C server, where information such as username, IP, rid and country is kept. If the "rid" is not found or the victim lives in one of the above-mentioned countries, WildFire terminates itself. If not, it starts the encryption process using AES in CBC mode.
Researchers are convinced that this threat will continue to evolve and improve. Luckily, a free decryptor for files encrypted by WildFire is available, and users can regain access to their data without paying the ransom. For now, the decryptor includes 1,600 keys for WildFire, and more are about to be added soon.