FireCrypt is a ransomware that encrypts the user's files, but also attempts to launch a very feeble DDoS attack against a URL hardcoded in its source code.

Payload

FireCrypt's builder is named BleedGreen, and it allows the FireCrypt author to generate a unique ransomware executable, give it a custom name, and use a personalized file icon. Compared to other ransomware builders, this is a very low-end application. Similar builders usually let crooks customize a wider set of options, such as the Bitcoin address at which to receive payments, the ransom demand value, the contact email address, and more.

Besides disguising the EXE file under a PDF or DOC icon, the builder also slightly alters the ransomware's binary so that every new compilation produces a file with a different hash.

This technique is often used by malware developers to create so-called "polymorphic malware" that is harder for standard antivirus software to detect.

The FireCrypt infection process hinges on the distributor's ability to trick users into launching the EXE file they just generated.

Once this happens, FireCrypt will kill the computer's Task Manager (taskmgr.exe) and begin to encrypt a list of 20 file types. FireCrypt encrypts files with the AES-256 encryption algorithm.

All encrypted files will have their original file name and extension appended with ".firecrypt". For example, a file named photo.png will be renamed into photo.png.firecrypt.

Once the file encryption process ends, FireCrypt drops its ransom note on the user's Desktop.

After dropping the ransom note, FireCrypt does not stop its malicious behavior. Its source code contains a function that repeatedly connects to a URL, downloads its content, and saves it to disk in the %Temp% folder under the name [random_chars]-[connect_number].html. Users unaware of this function will quickly find their %Temp% folder filling up with junk files.

The FireCrypt author calls this feature a "DDoSer," but that is a stretch: the crook would have to infect thousands of victims before the combined traffic could cause the Authority's website any problems.

The 20 file types FireCrypt targets, by extension:

.txt, .jpg, .png, .doc, .docx, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, 
.htm, .csx, .psd, .aep, .mp3, .pdf, .torrent

Files associated with FireCrypt ransomware:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\[random_chars].exe - Startup Executable
%Desktop%\[random_chars]-READ_ME.html - Ransom Note
%AppData%\SysWin32\files.txt - List of Encrypted Files
%Desktop%\[random_chars]-filesencrypted.html - List of Encrypted Files
%Temp%\[random_chars]-[connect_number].html - Files downloaded during the DDoS attack
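As a defender-side illustration of the artifacts listed above (the .firecrypt extension, the ransom note, the encrypted-file lists, the Startup executable and the %Temp% download loop), the following Python script classifies Windows file paths against those names. It is an example added here, not code from the wiki page or from FireCrypt itself. How [random_chars] and [connect_number] actually render on disk is not documented, so the regular expressions, the junk-file threshold and the sample paths are all assumptions constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".firecrypt"

# Artifact name patterns from the page. ASSUMPTION: [random_chars] renders as a
# run of letters/digits and [connect_number] as a decimal counter.
NAME_PATTERNS = {
    "ransom_note": re.compile(r"^[A-Za-z0-9]+-READ_ME\.html$", re.I),
    "encrypted_list": re.compile(r"^[A-Za-z0-9]+-filesencrypted\.html$", re.I),
    "temp_download": re.compile(r"^[A-Za-z0-9]+-\d+\.html$", re.I),
}
# Trailing directory components of the per-user Startup folder.
STARTUP_DIR = ("microsoft", "windows", "start menu", "programs", "startup")


def classify_path(path):
    """Return the name of the FireCrypt indicator a path matches, or None."""
    p = PureWindowsPath(path)
    name = p.name
    parts = tuple(part.lower() for part in p.parts)
    parents = parts[:-1]

    if name.lower().endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    if name.lower() == "files.txt" and len(parents) >= 1 and parents[-1] == "syswin32":
        return "files_txt"
    if name.lower().endswith(".exe") and parents[-5:] == STARTUP_DIR:
        return "startup_exe"
    # Ransom note and encrypted-file list are checked before the generic
    # temp-download pattern so the more specific names win.
    for label in ("ransom_note", "encrypted_list"):
        if NAME_PATTERNS[label].match(name):
            return label
    if NAME_PATTERNS["temp_download"].match(name) and "temp" in parents:
        return "temp_download"
    return None


def original_name(path):
    """Recover the pre-encryption file name (photo.png.firecrypt -> photo.png)."""
    name = PureWindowsPath(path).name
    if name.lower().endswith(ENCRYPTED_EXT):
        return name[: -len(ENCRYPTED_EXT)]
    return None


def triage(paths, junk_threshold=10):
    """Count indicators over a list of paths and derive two simple verdicts."""
    counts = Counter(filter(None, map(classify_path, paths)))
    strong = ("encrypted_file", "ransom_note", "encrypted_list", "files_txt")
    return {
        "counts": dict(counts),
        # Any file-level artifact of the encryption stage is a strong signal.
        "firecrypt_likely": any(label in counts for label in strong),
        # One stray .html in %Temp% proves nothing; a pile of them fits the
        # downloader loop. The threshold is an assumption for this example.
        "temp_flood": counts["temp_download"] >= junk_threshold,
    }


# Constructed sample paths (not real IoCs) that mimic the listed artifacts.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\photo.png.firecrypt",
    r"C:\Users\alice\Documents\report.docx.firecrypt",
    r"C:\Users\alice\Desktop\k3jd8s-READ_ME.html",
    r"C:\Users\alice\Desktop\k3jd8s-filesencrypted.html",
    r"C:\Users\alice\AppData\Roaming\SysWin32\files.txt",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k3jd8s.exe",
    r"C:\Users\alice\Documents\notes.txt",
] + [rf"C:\Users\alice\AppData\Local\Temp\k3jd8s-{n}.html" for n in range(1, 13)]

if __name__ == "__main__":
    for path in SAMPLE_PATHS[:7]:
        print(f"{classify_path(path)!s:16} {path}")
    print(triage(SAMPLE_PATHS))
```

The path checks are deliberately loose on the drive and user portion so the same rules work on an image mounted under a different root; the Startup and SysWin32 checks only look at the trailing directory components. A real host would feed it the output of a recursive directory listing instead of SAMPLE_PATHS.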