

WildFire Locker is a ransomware virus that employs the asymmetric AES-256 encryption algorithm to encrypt various files stored on victims' computers.

Behavior 

WildFire Locker behaves like other ransomware-type viruses and is almost identical to Zyklon ransomware. It has no unusual features that set it apart from other viruses.

Payloads

During encryption, WildFire Locker changes the name of each encrypted file to the following format:

Filename #WildFire_Locker#[original file name]##.[original extension].wflx

Following successful encryption, WildFire Locker creates three files (.txt, .html, and .bmp) to inform users of the encryption.

Ransom demand message:

All your files have been encrypted by WildFire Locker
All your files have been encrypted with an unique 32 characters long password using 
AES-256 CBC encryption.
The only way to get your files back is by purchasing the decryption password!
The decryption password will cost $/€299.
You have untill woensdag 6 juli 2016 UTC before the price increases to $/€999!
Antivirus software will NOT be able to recover your files! The only way to recover 
your files is by purchasing the decryption password.
Personal ID: -
Visit one of the websites below to purchase your decryption password!
If these websites don't work follow the steps below
1. Download the TOR Browser Bundle hxxps://www.torproject.org/projects/torbrowser.html.en#downloads
2. Install and then open the Tor Browser Bundle.
3. Inside the Tor Browser Bundle navigate to gsxrmcgsygcxfkbb.onion/

Text presented within this site:

WildFire Locker payment page
You are able to unlock your files by paying 0.5 Bitcoins (~€297.5 / $330)
If payment is not made before 08 July 2016 09:48:04 UTC the cost of decrypting your 
files will rise to 1.5 Bitcoins (~€892.5 / $990)!
On this page you will be able to purchase the unique decryption password and 
decryption software to unlock your files.
After you have paid the requested amount in bitcoins click the confirm payment button 
at the bottom of the page and your unique decryption password will appear alongside 
a download link for the decryption software.
If you have any questions do not hesistate to contact us by clicking here.
You are able to decrypt/unlock 2 files for free by clicking here.

The .bmp file states that files have been encrypted and that users must pay a ransom. It encourages users to read the text file placed in the My Documents folder for detailed information. The text file, named HOW_TO_UNLOCK_FILES_README_(victim's unique ID).txt, states that the victim must pay $/€299 in Bitcoins within one week. If payment is not made within seven days, the ransom increases to $/€999. The WildFire Locker website displays step-by-step payment instructions and the time remaining until the ransom increases.
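The renaming format and the ransom note file name described above are enough to triage a file listing from an affected machine. The following Python sketch is an added example, not part of the original article and not code from any vendor tool. It assumes that the leading "Filename" in the format is a label rather than part of the name, and that the victim ID may appear with or without parentheses; the function names and sample paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath  # accepts both "\" and "/" separators

# Encrypted-file format from the article:
#   #WildFire_Locker#[original file name]##.[original extension].wflx
# search() tolerates any text in front of the marker (assumption, see lead-in).
ENCRYPTED_RE = re.compile(
    r"#WildFire_Locker#(?P<stem>.+)##\.(?P<ext>[^.]+)\.wflx$", re.IGNORECASE)
# Ransom note name from the article:
#   HOW_TO_UNLOCK_FILES_README_(victim's unique ID).txt
NOTE_RE = re.compile(
    r"^HOW_TO_UNLOCK_FILES_README_\(?(?P<id>[^()]+)\)?\.txt$", re.IGNORECASE)


def classify(path):
    """Return ('encrypted', original_name), ('note', victim_id) or None."""
    name = PureWindowsPath(path).name
    m = ENCRYPTED_RE.search(name)
    if m:
        return ("encrypted", f"{m['stem']}.{m['ext']}")
    m = NOTE_RE.match(name)
    if m:
        return ("note", m["id"])
    return None


def triage(paths):
    """Summarise a listing: renamed files, affected folders, victim IDs."""
    report = {"encrypted": {}, "dirs": set(), "victim_ids": set()}
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        kind, value = hit
        if kind == "encrypted":
            report["encrypted"][p] = value  # map renamed path -> original name
            report["dirs"].add(str(PureWindowsPath(p).parent))
        else:
            report["victim_ids"].add(value)
    return report


# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    "docs/#WildFire_Locker#budget.2016##.xlsx.wflx",
    "docs/notes.txt",
    "pics/#WildFire_Locker#cat##.jpg.wflx",
    "docs/HOW_TO_UNLOCK_FILES_README_(EXAMPLE-ID-0001).txt",
]

if __name__ == "__main__":
    for renamed, original in triage(SAMPLE)["encrypted"].items():
        print(f"{renamed} -> {original}")
```

The mapping from renamed path to original name helps scope the damage and check which files exist in backups before attempting decryption.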

Removal

Victims of this ransomware can use a free tool created by Kaspersky to decrypt their files free of charge.

Media

WildFire Locker Ransomware!Demonstration of attack video review
