WildFire

WildFire, previously known as Zyklon and GNL, targets Windows OS and is distributed via spam emails containing malicious Word documents sent by the Kelihos botnet. Once a system is infected by WildFire, it attempts to communicate with one of four C2 servers before proceeding with the encryption process. WildFire's developers claim to use AES-256 encryption and a 32-character password to prevent victims from accessing their files. Extensions appended to encrypted files by WildFire and its previous strains include .locked and .zyklon. The ransom payment demand for WildFire is $299 USD, but the note threatens to increase the price to $999 USD after the specific date listed in the ransom note.

UPDATE 10/5/2016: WildFire has been rebranded as Hades Locker. This new version deletes Shadow Volume Copies to prevent file restoration and appends .~HL to the names of encrypted files. There is no free decryption tool available for Hades Locker at this time.

UPDATE 2/9/2017: A new version, dubbed Serpent, was discovered by Proofpoint and is being distributed via spam emails containing malicious attachments. It is currently only targeting Danish victims but has the ability to expand its reach as it can detect the location of infected systems. It encrypts files using AES-256 and appends .serpent to encrypted file names. It also deletes Shadow Volume Copies and uses the cipher.exe command to overwrite deleted data to prevent file restoration by the victim. It maintains persistence by creating a VBS file in the Startup folder. The ransom note is dropped as both a text file and an HTML file with the following naming convention: HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars]. The ransom payment demand is .75 Bitcoin but Serpent threatens to increase the amount to 2.25 Bitcoin after 7 days of non-payment. There is currently no free decryption tool available for Serpent.

UPDATE 4/9/2017: A new variant of the Serpent version of WildFire/Hades Locker was seen appending .serp to encrypted file names and dropping a ransom note named README_TO_RESTORE_FILES<rand>.txt.
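The file-name indicators listed across the updates above (encrypted-file extensions, ransom note naming conventions, the VBS persistence file in the Startup folder) can be turned into a simple triage check over a file listing. The following is an added example written for this profile, not code from any vendor or from the malware; the regular expressions, the three-alphanumeric-character reading of "[random_3_chars]", and the sample paths are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Extensions appended to encrypted files, per the profile (assumed case-insensitive).
ENCRYPTED_EXT = {
    ".locked": "WildFire/Zyklon",
    ".zyklon": "WildFire/Zyklon",
    ".~hl": "Hades Locker",
    ".serpent": "Serpent",
    ".serp": "Serpent (.serp variant)",
}
# Ransom note names: HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars] (.txt and HTML)
# and README_TO_RESTORE_FILES<rand>.txt. Character classes are assumptions.
RANSOM_NOTE_PATTERNS = [
    (re.compile(r"^HOW_TO_DECRYPT_YOUR_FILES_[A-Za-z0-9]{3}\.(txt|html?)$", re.I), "Serpent"),
    (re.compile(r"^README_TO_RESTORE_FILES[A-Za-z0-9]+\.txt$", re.I), "Serpent (.serp variant)"),
]
# Serpent persists via a VBS file in the user's Startup folder.
STARTUP_VBS = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.vbs$", re.I)


def classify_path(path: str):
    """Return (family, reason) when a path matches a profile indicator, else None."""
    name = PureWindowsPath(path).name
    lower = name.lower()
    for ext, family in ENCRYPTED_EXT.items():
        if lower.endswith(ext):
            return family, f"encrypted-file extension {ext}"
    for pattern, family in RANSOM_NOTE_PATTERNS:
        if pattern.match(name):
            return family, "ransom note filename"
    if STARTUP_VBS.search(path):
        return "Serpent", "VBS persistence in Startup folder"
    return None


def scan(paths):
    """Group matching paths by family; several encrypted-extension hits in one user profile is the signal."""
    hits = {}
    for p in paths:
        result = classify_path(p)
        if result:
            hits.setdefault(result[0], []).append((p, result[1]))
    return hits


# Constructed sample listing (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.~HL",
    r"C:\Users\alice\Documents\report.docx.serpent",
    r"C:\Users\alice\Desktop\HOW_TO_DECRYPT_YOUR_FILES_x7Q.html",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs",
    r"C:\Users\alice\Pictures\cat.jpg",
]

if __name__ == "__main__":
    for family, entries in scan(SAMPLE_PATHS).items():
        print(family, entries)
```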

  • Cisco provides more information about WildFire here.
  • McAfee provides a free decryption tool for WildFire, available here.
  • Kaspersky provides a free decryption tool for WildFire, available here.