Wildfire, a recently observed piece of ransomware targeting mainly users in Belgium and the Netherlands, has generated roughly $80,000 in payments for its operators in just a month, Intel Security and Kaspersky Lab researchers reveal.
The malware infected over 5,300 systems in the 31 days before August 23, 2016, for a total of 5,768 infection events, Intel Security researchers say. They also note that 236 victims paid the ransom, earning the ransomware's operators 136 Bitcoin (roughly $80,000) in a single month.
The take could have been larger: Wildfire's operators appear to have settled for about a third of the demanded ransom. The ransom note demanded 1.5 Bitcoin to regain access to the encrypted files, yet most victims seem to have paid only 0.5 to 0.6 Bitcoin.
Wildfire is distributed via spam emails claiming that a transport company failed to deliver a package; the recipient is told to download a form and fill it in to schedule a new delivery.
A few days before the spam campaign started, the perpetrators registered the Dutch domain name used for malware distribution, and the spam message is written in flawless Dutch, according to Kaspersky Lab researchers. The cybercriminals also include the address of the targeted company in the email, a tactic meant to convince the recipient that the message is genuine.
The purported form is a Word document containing malicious macros, and the victim is prompted to enable macros to view its content. As soon as macros are enabled, the Wildfire ransomware (three files: Usiyykssl.exe, Ymkwhrrxoeo.png, and Iesvxamvenagxehdoj.xml) is downloaded and executed on the victim's computer.
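A defensive triage check for the delivery stage described above, added here as an example; it is not code from the article, Intel Security or Kaspersky Lab. It relies on the documented OOXML layout (a Word document is a ZIP container whose VBA project, if any, is stored as `word/vbaProject.bin`); the legacy OLE2 (.doc) branch is only a crude magic-bytes-plus-string heuristic and is an assumption, not a parser. The sample documents are constructed in memory so the script runs offline:

```python
"""Flag Office attachments that carry a VBA project, the precondition for the
'enable macros' lure.  Added example for this article, not Wildfire's own code.
"""
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"                       # ZIP local file header
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (legacy .doc)


def macro_parts(data: bytes) -> list:
    """Return the names of VBA project parts inside an OOXML (ZIP) document.

    Word stores macros as word/vbaProject.bin, Excel as xl/vbaProject.bin and
    PowerPoint as ppt/vbaProject.bin, so the suffix match covers all three.
    A document without any such part cannot run VBA, whatever its extension.
    """
    if not data.startswith(OOXML_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def classify(data: bytes) -> str:
    """Classify raw attachment bytes.

    Returns one of: 'ooxml-macro', 'ooxml-clean', 'ole2-suspect', 'ole2',
    'unknown'.  The OLE2 branch is a heuristic (assumption): directory entry
    names in a compound file are UTF-16LE, and a macro-bearing .doc contains a
    'VBA' storage, so that byte sequence is a cheap, imperfect indicator.
    """
    if data.startswith(OOXML_MAGIC):
        return "ooxml-macro" if macro_parts(data) else "ooxml-clean"
    if data.startswith(OLE2_MAGIC):
        return "ole2-suspect" if "VBA".encode("utf-16-le") in data else "ole2"
    return "unknown"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML 'document' in memory (sample input, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00fake vba project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure.docm", build_sample(True)),
                        ("invoice.docx", build_sample(False)),
                        ("note.txt", b"plain text")):
        print(f"{label}: {classify(blob)} {macro_parts(blob)}")
```

The check keys on the ZIP contents rather than the file extension, because a renamed `.docm` still carries its VBA part; a quarantine rule that only looks at `.docm`/`.xlsm` misses that. For legacy `.doc` files a real OLE2 parser (e.g. oletools' olevba) should replace the string heuristic.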
Wildfire, researchers say, closely resembles the Zyklon ransomware: both consist of three files, both mainly target users in the Netherlands, and both triple the ransom after a set period of time. Researchers believe Wildfire is most likely an affiliate-based ransomware-as-a-service (RaaS) operated by Russian criminals, since the malware avoids infecting users in Russia, Ukraine, Belarus, Latvia, Estonia and Moldova.
After infection, the ransomware calls back to its command and control (C&C) server, which records the victim's IP address, username, "rid" and country. The malware terminates itself if the "rid" is not found or the victim is located in one of the blacklisted countries; otherwise it begins encrypting the user's files with AES in CBC mode.
Although Wildfire is a geographically limited threat, its operators show considerable dedication, and researchers describe the malware as effective and evolving. A decryption tool is now available, so victims can restore their files without paying the cybercriminals. The tool currently includes 1,600 keys for Wildfire, and researchers say more will be added soon.
Related: Cerber Ransomware-as-a-Service Generates $2.3 Million Annually: Report
Related: Shade Ransomware Updated With Backdoor Capabilities
Related: DetoxCrypto Ransomware Sends Screenshots to Operators