Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


WildFire Locker Ransomware – Remove It And Restore .wflx Files

note-sensorstechforum-wildfire-ransomwareA virus known as WildFire Locker has been reported to begin impacting users on a serious scale, encrypting files and adding a .wflx extension after their original ones. By doing so, the WildFire Locker virus denies access to users and leaves instructions in which it demands the sum of 299 euros or US dollars. Users who have been infected by this nasty virus should immediately remove it instead of following the instructions In its ransom note. We strong recommend reading this article if you want to learn how to easily remove WildFire Locker yourself and try to restore your files.

UPDATE! A decryptor has been released for the victims of WildFire Locker ransowmare. We have created instructions on how to decrypt your files for free. You can find them on the following link.

Threat Summary

Name

WildFire Locker

Type Ransomware
Short Description Encrypts files asking for 299 USD or EUR in ransom payoff to decode them.
Symptoms The user may witness a ransom note as a wallpaper, html file and a .txt document. Files are appended .wflx file extension.
Distribution Method Via an Exploit kit, JavaScript or a Trojan.
Detection Tool See If Your System Has Been Affected by WildFire Locker

Download

Malware Removal Tool

User Experience Join our forum to Discuss WildFire Ransomware.

WildFire Locker – Infection Mechanism

To infect users successfully, WildFire Locker uses advanced techniques to spread its malicious files across computers. Those techniques may include the usage of either malicious URLs or malicious files uploaded as attachments. Some of the most preferred techniques used by cyber-criminals to infect users are:

  • Malicious JavaScript.
  • Browser redirects.
  • Exploit Kit Attacks.

The cyber-criminals also take advantage of massive spam campaigns which may include the usage of spamming software on different places:

  • E-mails.
  • Social media.
  • Forums and other websites which include user comments.

WildFire Ransomware In Depth

After a successful infection is confirmed, WildFire ransomware may connect to the C&C (Command and Control) server of the cyber-criminals and send the following information to the crooks:

  • Private identification number.
  • IP Address and other system information.
  • Operating system and security software information.

After doing so, this virus may drop several files onto the infected computer, main of which may be its ransom note files and the malicious executable associated with it:

  • HOW_TO_UNLOCK_FILES_README_({UNIQUE PRIVATE ID}).html
  • HOW_TO_UNLOCK_FILES_README_({UNIQUE PRIVATE ID}).txt
  • C:/Users/{User’s Profile}/Local/…/{malicious executable}.exe

WildFire ransomware also has a wide variety of extensions which it is pre-programmed to scan for and encrypt. They are associated primarily with the following types of files:

  • E-mail messages.
  • Videos.
  • Pictures.
  • Audio files.
  • Microsoft Office Documents.
  • Adobe Reader Documents.
  • VM Virutal Box Documents.

In addition to that, WildFire Ransomware also may modify the following registry entry to change the default wallpaper of the user PC:

HKEY_CURRENT_USER\Control Panel\Desktop with value “Wallpaper = {location of the ransom note background image}”

The message on both the .txt file and the wallpaper image is the following:

→ “All your files have been encrypted by WildFire Locker
All your files have been encrypted with an unique 32 characters long password using AES-256 CBC encryption.
The only way to get your files back is by purchasing the decryption password!
The decryption password will cost $/€299.
You have untill woensdag 6 juli 2016 UTC before the price increases to $/€999!
Antivirus software will NOT be able to recover your files! The only way to recover your files is by purchasing the decryption password.
Personal ID: {random A-Z 1-9}
Visit one of the websites below to purchase your decryption password!
http://exithub1.su/{random A-Z 1-9}
http://exithub2.su/{random A-Z 1-9}
If these websites don’t work follow the steps below
1. Download the TOR Browser Bundle https://www.torproject.org/projects/torbrowser.html.en#downloads
2. Install and then open the Tor Browser Bundle.
3. Inside the Tor Browser Bundle navigate to gsxrmcgsygcxfkbb.onion/{random A-Z 1-9}

Regarding encryption, WildFire uses a very strong encryption, called AES (Advanced Encryption Standard) which is 256 bits in strength. In addition to this cipher, the WildFire ransomware also uses a CBC (cipher block chaining) to additionally sophisticate the situation for the user and make direct decryption risky.

The encoded files by WildFire ransomware have the following file extension:

→ A Document.pdf.wflx

In addition to that, WildFire also leaves an HTML file which points to payment instruction pages reported to look like the following:
note-pay-sensorstechforum.com

The WildFire Locker payment platform also has something very interesting – direct chat communication with the cyber-criminals:

helpdesk-wildfire-ransomware-sensorstechforum

Remove WildFire Ransomware and Try to Get Back Encrypted Files

WildFire ransomware virus is malware which may prove to be tricky for removal because it may have multiple copies, fail-safe mechanisms and other settings that may prevent it from being removed or cause damage to Windows on deletion.

This is why security experts recommend deleting all files and registries associated with this virus thoroughly. In case you are having difficulty doing this manually, experts strongly advise users to remove this virus automatically using an advanced anti-malware program. This will assist In deleting all associated objects as well as protect you in the future.

Manually delete WildFire Locker from your computer

Note! Substantial notification about the WildFire Locker threat: Manual removal of WildFire Locker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove WildFire Locker files and objects
2. Find malicious files created by WildFire Locker on your PC
3. Fix registry entries created by WildFire Locker on your PC

Automatically remove WildFire Locker by downloading an advanced anti-malware program

1. Remove WildFire Locker with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by WildFire Locker in the future
3. Restore files encrypted by WildFire Locker
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.