The [No More Ransom initiative](<https://threatpost.com/public-private-sector-team-to-fight-ransomware/119484/>) released decryption keys for yet another strain of ransomware this week; now victims of the mostly Dutch-leaning ransomware called WildFire can get their files back without paying attackers.
According to an update from the Dutch National Police on Wednesday, when it took down the command and control server responsible for WildFire, it was able to confiscate 5,800 decryption keys, including roughly 3,000 keys for Dutch infections and 2,100 for Belgian infections.
Wildfire, like most forms of ransomware, is spread through malicious spam emails, but the difference between it and other strains is that the emails are written in “flawless Dutch,” [according to Jornt van der Wiel](<https://securelist.com/blog/research/75842/wildfire-the-ransomware-threat-that-takes-holland-hostage/>), a security researcher with Kaspersky Lab’s Global Research and Analysis Team.
The Wildfire ransomware, like the similar strains GNLocker and Zyklon, has mostly been spotted targeting victims in the Netherlands and Belgium. The attackers behind WildFire rely on a phony Dutch domain and actually put the address of the targeted company in the e-mail, something that’s rarely done and that increases the likelihood someone opens it, van der Wiel said.
The emails purportedly come from a transport company that’s attempting to deliver a package. Victims are encouraged to schedule a new delivery by filling out a document. The documents, hosted on the suspicious-looking Dutch domain, are naturally laden with macros, which once enabled, download and execute the ransomware.
WildFire goes on to encrypt users’ files with AES in CBC mode and, in most instances, asks users for €299 to decrypt them. If a user waits too long, usually eight days, the price inflates to €999.
[Image: wildfire.png](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/08/06233955/wildfire.png>)
By working alongside the Dutch National Police, van der Wiel was able to analyze code belonging to the ransomware’s botnet panel and determine that WildFire doesn’t infect machines based in Russia, Ukraine, Belarus, Latvia, Estonia, or Moldova, likely in an effort to avoid attention from local authorities there.
Even without those countries as targets, the ransomware has been successful; over the course of a month there have been more than 5,700 infections. Of those infections, 236 users paid roughly $78,700 USD (€70,000). Had the attackers been able to keep the campaign running, they could have netted $80,000 a month.
Over the last few weeks, the ransomware has targeted individuals in the Netherlands 50 percent of the time and citizens in Belgium 36 percent of the time. Going forward, victims infected by the ransomware will be redirected to NoMoreRansom.org and given instructions on how to decrypt their files.
The [No More Ransom](<https://threatpost.com/public-private-sector-team-to-fight-ransomware/119484/>) initiative was launched last month in the hope of better educating consumers about the perils of ransomware. The project, collaboratively backed by Europol, the Dutch National Police, Intel Security, and Kaspersky Lab, has also become a destination for ransomware decryption keys, including, in addition to WildFire, keys for Chimera, Teslacrypt, Shade, and another variant that targeted the Netherlands, CoinVault.
It was almost [a year ago](<https://threatpost.com/dutch-police-arrest-alleged-coinvault-ransomware-authors/114707/>) when the Dutch National High Tech Crime Unit enlisted the help of Kaspersky Lab researchers and arrested two individuals from the Netherlands behind the CoinVault campaign. Like Wildfire, the attackers behind CoinVault used flawless Dutch phrases, a telltale sign there was a Dutch connection.
“The seizure of the Wildfire decryption keys proves again that fighting cybercrime, especially ransomware, is more successful through collaboration,” John Fokker, the Digital Team Coordinator of the Dutch National High Tech Crime Unit, said Wednesday. “The Dutch police will strive to help ransomware victims by investigating ransomware cases, taking down criminal infrastructure and distributing decryption keys.”
By Chris Brook, Threatpost, published 2016-08-24: <https://threatpost.com/wildfire-ransomware-campaign-disrupted/120095/>