
Ransomware operators do not usually single out specific victims as a source of money, but this campaign might change that.

95% of WildFire ransomware’s targets were located in the Netherlands, according to Cisco’s Umbrella Blog. The geographic focus of this attack was determined by analyzing the communications of infected nodes with specific domains, particularly:

  • exithub1[.]su
  • exithub2[.]su
  • exithub-pql[.]su
  • exithub-xuq[.]su
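The domains above are published in defanged form so they cannot be clicked. The script below, an added example that is not part of the original post or of ThreatSTOP's or Cisco's tooling, refangs the list and matches it against DNS query logs so that a defender can find hosts that resolved a WildFire domain or any subdomain of one. The log line format is a constructed BIND-style query log; the sample lines are constructed and the source IPs are placeholders.

```python
"""Find hosts whose DNS queries hit the WildFire domain list (added example)."""
import re
from typing import Iterable, List, Optional, Set, Tuple

# Indicators exactly as published in the post, in defanged form.
WILDFIRE_DOMAINS_DEFANGED = [
    "exithub1[.]su",
    "exithub2[.]su",
    "exithub-pql[.]su",
    "exithub-xuq[.]su",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'exithub1[.]su' back into 'exithub1.su'."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


WILDFIRE_DOMAINS: Set[str] = {refang(d) for d in WILDFIRE_DOMAINS_DEFANGED}


def matches_indicator(qname: str, indicators: Set[str] = WILDFIRE_DOMAINS) -> Optional[str]:
    """Return the indicator matched by qname (exact domain or a subdomain), else None.

    The "." + ioc suffix check is deliberate: 'notexithub1.su' must NOT match
    'exithub1.su', while 'www.exithub1.su' must.
    """
    name = qname.strip().lower().rstrip(".")
    for ioc in indicators:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


# Assumed (constructed) log format, modelled on a BIND query log line:
#   "client 10.0.0.5#53211: query: exithub1.su IN A + (10.0.0.1)"
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def find_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source_ip, queried_name, matched_indicator) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line we understand; skip rather than guess
        ioc = matches_indicator(m.group("qname"))
        if ioc is not None:
            hits.append((m.group("src"), m.group("qname"), ioc))
    return hits


# Constructed sample log lines; addresses are placeholders.
SAMPLE_LOG = [
    "14-Aug-2016 10:12:01.123 client 10.0.0.5#53211: query: exithub1.su IN A + (10.0.0.1)",
    "14-Aug-2016 10:12:03.456 client 10.0.0.7#41022: query: www.exithub-pql.su IN A + (10.0.0.1)",
    "14-Aug-2016 10:12:05.789 client 10.0.0.9#33333: query: notexithub1.su IN A + (10.0.0.1)",
    "14-Aug-2016 10:12:07.000 client 10.0.0.5#53213: query: www.example.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for src, qname, ioc in find_hits(SAMPLE_LOG):
        print(f"{src} resolved {qname} (matches {ioc})")
```

The third sample line is the edge case worth keeping in mind when turning an indicator list into a rule: a plain substring or `endswith` check on the bare domain would flag `notexithub1.su`, which is an unrelated name, so the check anchors on the label boundary.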

Distribution was conducted via an email phishing campaign which notified the victim of a missed package delivery. The email contained a link to download a form to reschedule the delivery. The downloaded form is a Microsoft Word document containing malicious code (a macro) that infects the victim’s computer with the WildFire Locker encryption ransomware. When opening the file, the user is prompted to "enable editing" and "enable content." After these permissions are granted and the macro is enabled, WildFire takes control of the machine and encrypts all the files with AES-256 CBC encryption. Once all the files are encrypted, the ransomware lets the user know by a notification page, as demonstrated by the CyberCrime & Doing Time blog.
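The infection chain above depends on a Word attachment that carries a macro and on the user clicking "enable content". A mail gateway or endpoint check can flag such attachments before anyone is asked that question. The following is an added example, not code from the original post or from ThreatSTOP: it classifies an attachment by container format and, for OOXML files, looks for the `word/vbaProject.bin` part that holds VBA code. The zip built by `build_ooxml` is a constructed, minimal stand-in for a Word file, not a real document; the quarantine rule for legacy OLE `.doc` files is an assumed policy choice, since this check does not parse the VBA streams inside that container.

```python
"""Flag Word attachments that carry VBA macros before they reach a user (added example)."""
import io
import zipfile

# Magic bytes of the two Word container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx / .docm) is a zip archive


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-binary' or 'other'."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "other"
        # Word stores VBA code in word/vbaProject.bin; a macro-free file has no such part.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    if data.startswith(OLE_MAGIC):
        return "ole-binary"
    return "other"


def should_quarantine(data: bytes) -> bool:
    """Assumed policy: hold macro-bearing OOXML and all legacy binary .doc files.

    The legacy format keeps macros in OLE streams this check does not parse, so
    treating it as suspicious is the conservative choice for inbound mail.
    """
    return classify_attachment(data) in ("ooxml-macro", "ole-binary")


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("constructed .docm", build_ooxml(True)),
        ("constructed .docx", build_ooxml(False)),
        ("constructed legacy .doc header", OLE_MAGIC + b"\x00" * 16),
        ("plain text", b"hello"),
    ]:
        print(f"{label}: {classify_attachment(blob)}, quarantine={should_quarantine(blob)}")
```

The check keys on container contents rather than the file extension, because the extension is chosen by the sender. For production use, a dedicated parser such as oletools would also inspect the legacy OLE format instead of quarantining it wholesale.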

Luckily, as Kaspersky reported in August 2016, a decryption tool was created through a collaborative effort between the National High Tech Crime Unit of the Dutch Police and Kaspersky, and can be downloaded from the following locations:

Enabling the TSCritical targets in your user policy will add protection against WildFire to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account, sign up to try a demo.

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our Support team.