Intel and Kaspersky researchers developed a free decryption tool for victims of the Wildfire variant of ransomware.
Wildfire is classified as a “local threat” as it targeted users in Belgium and the Netherlands with malicious emails disguised as missed package delivery notifications containing instructions on how to schedule a new delivery by filling out a “special form,” which actually contains the malware.
Kaspersky researchers observed more than 5,700 infections and said 236 users paid a total of almost $78,869.00 (70,000 Euro) in order to retrieve their files although researchers noted some users may have negotiated their payments down, according to an Aug. 23 Kaspersky blog post.
“The e-mails are really well crafted with the address of the receiver embedded into it,” Kaspersky Security Researcher Jornt van der Wiel told SCMagazine.com via emailed comments. “Also, due to our cooperation with the police, we know exactly how many infections there are and how many people paid.”
He said that there are similarities between Zyklon and Wildfire ransomware including the fact that both variants targeted The Netherlands and the ransom notes were alike. There was some Russian text in the Zyklon decryption tool that was provided to victims by the cybercriminals and researchers suspect there might be a Dutch-speaking person involved in the Wildfire campaign because the spam emails were in perfect Dutch, van der Wiel said.
Although the bloggers didn't attribute the campaign to any specific group, but Kaspersky researchers noted the malware didn't affect users in several countries including Russia, Ukraine, Belarus, Latvia, Estonia and Moldova.
This ransomware campaign is unique because of how targeted the attacks were, Intel Security CTO Raj Samani told SCMagazine.com via emailed comments.
“They are conducting an element of research into their victims which is an evolution from the scattergun approach we have been used to,” Samani said.