WildFire Locker Help Topic - HOW_TO_UNLOCK_FILES_README_(6de99ef7c7) .wflx


70 replies to this topic

#16 golfboy (Members, 1 post)

Posted 08 July 2016 - 06:07 PM

3 Hours ago I noticed this terrible problem so of course I'm now trying to find a solution to get my files back without paying. I haven't made any backup unfortunately

 

Is there any progress here?

 

My .png file is named: "uhaesdfvbg" and is not encrypted (still a png file).

 

 

Also do you get your files back when you pay? I saw one person got his files back but I'm worried that this is not always the case.




#17 quietman7, Bleepin' Gumshoe (Global Moderator, 65,731 posts; Virginia, USA)

Posted 08 July 2016 - 06:44 PM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cybercriminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files. Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer, has said this...

...Though the loss of your data and computer can be devastating, sending the ransom could be even more so. Depending on how the criminals want you to pay the ransom could put you at risk for Identity Theft as the information you send may contain personal information. Therefore, we suggest that you never pay a ransom unless it is absolutely necessary for data recovery...Last, but not least, it is important to remember that paying the ransom only continues to fuel the release of new variants of these types of programs.


Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Other victims reported they paid the ransom but the cyber criminals did not provide a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Keep this in mind if you are considering paying the ransom since there is no guarantee decryption will be successful.

With that said...We understand some folks may feel they have no other alternative but to take a chance and pay the ransom in hopes of recovering irreplaceable photos and other personal or important data. That is a choice and a decision each affected victim will have to make for themselves. We will not make any judgments for doing so.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE (Unified Network of Instructors and Trusted Eliminators)
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.


#18 Demonslay335, Ransomware Hunter (Security Colleague, 4,770 posts; USA)

Posted 08 July 2016 - 10:49 PM

3 Hours ago I noticed this terrible problem so of course I'm now trying to find a solution to get my files back without paying. I haven't made any backup unfortunately
 
Is there any progress here?
 
My .png file is named: "uhaesdfvbg" and is not encrypted (still a png file).
 
 
Also do you get your files back when you pay? I saw one person got his files back but I'm worried that this is not always the case.


We've found that "PNG" is actually an XOR'd executable - and is the actual encryptor code (further obfuscated).

I'm afraid we confirmed this is a variant of Zyklon, and has the exact same encryption/keygen code. It retrieves a key from the C2 server, so no keys are generated in the malware itself, which removes one possible way of attacking it at this point. The numbers in the filenames are actually the first 5 characters of said password, but we have no way of guessing the remaining part (I think the whole password was at least 32 or 64 characters, can't confirm while mobile - either way, way too long to bruteforce). The numbers are actually the first 6 characters of a SHA1 of the password (32 characters), still not particularly helpful.

Afraid there is no way of decrypting this one at this time. If you decide to pay the ransom, the decrypter they provide appears to be functional (at this time from the sample we tore apart, of course it could change, so proceed with caution). This of course still goes on the assumption that the criminals will give you the key. If they give you a handful of keys (previous Zyklon victims found the criminals couldn't determine exactly which password was right for some reason, I'm assuming a collision of PC names in their database), you can simply match it with the "ID" in the filenames as stated above (first 5 characters).


Edited by Demonslay335, 12 July 2016 - 09:07 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
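The matching step described in the post above (compare the hex ID in the filename with a prefix of the SHA1 of each password the criminals handed over, and confirm that a ".png" dropped by the infection is not really a PNG) as a small added Python helper. This is an added example, not code from the thread, from the ransomware or from its decrypter. The parenthesised-ID filename pattern, the 6-hex-character prefix length (the thread does not settle 5 versus 6, so it is a parameter) and the sample passwords are assumptions or constructed values.

```python
import hashlib
import re
from typing import List, Optional

# Added example, not from the thread. Assumption: the ID in the filename is a
# prefix of hex(SHA-1(password)), as stated in the post above; the prefix
# length is not settled in the thread, so it is a parameter.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ID_RE = re.compile(r"\(([0-9a-fA-F]{5,})\)")


def is_real_png(data: bytes) -> bool:
    """True only if the content carries the PNG signature. A file named .png
    that fails this check is the kind of disguised payload the post describes."""
    return data[:8] == PNG_MAGIC


def extract_id(filename: str) -> Optional[str]:
    """Pull the hex ID out of a name like 'HOW_TO_UNLOCK_FILES_README_(6de99ef7c7).wflx'."""
    m = ID_RE.search(filename)
    return m.group(1).lower() if m else None


def id_for_password(password: str, prefix_len: int = 6) -> str:
    """The filename ID a given password would produce under the stated scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:prefix_len]


def match_passwords(file_id: str, candidates: List[str], prefix_len: int = 6) -> List[str]:
    """Return every candidate whose SHA-1 prefix equals the filename ID prefix.
    Several passwords may be handed over (a later post reports one per reboot),
    so this tells the victim which one belongs to which file before running anything."""
    want = file_id[:prefix_len].lower()
    if not want:
        return []
    return [p for p in candidates if id_for_password(p, prefix_len) == want]


def triage(filename: str, content: bytes, candidates: List[str]) -> dict:
    """Combine both checks for one file."""
    file_id = extract_id(filename)
    return {
        "looks_like_png": is_real_png(content),
        "id": file_id,
        "matching_passwords": match_passwords(file_id or "", candidates),
    }


if __name__ == "__main__":
    # Constructed sample data, not from a real infection.
    passwords = ["constructed-password-one", "constructed-password-two"]
    note_name = f"HOW_TO_UNLOCK_FILES_README_({id_for_password(passwords[1])}abcd).wflx"
    print(triage(note_name, b"MZ\x90\x00 not a png", passwords))
```

Run it against the real note filename and the passwords received; an empty `matching_passwords` list means none of the passwords fits that file's ID under this scheme, which is worth knowing before touching any decrypter.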


#19 Dozi_3 (Members, 2 posts)

Posted 09 July 2016 - 02:22 AM

I also got infected by wildfire 2 days ago and decided to take a chance and pay the ransom because I didn't have any backups....

 

They actually delivered the decrypter and 3 passwords. I was curious as to why there were multiple passwords so I asked them on the helpdesk. They told me it was because the ransomware generates a new password on every reboot.

 

@Demonslay335 The characters in the filename are not actually part of the password (at least not with me) and there were 6 characters in the filename. The passwords are 32 characters

 

Anything I can do to help? Do you already have a copy of the decrypter?



#20 Demonslay335, Ransomware Hunter (Security Colleague, 4,770 posts; USA)

Posted 09 July 2016 - 10:06 AM

@Dozi_3

 

I could be a little off, I was summarizing from my phone. In the source code, it does use part of the password in the filename in the sample we reversed, which is similar to Zyklon's behaviour. Could be different variation or something. We do have a sample of the decrypter, thanks.

 

If you don't mind, you could PM me a few encrypted files and the passwords they provided just to confirm a few things.




#21 Dozi_3 (Members, 2 posts)

Posted 09 July 2016 - 04:02 PM

@Dozi_3

 

I could be a little off, I was summarizing from my phone. In the source code, it does use part of the password in the filename in the sample we reversed, which is similar to Zyklon's behaviour. Could be different variation or something. We do have a sample of the decrypter, thanks.

 

If you don't mind, you could PM me a few encrypted files and the passwords they provided just to confirm a few things.

 

PM has been sent



#22 anneke62 (Members, 14 posts)

Posted 10 July 2016 - 09:05 AM

I reinstalled Windows on my computer because my computer didn't do much anymore. It wouldn't start any programs anymore. I put all the encrypted files on USB sticks. The Dropbox from my son's school is also infected. The other students can't use the files anymore. I uploaded an infected file just now. I hope that there will be a solution soon.



#23 Demonslay335, Ransomware Hunter (Security Colleague, 4,770 posts; USA)

Posted 10 July 2016 - 09:29 AM

I reinstalled Windows on my computer because my computer didn't do much anymore. It wouldn't start any programs anymore. I put all the encrypted files on USB sticks. The Dropbox from my son's school is also infected. The other students can't use the files anymore. I uploaded an infected file just now. I hope that there will be a solution soon.


Dropbox has Previous Versions you can use to revert that data. There is a guide on BleepingComputer on how to use it, and how to use a Python script for restoring multiple files at a time (Dropbox's website only lets you do one at a time...). I'd link but I'm mobile; it should be a short Google search away.



#24 nijhu178 (Members, 1 post)

Posted 12 July 2016 - 08:58 AM

Hi All,

 

Is there already a solution to decrypt files encrypted by WildFire Locker?

 

Kind regards,

 

Peter Nijhuis



#25 Demonslay335, Ransomware Hunter (Security Colleague, 4,770 posts; USA)

Posted 12 July 2016 - 09:07 AM

Hi All,

 

Is there already a solution to decrypt files encrypted by WildFire Locker?

 

Kind regards,

 

Peter Nijhuis

 

Please see my analysis above: http://www.bleepingcomputer.com/forums/t/618641/wildfire-locker-help-topic-how-to-unlock-files-readme-6de99ef7c7-wflx/?p=4037333

 

There is no way to decrypt this ransomware. It is a variant of Zyklon, which retrieves the key from the server and uses secure encryption on files.




#26 arjanB (Members, 4 posts)

Posted 26 July 2016 - 06:06 AM

Hi all,

 

I have had this problem for almost 4 to 5 hours now, and after a few hours I'd bought the key to decrypt all of my files.

Problem: Essentials cut out the downloaded file, so I do not have the wildfire-decrypter.exe.

Does anyone know how I can obtain the file again?

 

Kind regards,



#27 arjanB (Members, 4 posts)

Posted 26 July 2016 - 06:08 AM

For further ado:

I do have the key though..



#28 Qui1976 (Members, 1 post)

Posted 26 July 2016 - 07:13 AM

Hello

 

I had the same locker virus on my pc.

I saved the key but did not download the wildfire-decrypter.exe file, and now the link does not work anymore.

So I cannot download the file anymore.

Can someone mail me the link or file?

 

Thanks. Regards Qui



#29 anneke62 (Members, 14 posts)

Posted 26 July 2016 - 07:33 AM

This is the answer from Kaspersky:

 

Our virus analysts have let us know that your files were encrypted by the virus Trojan-Ransom.MSIL.Cyclone and that unfortunately they are not able to decrypt them.

In practical terms that means we can do nothing more for you, except advise you to keep the files, because the expectation is that in about five years this kind of encryption will be decryptable. We therefore also recommend that you check the website with the tools regularly. If new methods are found, those tools will be updated.

 

The files are encrypted with Trojan-Ransom.MSIL.Cyclone. They are not able to help me yet. Their advice is to save the files on a USB or something else because they may be able to decrypt them in the future!



#30 Jeroene (Members, 1 post)

Posted 26 July 2016 - 09:56 AM

Oops, 5 years... no further options, as I tried Shadow Explorer and Recuva. Stupid mistake... busy for 2 days trying to recover the files. No luck, and I understand from this topic there is no solution... Going on vacation now for 5 years ;-)





