
WildFire Locker Help Topic - HOW_TO_UNLOCK_FILES_README_(6de99ef7c7) .wflx


70 replies to this topic

#1 michelmau5

michelmau5

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:51 PM

Posted 30 June 2016 - 06:45 AM

Decrypter for this ransomware can be found here.

 

 

 

Hello,
 
One of our clients just got the WildFire_Locker. I can't find anything about it, and Malwarebytes doesn't even find it...
 
The files look like 'Filename #WildFire_Locker#be8c3f##.doc.wflx'
 
Here is what I got:
 
The HOW_TO_UNLOCK_README file:

Spoiler

 
The BMP:
Spoiler

 
The .exe causing it was located in C:/User/AppData/Local/Temp and C:/User/AppData/Local/Roaming/lbixaobjjsr
 
I also have the .exe and I have a locked file if you want that for research.


Edited by xXToffeeXx, 24 August 2016 - 11:02 AM.




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,258 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:07:51 AM

Posted 30 June 2016 - 06:52 AM

I also have the .exe and I have a locked file if you want that for research.


You can upload the executable and a locked file (as well as a ransom note if you wish) at the link below.

http://www.bleepingcomputer.com/submit-malware.php?channel=3

Experts (like Grinler, BloodDolly, demonslay, Fabian, etc.) will have access to it.

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 michelmau5

michelmau5
  • Topic Starter


Posted 30 June 2016 - 07:01 AM

 

I also have the .exe and I have a locked file if you want that for research.


You can upload the executable and a locked file (as well as a ransom note if you wish) at the link below.

http://www.bleepingcomputer.com/submit-malware.php?channel=3

Experts (like Grinler, BloodDolly, demonslay, Fabian, etc.) will have access to it.

 

 

I submitted the files!



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:51 AM

Posted 30 June 2016 - 09:58 AM

Thanks, we will be taking a look at this soon. I did see submissions for this on ID Ransomware lately, was hunting for a sample.

 

We'll let you know what we find once it has been deobfuscated.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 Demonslay335

Demonslay335


Posted 30 June 2016 - 12:41 PM

Can you look for the following file on the infected system?

 

Vmbulmigrmk.png

 

It may be under AppData\Local\Temp.




#6 michelmau5

michelmau5
  • Topic Starter


Posted 01 July 2016 - 01:54 AM

Can you look for the following file on the infected system?

 

Vmbulmigrmk.png

 

It may be under AppData\Local\Temp.

 

I will contact my client later today and search for that file.

Is there anything else I should look out for?



#7 Vince7

Vince7

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 01 July 2016 - 04:09 AM

Can you look for the following file on the infected system?

 

Vmbulmigrmk.png

 

It may be under AppData\Local\Temp.

 

i have this file. same folder as virus .exe in appdata folder

i paid for decryption. files are very important for me

i got file wildfire-decrypter.exe and 1 password

decrypt works so i am happy i got all files back working

 

do u want wildfire-decrypter.exe file? where do i send too?



#8 michelmau5

michelmau5
  • Topic Starter


Posted 01 July 2016 - 05:04 AM

Can you look for the following file on the infected system?

 

Vmbulmigrmk.png

 

It may be under AppData\Local\Temp.

 

I do have the file, but of course it is encrypted..

 

 

i have this file. same folder as virus .exe in appdata folder

i paid for decryption. files are very important for me

i got file wildfire-decrypter.exe and 1 password

decrypt works so i am happy i got all files back working

 

do u want wildfire-decrypter.exe file? where do i send too?

 

You can upload the files at http://www.bleepingcomputer.com/submit-malware.php?channel=3



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,578 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:51 AM

Posted 01 July 2016 - 05:23 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#10 Vince7

Vince7


Posted 01 July 2016 - 05:31 AM

thanks

 

Vmbulmigrmk.png also encrypted on me. will upload when finish decrypting

uploaded wildfire-decrypter.exe



#11 michelmau5

michelmau5
  • Topic Starter


Posted 04 July 2016 - 07:15 AM

Another client just got infected with WildFire, and Malwarebytes Anti-Malware still didn't find it...

Also, I now have the email the virus came with.


Edited by michelmau5, 04 July 2016 - 07:16 AM.


#12 tanjahof

tanjahof

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 04 July 2016 - 08:32 AM

I've also been infected/encrypted. I uploaded one of my encrypted files.

Hopefully you crack the code because my whole computer is infected (including files from my colleagues). 



#13 Demonslay335

Demonslay335


Posted 05 July 2016 - 02:45 PM

thanks

 

Vmbulmigrmk.png also encrypted on me. will upload when finish decrypting

uploaded wildfire-decrypter.exe

 

Any chance you have that decrypted version of the Vmbulmigrmk.png?




#14 michelmau5

michelmau5
  • Topic Starter


Posted 06 July 2016 - 02:14 AM

 

thanks

 

Vmbulmigrmk.png also encrypted on me. will upload when finish decrypting

uploaded wildfire-decrypter.exe

 

Any chance you have that decrypted version of the Vmbulmigrmk.png?

 

 

Hey Demon

 

The second infection I saw didn't have Vmbulmigrmk.png but Omkwhrrxoeoaonms.png

and it was not encrypted.. Will upload now.



#15 Demonslay335

Demonslay335


Posted 06 July 2016 - 08:18 AM

Hey Demon
 
The second infection I saw didn't have Vmbulmigrmk.png but Omkwhrrxoeoaonms.png
and it was not encrypted.. Will upload now.


Thanks. We were able to locate another sample of the malware that uses that filename (and had the exact same PNG in the payload), so it will be going under analysis soon.





