WildFire Locker virus - How to remove

WildFire Locker virus

If you are a fan of the Game of Thrones series, the word wildfire might stir some feelings: a chill may run down your spine as you remember the shocking twist in the season 6 finale. As that episode has only just aired, we are not going to give anything away beyond one small fact: it was, and is, a jaw-dropping masterpiece. Perhaps the shady programmers behind this threat watch Game of Thrones as well and decided to honour the most recent episode in a very unusual way, by naming a ransomware virus after a very important object used in it. Of course, we might be over-thinking this and the name WildFire Locker virus is just a coincidence.

About WildFire Locker virus

Now, let's analyze the nature of the WildFire Locker ransomware. Once it has made its way onto your computer, a real wildfire starts to consume more and more of your data. The first thing the WildFire Locker virus does is contact the attackers' Command and Control (C2) servers. Why? It reports the victim's unique private ID, the IP address, details of the device's operating system and data about the security product installed on the machine. This outbound connection happens before a single file is touched, so it is the earliest point at which the infection is visible on the network.

Now the encryption process by WildFire Locker ransomware begins. The virus uses AES-256 (Advanced Encryption Standard with a 256-bit key) in CBC (Cipher Block Chaining) mode. CBC is not a second cipher but the mode in which AES is applied, chaining each ciphertext block into the encryption of the next; the combination is a standard, strong construction, and with a correctly generated key there is no known shortcut to the plaintext without the password. A word of caution on do-it-yourself decryption attempts: decrypting with the wrong password does not damage the ciphertext itself, it merely produces garbage, but a tool that writes that garbage over the encrypted files in place destroys the only copy you have. Always work on copies of the encrypted files.

The targeted files can be various: email messages, audio or video files, photos, Microsoft Office files, Adobe Reader documents and VirtualBox virtual machine files. Each encrypted file is marked with the extension .wflx appended to its original name. So, if you had a file named mytrip.jpg, it becomes mytrip.jpg.wflx after being encrypted. Furthermore, WildFire Locker virus creates HOW_TO_UNLOCK_FILES_README_({UNIQUE PRIVATE ID}).html and HOW_TO_UNLOCK_FILES_README_({UNIQUE PRIVATE ID}).txt files to inform users about their situation and provide 'comfort' in their despair.

The URL provided in the note from WildFire Locker ransomware leads to a site with detailed instructions and even a chat box, should victims want to contact the criminals directly; a reply is promised within 24 hours. Note that the deadline in the sample below is written in Dutch (woensdag 6 juli 2016, i.e. Wednesday 6 July 2016), a hint at the campaign's intended audience. The text file and the desktop background display a message like this:

All your files have been encrypted by WildFire Locker
All your files have been encrypted with an unique 32 characters long password using AES-256 CBC encryption.
The only way to get your files back is by purchasing the decryption password!
The decryption password will cost $/€299.
You have untill woensdag 6 juli 2016 UTC before the price increases to $/€999!
Antivirus software will NOT be able to recover your files! The only way to recover your files is by purchasing the decryption password.
Personal ID: {random A-Z 1-9}
Visit one of the websites below to purchase your decryption password!
http://exithub1.su/{random A-Z 1-9}
http://exithub2.su/{random A-Z 1-9}
If these websites don’t work follow the steps below
1. Download the TOR Browser Bundle https://www.torproject.org/projects/torbrowser.html.en#downloads
2. Install and then open the Tor Browser Bundle.
3. Inside the Tor Browser Bundle navigate to gsxrmcgsygcxfkbb.onion/{random A-Z 1-9}
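The extension and ransom-note names described above are the indicators a responder looks for first. The following triage script is an added example, not code from the page or from the malware authors: it walks a directory tree, lists every .wflx file together with the original name hidden under the extension, measures the entropy of each file's first bytes to tell genuinely encrypted content (which looks random) from a file that was merely renamed, and collects the personal ID embedded in the HOW_TO_UNLOCK_FILES_README_(ID) note filenames. The sample tree, its contents and the ID ABC123XYZ are constructed for the demo; the 7.5 bits/byte threshold is an assumption that works for typical documents versus ciphertext.

```python
"""Triage scan for a WildFire Locker style infection (added example, not the page's code)."""
import math
import os
import re
import tempfile
from collections import Counter

WFLX_EXT = ".wflx"
# Ransom note names as described on the page: HOW_TO_UNLOCK_FILES_README_({UNIQUE PRIVATE ID}).txt/.html
# The page says the ID is drawn from A-Z and 1-9.
NOTE_RE = re.compile(r"^HOW_TO_UNLOCK_FILES_README_\(([A-Z1-9]+)\)\.(txt|html)$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for documents or text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, sample_bytes: int = 4096, encrypted_threshold: float = 7.5) -> dict:
    """Return {'encrypted': [(path, original_name, entropy)], 'renamed_only': [...], 'notes': {id: [paths]}}."""
    result = {"encrypted": [], "renamed_only": [], "notes": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = NOTE_RE.match(name)
            if m:
                result["notes"].setdefault(m.group(1), []).append(path)
                continue
            if name.lower().endswith(WFLX_EXT):
                original = name[: -len(WFLX_EXT)]
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                ent = shannon_entropy(head)
                # Assumption: anything at or above the threshold is real ciphertext, not a rename.
                bucket = "encrypted" if ent >= encrypted_threshold else "renamed_only"
                result[bucket].append((path, original, round(ent, 2)))
    return result


def make_sample_tree() -> str:
    """Build a constructed sample victim directory in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wflx_demo_")
    pics = os.path.join(root, "Pictures")
    os.makedirs(pics)
    # A genuinely encrypted file: ciphertext is indistinguishable from random bytes.
    with open(os.path.join(pics, "mytrip.jpg" + WFLX_EXT), "wb") as fh:
        fh.write(os.urandom(4096))
    # A file that only got the extension, e.g. from an interrupted run: content is still plain text.
    with open(os.path.join(root, "notes.txt" + WFLX_EXT), "wb") as fh:
        fh.write(b"Shopping list: milk, eggs, bread\n" * 100)
    # An untouched file that must be ignored.
    with open(os.path.join(root, "readme.md"), "wb") as fh:
        fh.write(b"# nothing to see\n")
    # Ransom notes dropped alongside; the ID is a constructed placeholder.
    for ext in ("txt", "html"):
        with open(os.path.join(root, f"HOW_TO_UNLOCK_FILES_README_(ABC123XYZ).{ext}"), "w") as fh:
            fh.write("All your files have been encrypted by WildFire Locker\n")
    return root


if __name__ == "__main__":
    report = scan_tree(make_sample_tree())
    for path, original, ent in report["encrypted"]:
        print(f"encrypted     {path}  (was {original}, entropy {ent})")
    for path, original, ent in report["renamed_only"]:
        print(f"renamed only  {path}  (was {original}, entropy {ent})")
    for pid, paths in report["notes"].items():
        print(f"ransom notes for ID {pid}: {len(paths)}")
```

The entropy check is what saves time later: a .wflx file whose content is still low-entropy was never encrypted and only needs renaming back, while a high-entropy one will need the shadow-copy or carving routes described below. Point scan_tree at a mounted copy of the victim's drive rather than the live system.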

How to Decrypt Files Encrypted by WildFire Locker virus?

WildFire Locker virus demands 299 euros (or dollars) for the decryption password and threatens to raise the sum to 999 if the victim takes too long to pay. The criminals' note explains how the money is to be transferred: payment is in Bitcoin, which the attackers favour because it is hard to trace. However, even if victims decide, out of desperation, to pay the ransom, there is no guarantee that the encrypted files will be saved; the supplied decryption password might not even work.

There does not seem to be a dedicated decryptor for the WildFire Locker virus yet. You can check whether the ransomware left the Shadow Volume Copies untouched and try to restore files from them. Backups kept out of the ransomware's reach remain the most reliable way to protect your most precious files. Lastly, generic file-recovery tools such as PhotoRec can be tried: they carve deleted files out of unallocated disk space, which helps only if the original, unencrypted data has not yet been overwritten.

How is WildFire Locker virus Distributed?

WildFire Locker ransomware uses a couple of techniques to get into computer systems: malicious files arrive via infected URLs or spam email attachments. Avoid opening content from unknown sources and be aware that even a redirect to another domain can be the route by which ransomware reaches a computer. Use anti-malware tools to eliminate the WildFire Locker virus; scanners such as Spyhunter or Hitman will remove the malicious code.

Update of 5 December 2016: the Wildfire ransomware family has been observed being distributed by the Kelihos botnet, also known as Waledac.

How to recover WildFire Locker virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen, then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When the Command Prompt loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click "Next" in the window that appears.
  • Select one of the Restore Points dated before WildFire Locker ransomware infiltrated your system and click "Next".
  • To start System Restore, click "Yes".

Step 2. Complete removal of WildFire Locker virus

After restoring your system, scan the computer with an anti-malware program such as Spyhunter and remove all malicious files related to WildFire Locker ransomware. Keep in mind that System Restore reverts system files and settings but does not bring back your encrypted documents; continue with the following steps for those. You can check other tools here.

Step 3. Restore WildFire Locker virus affected files using Shadow Volume Copies

If System Restore is not enabled on your operating system, there is still a chance to use shadow copy snapshots. They hold copies of your files as they were at the point in time when the snapshot was created. WildFire Locker ransomware, like most of its kind, tries to delete all Shadow Volume Copies, so this method will not work on every computer; however, it may fail to do so, for instance when it did not obtain the administrator rights the deletion requires. Shadow Volume Copies are available on Windows XP Service Pack 2, Windows Vista, Windows 7, Windows 8 and Windows 10. There are two ways to retrieve your files from a Shadow Volume Copy: the native Windows Previous Versions feature or Shadow Explorer.

a) Native Windows Previous Versions. Because the encrypted file carries a new name (mytrip.jpg.wflx instead of mytrip.jpg), right-click the folder that contained the file rather than the encrypted file itself and select Properties → Previous Versions tab. You will see all available copies of that folder and the time at which each was stored in a Shadow Volume Copy. Choose the version you want to retrieve and click Copy to save it to a directory of your choice, or Restore to replace the existing, encrypted contents. To look at the contents first, click Open.

b) Shadow Explorer. This is a free program available online, in a full and a portable version. Open the program and, in the top left corner, select the drive on which the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export", then choose where you want it to be stored.
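Before spending time in Previous Versions or Shadow Explorer it is worth knowing whether any snapshot survived at all, and whether it predates the infection. The script below is an added example, not code from the page: it parses the text that `vssadmin list shadows` prints from an elevated prompt, keeps only the snapshots created before the moment the .wflx files first appeared, and builds the device path under which files inside a snapshot can be read. The SAMPLE output is constructed to mirror the tool's usual layout (verify it against your own machine; the date format also follows the system locale), the GUIDs and machine name are placeholders, and INFECTED_AT is an assumed timestamp.

```python
"""List surviving Volume Shadow Copies from vssadmin output (added example, not the page's code)."""
import re
import subprocess
import sys
from datetime import datetime

# Constructed sample modelled on `vssadmin list shadows`; GUIDs and host name are placeholders.
SAMPLE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 6/28/2016 9:03:11 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: VICTIM-PC
         Service Machine: VICTIM-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {12121212-3434-5656-7878-909090909090}
   Contained 1 shadow copies at creation time: 7/2/2016 8:15:40 AM
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: VICTIM-PC
         Service Machine: VICTIM-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Assumed moment the first .wflx files appeared (take it from file timestamps in a real case).
INFECTED_AT = datetime(2016, 7, 1, 12, 0, 0)

SET_RE = re.compile(r"^Contents of shadow copy set ID: (\{[0-9a-fA-F-]+\})")
TIME_RE = re.compile(r"^Contained \d+ shadow copies at creation time: (.+)$")
ID_RE = re.compile(r"^Shadow Copy ID: (\{[0-9a-fA-F-]+\})")
ORIG_RE = re.compile(r"^Original Volume: \((\w:)\)")
DEV_RE = re.compile(r"^Shadow Copy Volume: (\S+)")
# en-US layout; change this if vssadmin prints dates in another locale.
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_vssadmin(text: str) -> list:
    """Turn `vssadmin list shadows` output into dicts with id, created, volume and device."""
    snapshots, current, created = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if SET_RE.match(line):
            created = None          # a new set: its creation time follows on the next line
            continue
        m = TIME_RE.match(line)
        if m:
            created = datetime.strptime(m.group(1).strip(), TIME_FMT)
            continue
        m = ID_RE.match(line)
        if m:
            current = {"id": m.group(1), "created": created}
            snapshots.append(current)
            continue
        if current is None:
            continue
        m = ORIG_RE.match(line)
        if m:
            current["volume"] = m.group(1)
        m = DEV_RE.match(line)
        if m:
            current["device"] = m.group(1)
    return snapshots


def usable_snapshots(snapshots: list, infected_at: datetime) -> list:
    """Only snapshots taken before the infection still hold the unencrypted files."""
    return [s for s in snapshots if s["created"] is not None and s["created"] < infected_at]


def shadow_path(snapshot: dict, relative: str) -> str:
    """Device path of a file inside the snapshot, e.g. for `copy` or mklink /d on that machine."""
    return snapshot["device"].rstrip("\\") + "\\" + relative.lstrip("\\")


def main() -> None:
    if sys.platform == "win32" and "--live" in sys.argv:
        text = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE
    for s in usable_snapshots(parse_vssadmin(text), INFECTED_AT):
        print(s["id"], s["created"], shadow_path(s, r"Users\alice\Pictures\mytrip.jpg"))


if __name__ == "__main__":
    main()
```

Run it with --live in an elevated PowerShell or cmd window on the victim machine to parse the real output; without that flag it works on the constructed sample. A snapshot that survives but was created after the infection only contains .wflx files, which is why the date filter matters. The usual way to browse a surviving snapshot from the command line is `mklink /d C:\shadow <device path>\`, after which the files can be copied out with ordinary tools.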

Step 4. Use Data Recovery programs to recover WildFire Locker virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in every case, but it is worth trying:
  • We suggest using another PC and connecting the infected hard drive as a secondary drive, mounted read-only or behind a write-blocker if you have one, so that nothing more on it gets overwritten. It is still possible to do this on the infected PC, though every write to that disk reduces the chance of recovery.
  • Download a data recovery program.
  • Install it (on the other PC, not onto the infected disk) and scan for recently deleted files.
Note: In many cases it is impossible to restore files affected by modern ransomware. We therefore recommend decent cloud backup software as a precaution; Carbonite, BackBlaze, CrashPlan and Mozy Home are worth checking out.
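Data recovery tools such as PhotoRec work because ransomware typically writes a new, encrypted file and deletes the original, leaving the old clusters on disk until something overwrites them; those clusters can still be found by file signature. The carver below is an added example, not code from the page or from PhotoRec: it scans a raw image for JPEG start-of-image and end-of-image markers, counts nested markers so that an embedded EXIF thumbnail does not truncate the outer photo, and writes each hit out to a file. The "disk image" is constructed for the demo (the two JPEG stand-ins are structurally valid SOI..EOI spans, not decodable pictures); on a real case you would point carve_jpegs at a read-only raw dump of the drive, never at the live file system.

```python
"""Signature-based JPEG carving from a raw image (added example, not the page's code)."""
import os
import tempfile

JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by the first segment marker byte
JPEG_EOI = b"\xff\xd9"       # end of image


def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Return [(offset, data)] for every SOI..EOI span in the image.

    EXIF thumbnails are complete JPEGs nested inside the photo, so a naive "first EOI wins"
    scan would cut the photo short; instead nesting depth is tracked and the span closes
    only when the matching EOI is reached. Spans longer than max_size are treated as
    false positives (a stray SOI pattern with no real end).
    """
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        limit = min(len(image), start + max_size)
        depth, i, end = 1, start + len(JPEG_SOI), -1
        while i < limit:
            next_soi = image.find(JPEG_SOI, i, limit)
            next_eoi = image.find(JPEG_EOI, i, limit)
            if next_eoi == -1:
                break
            if next_soi != -1 and next_soi < next_eoi:
                depth += 1                      # entering a nested JPEG (thumbnail)
                i = next_soi + len(JPEG_SOI)
            else:
                depth -= 1
                i = next_eoi + len(JPEG_EOI)
                if depth == 0:
                    end = i                     # matching EOI of the outer image
                    break
        if end == -1:
            pos = start + 1                     # no proper end: skip this SOI and keep scanning
            continue
        found.append((start, image[start:end]))
        pos = end
    return found


def carve_to_dir(image: bytes, outdir: str) -> list:
    """Write every carved JPEG to outdir, named by its byte offset, and return the paths."""
    paths = []
    for offset, data in carve_jpegs(image):
        path = os.path.join(outdir, f"carved_{offset:08x}.jpg")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image() -> tuple:
    """Constructed raw image: slack space, a photo with an EXIF thumbnail, noise, a second photo.

    Returns the image and the two original JPEG stand-ins so a caller can check the carve.
    """
    thumbnail = b"\xff\xd8\xff\xdb" + b"T" * 20 + b"\xff\xd9"                    # nested JPEG
    photo1 = b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + thumbnail + b"P" * 50 + b"\xff\xd9"
    photo2 = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"Q" * 30 + b"\xff\xd9"
    # Deterministic "ciphertext-like" filler that never contains 0xFF, so it cannot fake a marker.
    noise = bytes((i * 7919) % 255 for i in range(2000))
    image = b"\x00" * 512 + photo1 + b"\x00" * 300 + noise + photo2 + b"\x00" * 100
    return image, [photo1, photo2]


if __name__ == "__main__":
    sample, _originals = build_sample_image()
    outdir = tempfile.mkdtemp(prefix="carved_")
    for p in carve_to_dir(sample, outdir):
        print("recovered", p, os.path.getsize(p), "bytes")
```

Carving recovers content, not names or folders, so expect a pile of numbered files to sort through; and it only returns photos whose clusters have not been reused, which is the reason to stop writing to the affected disk as early as possible. Other formats are carved the same way with their own signatures (PNG, ZIP-based Office documents, PDF), which is exactly what PhotoRec automates across hundreds of types.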