
Ransomware decryption tool from Intel and Kaspersky quenches Wildfire

Intel and Kaspersky cooperate with authorities to snuff out Wildfire with a ransomware decryption tool and end the threat from a $79,000 per month campaign with over 5,000 victims.

Wildfire, a ransomware variant targeting users in Belgium and the Netherlands, has been extinguished by a joint effort from Intel Security and Kaspersky Lab. The two security firms, working together on the NoMoreRansom project, have published a ransomware decryption tool for those who were infected in the campaign. Researchers reported 5,309 systems were infected and almost 136 bitcoin were paid during the month of the campaign prior to their announcement.

The ransomware decryption tool was made available with the help of the Dutch police and the European Cybercrime Centre, according to a blog post authored by Christiaan Beek, threat intelligence research manager within Intel Security's office of the CTO, and Raj Samani, vice president and CTO for Intel Security in Europe, the Middle East and Africa.

"Wildfire has spread primarily through Dutch spam emails from transport companies, targeted at Dutch speakers," Beek and Samani wrote. "The victims were misled with a notice of a 'missed' delivery and instructions for scheduling a new delivery by filling in a 'special form' attached with the mail. This form was in fact an obfuscated dropper that infects the victims with the ransomware."

According to the report, in the prior month, Wildfire infected 5,309 systems and generated revenue of nearly 136 bitcoin -- worth about $79,000. The researchers, speculating that Wildfire could be an example of ransomware as a service, pointed out that the Wildfire malware closely resembles the ransomware variant Zyklon. "It is worrisome to see large-scale extortion by ransomware made easily available to so many criminals," they wrote.

"Today, however, the victims of Wildfire no longer have to face the difficult choice of either paying criminals or sacrificing their data," Beek and Samani wrote. "The availability of this decryption tool allows victims to reclaim their data without having to pay anyone. The initial tool includes 1,600 keys for Wildfire, and more will be added in the near future. This is another result of the NoMoreRansom public-private partnership."

In other news:

  • France and Germany's interior ministers joined together to call for legislation to limit the use of encryption in the EU. Bernard Cazeneuve, French interior minister, speaking at a joint press conference with his German counterpart, Thomas de Maizière, asked the European Commission to consider legislation that would require internet or telecommunications service providers to cooperate with government authorities in gaining access to encrypted data for use in court proceedings. While acknowledging the importance of the use of encryption to protect commercial exchanges, Cazeneuve specifically mentioned Telegram, the encrypted messaging app, as an example of the kind of service that should cooperate with government agencies.
  • A new proof-of-concept exploit, Sweet32, decrypts secret session cookies used in Transport Layer Security and OpenVPN protocols -- once again demonstrating that "a short block size makes a block cipher vulnerable to birthday attacks, even if there are no cryptographic attacks against the block cipher itself," according to Karthikeyan Bhargavan and Gaëtan Leurent, researchers at INRIA, the French national research institute for computer science. They found older ciphers using 64-bit block sizes, such as Triple DES and Blowfish, are still widely used -- Blowfish being the default cipher for OpenVPN, and Triple DES currently protecting 1% to 2% of HTTPS connections with mainstream servers. The new exploit has its own website, detailing how an "attacker who can monitor a long-lived Triple DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic." The researchers' proof of concept demonstrates the attack succeeding after less than two days in which malicious JavaScript is used to generate traffic to keep the web connection alive. "Keeping a web connection alive for two days may not seem very practical, but it worked easily in the lab," Bhargavan and Leurent wrote. "Countermeasures are currently being implemented by browser vendors, OpenSSL and the OpenVPN team, and we advise users to update to the latest available versions."
  • ESET reported an Android botnet controlled through Twitter. Dubbed Android/Twitoor, it is "a backdoor capable of downloading other malware onto an infected device," ESET wrote. "It has been active for around one month. This malicious app, a variant of Android/Twitoor.A, can't be found on any official Android app store -- it probably spreads by SMS or via malicious URLs. It impersonates a porn player app or MMS application, but without having their functionality." Lukáš Štefanko, the ESET malware researcher who discovered the malicious app, stated in the announcement: "Using Twitter instead of command-and-control servers is pretty innovative for an Android botnet."
  • Dr.Web, the Moscow antivirus firm, reported Linux.Rex.1, a new self-spreading Linux Trojan capable of creating peer-to-peer (P2P) botnets from infected content management system (CMS) servers, such as Drupal, WordPress and others. The malware, which first surfaced on the KernelMode forum, seemed at first to be a type of Drupal ransomware. However, Dr.Web wrote, it is "a Trojan that can create such P2P botnets by implementing a protocol responsible for sharing data with other infected computers. Once the Trojan is launched, a computer that has been infected starts operating as one of this network's nodes." The botnet can be used to run distributed denial-of-service (DDoS) attacks, to actively scan for other vulnerable CMS servers, and to send messages to website owners demanding a fee to prevent a DDoS attack. Linux.Rex.1 can also scan for Wi-Fi devices running Ubiquiti Networks' airOS firmware and exploit "known vulnerabilities in order to get hold of user lists, private SSH keys and login credentials stored on remote servers."
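The Sweet32 item above rests on a piece of arithmetic that is worth seeing worked through: the birthday bound for a cipher with an n-bit block. The Python below is an added example, not code from the researchers or from the article; it computes how likely a ciphertext-block collision is after a given amount of traffic under one key, compares the 64-bit block of Triple DES and Blowfish with the 128-bit block of AES, and flags cipher-suite names that use a 64-bit block cipher so an operator can audit a TLS or OpenVPN configuration. The cipher-suite list is constructed for the example; the name markers are the OpenSSL and OpenVPN spellings for DES, Triple DES and Blowfish, plus IDEA, CAST5 and RC2, which also use 64-bit blocks.

```python
import math

# Block size in bits for ciphers named in the article (plus AES for contrast).
BLOCK_BITS = {"3DES": 64, "Blowfish": 64, "AES": 128}


def blocks_in(nbytes, block_bits):
    """Number of cipher blocks contained in nbytes of ciphertext."""
    return nbytes // (block_bits // 8)


def collision_probability(n_blocks, block_bits):
    """Probability that at least two of n_blocks CBC ciphertext blocks collide.

    Uses the standard birthday approximation 1 - exp(-n^2 / (2 * 2^b)).
    A collision in CBC mode leaks the XOR of two plaintext blocks, which is
    what Sweet32 exploits; the cipher itself need not be broken.
    """
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-(n_blocks ** 2) / (2.0 * space))


def bytes_for_probability(p, block_bits):
    """Bytes of ciphertext under one key before collision probability reaches p."""
    space = 2.0 ** block_bits
    n_blocks = math.sqrt(-2.0 * space * math.log(1.0 - p))
    return n_blocks * (block_bits // 8)


# Substrings identifying 64-bit-block ciphers in OpenSSL / OpenVPN names
# (DES-CBC matches both single DES and DES-CBC3; BF-CBC is OpenVPN's Blowfish).
SHORT_BLOCK_MARKERS = ("3DES", "DES-CBC", "DES_CBC", "BF-CBC", "BLOWFISH",
                       "IDEA", "CAST5", "RC2")


def short_block_suites(suites):
    """Return the cipher-suite names that rely on a 64-bit block cipher."""
    return [s for s in suites
            if any(m in s.upper() for m in SHORT_BLOCK_MARKERS)]


def compare_block_sizes(traffic_bytes):
    """Collision probability for the same traffic volume under each block size."""
    return {name: collision_probability(blocks_in(traffic_bytes, bits), bits)
            for name, bits in BLOCK_BITS.items()}


if __name__ == "__main__":
    gb = 10 ** 9
    # 785 GB is the capture volume quoted by the Sweet32 researchers.
    for name, p in compare_block_sizes(785 * gb).items():
        print(f"{name:9s} collision probability after 785 GB: {p:.6f}")
    for bits in (64, 128):
        print(f"{bits}-bit block: 50% collision chance after "
              f"{bytes_for_probability(0.5, bits) / gb:,.0f} GB under one key")
    # Constructed configuration excerpt: one AES suite and two legacy suites.
    configured = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-DES-CBC3-SHA", "BF-CBC"]
    print("64-bit-block suites to remove:", short_block_suites(configured))
```

The contrast is the practical point: with a 64-bit block, a 50% collision chance arrives after a few tens of gigabytes under a single key, while a 128-bit block pushes the same threshold beyond any traffic volume a connection will ever carry. Removing the flagged suites, or rekeying long before the 64-bit bound, is the mitigation the researchers recommend.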

Next Steps

Find out more about how encryption laws could affect enterprises.

Read about why the FBI believes encryption backdoors would be unnecessary if companies would comply with court orders.

Learn more about why the CIA director believes encryption backdoors would have no effect on U.S. businesses.
