Wildfire, a ransomware variant targeting users in Belgium and the Netherlands, has been extinguished by a joint effort from Intel Security and Kaspersky Lab. The two security firms, working together on the NoMoreRansom project, have published a ransomware decryption tool for those infected in the campaign, which researchers say compromised 5,309 systems and collected almost 136 bitcoin in ransom payments in the month before the announcement.
The ransomware decryption tool was made available with the help of the Dutch police and the European Cybercrime Centre, according to a blog post authored by Christiaan Beek, threat intelligence research manager within Intel Security's office of the CTO, and Raj Samani, vice president and CTO for Intel Security in Europe, the Middle East and Africa.
"Wildfire has spread primarily through Dutch spam emails from transport companies, targeted at Dutch speakers," Beek and Samani wrote. "The victims were misled with a notice of a 'missed' delivery and instructions for scheduling a new delivery by filling in a 'special form' attached with the mail. This form was in fact an obfuscated dropper that infects the victims with the ransomware."
According to the report, in the prior month Wildfire infected 5,309 systems and generated revenue of nearly 136 bitcoin -- worth about $79,000 at the time. The researchers, speculating that Wildfire could be an example of ransomware as a service, pointed out that the Wildfire malware closely resembled the ransomware variant Zyklon. "It is worrisome to see large-scale extortion by ransomware made easily available to so many criminals," they wrote.
"Today, however, the victims of Wildfire no longer have to face the difficult choice of either paying criminals or sacrificing their data," Beek and Samani wrote. "The availability of this decryption tool allows victims to reclaim their data without having to pay anyone. The initial tool includes 1,600 keys for Wildfire, and more will be added in the near future. This is another result of the NoMoreRansom public-private partnership."
In other news:
- France and Germany's interior ministers joined together to call for legislation to limit the use of encryption in the EU. Bernard Cazeneuve, French interior minister, speaking at a joint press conference with his German counterpart, Thomas de Maizière, asked the European Commission to consider legislation that would require internet or telecommunications service providers to cooperate with government authorities in gaining access to encrypted data for use in court proceedings. While acknowledging the importance of the use of encryption to protect commercial exchanges, Cazeneuve specifically mentioned Telegram, the encrypted messaging app, as an example of the kind of service that should cooperate with government agencies.
- ESET reported an Android botnet controlled through Twitter. Dubbed Android/Twitoor, it is "a backdoor capable of downloading other malware onto an infected device," ESET wrote. "It has been active for around one month. This malicious app, a variant of Android/Twitoor.A, can't be found on any official Android app store -- it probably spreads by SMS or via malicious URLs. It impersonates a porn player app or MMS application, but without having their functionality." Lukáš Štefanko, the ESET malware researcher who discovered the malicious app, stated in the announcement: "Using Twitter instead of command-and-control servers is pretty innovative for an Android botnet."
- Dr.Web, the Moscow antivirus firm, reported Linux.Rex.1, a new self-spreading Linux Trojan capable of building peer-to-peer (P2P) botnets from infected content management system (CMS) servers, such as those running Drupal or WordPress. The malware, which first surfaced on the KernelMode forum, seemed at first to be a type of Drupal ransomware. However, Dr.Web wrote, it is "a Trojan that can create such P2P botnets by implementing a protocol responsible for sharing data with other infected computers. Once the Trojan is launched, a computer that has been infected starts operating as one of this network's nodes." The botnet can run distributed denial-of-service (DDoS) attacks, actively scan for other vulnerable CMS servers, and send messages to website owners demanding a fee to call off a DDoS attack. Linux.Rex.1 can also scan for Wi-Fi devices running Ubiquiti Networks' airOS firmware and exploit "known vulnerabilities in order to get hold of user lists, private SSH keys and login credentials stored on remote servers."