Wildfire Ransomware

What is Wildfire Ransomware?

The malicious Wildfire Ransomware is a threat that might lurk in your spam emails. According to Anti-Spyware-101.com ransomware researchers, this infection might be spread using a macro-embedded .docx file attached to a spam email. Unfortunately, the contents of this email might be misleading, and you could be tricked into opening the file without realizing the danger. The seemingly harmless document can be used to download or create a malicious executable (e.g., ms.exe) that you are likely to find in the %HOMEDRIVE%\ProgramData\Memsys directory. This file runs automatically, and that is how the ransomware is launched. The ransomware itself is dropped into a folder under %APPDATA% whose name consists of 10 random characters. In this folder, you are also likely to find the main executable file, a PNG file, and an XML file that is likely used for the collection of data. Needless to say, these are the files you need to delete to have Wildfire Ransomware removed, but the process is not as straightforward as you might think.

How does Wildfire Ransomware work?

Once launched, Wildfire Ransomware starts communicating with various domains, including exithub-pql.su, exithub-xuq.su, exithub1.su, and exithub2.su. This communication is quite aggressive, and the malicious threat can send from 100 to 5000 requests to initiate the encryption process. If the process is initiated successfully, your personal files are encrypted using the AES-256 algorithm. The files encrypted by this ransomware have the ".wflx" extension attached to them, and they are most likely to be personal, irreplaceable files, such as your photos, videos, or documents. At the same time, the threat creates an HTML file (HOW_TO_UNLOCK_FILES_README_([Unique ID]).html) and a TXT file (HOW_TO_UNLOCK_FILES_README_([Unique ID]).txt) to introduce you to the demands. These files are placed in every location containing compromised files, and they are opened automatically once the encryption process is completed, so that you take action immediately. According to the information within these files, you can decrypt your files only by paying a ransom of 299 USD/EUR. It is also stated that this sum increases to 999 USD/EUR if it is not paid within a certain time-frame. The message also contains a "Personal ID" that the cyber crooks identify you by, as well as a list of websites that you supposedly need to visit to purchase your "decryption password." Although you can delete the Wildfire Ransomware-related TXT and HTML files, this will not help with the decryption.

Needless to say, Wildfire Ransomware was created to get users to pay money, and it is very successful at doing that. Once the files are encrypted, the infection has done its job, and you can even delete it. Of course, if you do, you might lose the option to pay the ransom, so you should not rush into this. The problem is that paying the ransom might be your only option, but doing so has its risks. Our researchers warn that plenty of ransomware victims report their files remaining locked even after they pay. Do you want to lose your files for nothing? Of course you do not, but this is the risk you face if you agree to pay the ransom. Obviously, you do not need to make any payments if the files encrypted by this threat are not valuable to you or if you are able to restore them after cleaning your PC, for example, from a backup on an external drive.

How to remove Wildfire Ransomware

Although decrypting your files might be tricky, deleting Wildfire Ransomware should not be too difficult. The main obstacle for you might be figuring out which files you need to eliminate from your PC. First of all, you need to erase the .docx file that was used to create or download the ransomware executable. Of course, this step pertains only to those who let this malware in via a corrupted spam email attachment. Once you get rid of this file, as well as the executable, you need to erase the remaining components, including the HTML, BMP, and TXT files that carry the cyber criminals' demands. The instructions below explain the removal process one step at a time, and we are hopeful that it will not be difficult for you to follow. If you are completely lost, use automated malware removal software to clean your PC and, more importantly, protect it against malware in the future. Note that you must erase this ransomware even if you manage to get your files decrypted.

Removal Instructions

  1. Delete the malicious .docx file with the embedded ransomware code.
  2. Launch Explorer (tap Win+E keys together).
  3. Enter %HOMEDRIVE%\ProgramData\Memsys\ into the address bar at the top.
  4. Right-click and Delete the file named ms.exe (might be named differently).
  5. Enter %APPDATA% into the address bar.
  6. Right-click and Delete the folder whose name contains 10 random characters (this folder should contain malicious .exe, .xml, and .png files with random names).
  7. Right-click and Delete the WildFire V1 folder (might be named differently, but contains folders leading to the ransomware-related BMP file).
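To scope an infection before cleaning up, the following read-only triage script looks for the artifacts described in the "How does Wildfire Ransomware work?" section and in the removal steps above: the ".wflx" extension, the HOW_TO_UNLOCK_FILES_README_(…) notes, and a 10-character folder under %APPDATA% holding .exe, .xml and .png files. It is an added example written for this page, not a tool from Anti-Spyware-101.com; scan_tree, build_demo_tree and the sample file names inside are assumptions constructed for an offline dry run, and the script only reports, it deletes nothing.

```python
import os
import re
import tempfile

# Artifacts taken from the write-up above; the function names and report layout are this example's own.
ENCRYPTED_EXT = ".wflx"
NOTE_RE = re.compile(r"^HOW_TO_UNLOCK_FILES_README_\(.+\)\.(html|txt)$", re.IGNORECASE)
DROP_FOLDER_RE = re.compile(r"^[A-Za-z0-9]{10}$")   # 10-random-character folder under %APPDATA%
DROP_CONTENTS = {".exe", ".xml", ".png"}            # file types the folder is described to hold


def scan_tree(root):
    """Walk `root` read-only and list every Wildfire artifact found; nothing is modified or deleted."""
    report = {"encrypted": [], "notes": [], "drop_folders": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"].append(os.path.join(dirpath, name))
            elif NOTE_RE.match(name):
                report["notes"].append(os.path.join(dirpath, name))
        for d in dirnames:
            if DROP_FOLDER_RE.match(d):
                exts = {os.path.splitext(f)[1].lower() for f in os.listdir(os.path.join(dirpath, d))}
                if DROP_CONTENTS <= exts:           # .exe, .xml and .png all present, as described
                    report["drop_folders"].append(os.path.join(dirpath, d))
    report["infected"] = any(report[k] for k in ("encrypted", "notes", "drop_folders"))
    return report


def build_demo_tree():
    """Constructed sample profile (empty files, not real samples) so the scan can be dry-run offline."""
    root = tempfile.mkdtemp(prefix="wildfire_demo_")
    docs = os.path.join(root, "Documents")
    drop = os.path.join(root, "AppData", "Roaming", "k8Qz2mPt7R")   # constructed 10-character name
    benign = os.path.join(root, "AppData", "Roaming", "ThumbCache")  # also 10 chars, but no .exe/.png
    for d in (docs, drop, benign):
        os.makedirs(d)
    for name in ("budget.xlsx.wflx", "holiday.jpg.wflx",
                 "HOW_TO_UNLOCK_FILES_README_(A1B2C3).html",
                 "HOW_TO_UNLOCK_FILES_README_(A1B2C3).txt"):
        open(os.path.join(docs, name), "w").close()
    for name in ("x7ab.exe", "x7ab.xml", "x7ab.png"):
        open(os.path.join(drop, name), "w").close()
    open(os.path.join(benign, "settings.xml"), "w").close()
    return root


if __name__ == "__main__":
    r = scan_tree(build_demo_tree())
    print(f"infected={r['infected']} encrypted={len(r['encrypted'])} notes={len(r['notes'])} drop={r['drop_folders']}")
```

Point scan_tree at %USERPROFILE% (or a mounted image of the disk) to see which folders hold notes and encrypted files before following the removal steps; the ThumbCache folder in the demo shows why the folder-name check alone is not enough and the .exe/.xml/.png contents are also required.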