
FireCrypt Ransomware

By GoldSparrow in Ransomware

The FireCrypt Ransomware is an encryption ransomware Trojan that also includes a component used to carry out Distributed Denial of Service (DDoS) attacks. The FireCrypt Ransomware carries out a DDoS attack on a specific URL that is hard-coded into the FireCrypt Ransomware. PC security analysts first detected the FireCrypt Ransomware in the last week of 2016. The FireCrypt Ransomware is distributed as a ransomware building kit. These building kits may be used by con artists to create customized ransomware Trojans by inputting their preferred basic settings and parameters into a ransomware builder. The FireCrypt Ransomware builder uses a command line application rather than a graphical user interface and can create numerous variants of the FireCrypt Ransomware with different settings depending on the attack.

The FireCrypt Ransomware is a Low-Level Threat

The ransomware builder used to create the FireCrypt Ransomware is known as BleedGreen, and it allows the people responsible for the FireCrypt Ransomware to create ransomware Trojans with specific file icons, names and executables. Compared to other ransomware builders, the FireCrypt Ransomware's builder is not particularly sophisticated, since other ransomware builders will typically also allow con artists to change options such as the payment address, the amount of the ransom, and the email address used to contact the con artists. The FireCrypt Ransomware builder disguises the FireCrypt Ransomware's executable as a PDF or DOC file, and it alters the FireCrypt Ransomware's code slightly, allowing it to bypass many anti-virus programs. However, this method of obfuscation is very basic in the FireCrypt Ransomware's case, so it does not pose a real threat to most commonly used anti-virus programs.

How the FireCrypt Ransomware Carries out Its Attack

The ultimate goal of the FireCrypt Ransomware is to encrypt files on the victim's computer. The FireCrypt Ransomware targets the following file types (among others):

.txt, .jpg, .png, .doc, .docx, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .csx, .psd, .aep, .mp3, .pdf, .torrent.

Once the FireCrypt Ransomware's executable file runs, it will stop the infected computer's Task Manager, search for approximately 20 different file types and encrypt them using AES-256 encryption. The files affected by the FireCrypt Ransomware will have the extension '.FireCrypt' added to the end of the file name, making it simple to identify which files were compromised during the attack. The FireCrypt Ransomware delivers its ransom note by dropping it on the infected computer's Desktop. The FireCrypt Ransomware's ransom note is nearly identical to the ransom note associated with the Deadly for a Good Purpose Ransomware, which first appeared in October 2016. This earlier ransomware Trojan seemed to be in development and could not carry out file encryption on most affected computers. By inspecting the payment addresses and code associated with these ransomware Trojans, it is clear that the same con artists created both and that there is a direct connection between these ransomware Trojan variants.
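Because FireCrypt appends a fixed '.FireCrypt' marker to every file it encrypts, an incident responder can inventory the damage quickly without touching the malware itself. The script below is an added example written for this page, not code from the FireCrypt analysis or from any vendor tool: it walks a directory tree, lists the encrypted files, recovers each original file name by stripping the marker, and tallies the affected file types against the list given above so that any type outside that list (the write-up says "among others") stands out for the responder. The sample directory tree it builds is constructed for the demonstration; the file names in it are not indicators from any real case.

```python
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Marker FireCrypt appends to encrypted files, per the write-up.
FIRECRYPT_EXT = ".FireCrypt"

# File types the write-up lists as FireCrypt targets.
TARGET_EXTENSIONS = {
    ".txt", ".jpg", ".png", ".doc", ".docx", ".csv", ".sql", ".mdb", ".sln",
    ".php", ".asp", ".aspx", ".html", ".htm", ".csx", ".psd", ".aep", ".mp3",
    ".pdf", ".torrent",
}


def find_encrypted_files(root):
    """Return every file under root whose name carries the .FireCrypt marker."""
    root = Path(root)
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.name.lower().endswith(FIRECRYPT_EXT.lower())
    )


def original_name(encrypted_path):
    """Strip the appended marker: 'report.pdf.FireCrypt' -> 'report.pdf'."""
    name = Path(encrypted_path).name
    return name[: -len(FIRECRYPT_EXT)]


def triage(root):
    """Summarise FireCrypt damage under root for a restore-from-backup plan."""
    encrypted = find_encrypted_files(root)
    originals = [original_name(p) for p in encrypted]
    # Group by the ORIGINAL extension, not the appended marker.
    by_type = Counter(Path(name).suffix.lower() for name in originals)
    unexpected = sorted(ext for ext in by_type if ext not in TARGET_EXTENSIONS)
    return {
        "count": len(encrypted),
        "by_type": dict(by_type),
        "unexpected_types": unexpected,   # hit types not in the published list
        "originals": originals,           # names to pull from backup
    }


def demo():
    """Build a constructed post-infection tree, triage it, and clean up."""
    root = Path(tempfile.mkdtemp(prefix="firecrypt_triage_"))
    try:
        # Constructed sample files; names are placeholders, not real indicators.
        samples = [
            "Desktop/report.pdf.FireCrypt",
            "Documents/notes.txt.FireCrypt",
            "Documents/customers.mdb.FireCrypt",
            "Documents/archive.bak.FireCrypt",   # type outside the published list
            "Documents/readme.md",               # untouched file, must not be counted
        ]
        for rel in samples:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample content")
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    print(f"{report['count']} encrypted files")
    for ext, n in sorted(report["by_type"].items()):
        print(f"  {ext}: {n}")
    if report["unexpected_types"]:
        print("types outside the published target list:", report["unexpected_types"])
```

Run `triage()` against a mounted image or a user's profile directory rather than the live, still-infected host; the output is the list of originals to restore from backup, which is the recovery path the write-up recommends.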

The DDoS Function Added to the FireCrypt Ransomware

Unlike most ransomware Trojans, the FireCrypt Ransomware does not stop its attack after encrypting the victim's files. The FireCrypt Ransomware also connects to a URL and downloads several files to the victim's computer. This allows the FireCrypt Ransomware to fill the Temp directory with numerous junk files downloaded from this URL. Currently, the URL being used by the FireCrypt Ransomware to host these junk files is the official portal of the Telecommunications Authority of Pakistan. These constant requests to the Pakistani government's website are deemed a 'DDoSer' by the FireCrypt Ransomware's author, although this is clearly too weak an implementation to be considered a DDoS attack. It would be necessary for thousands of computers to be infected to cause any problem on the targeted website.
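The "DDoSer" component leaves a network footprint that is easier to spot than the encryption itself: one host repeatedly fetching the same hard-coded URL in a short period. The detector below is an added example for this page, not code from the FireCrypt analysis. It runs a sliding-window count over proxy log lines keyed by (client, URL) and flags pairs whose request rate reaches a threshold. The log format, the hosts and the URL are all constructed placeholders; the write-up does not give the real URL, so `http://target.example/portal/` stands in for it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder for the hard-coded URL FireCrypt fetches; the real one is not reproduced here.
FLOOD_URL = "http://target.example/portal/"


def parse_line(line):
    """Parse a constructed proxy line: '<ISO timestamp> <client> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return datetime.fromisoformat(ts), client, method, url, int(status)


def detect_request_floods(lines, threshold=10, window_seconds=60):
    """Return {(client, url): peak_count} for pairs that reach `threshold`
    requests inside any `window_seconds`-long window. Lines for each client
    are expected in chronological order, as a proxy log normally is."""
    windows = defaultdict(deque)   # (client, url) -> timestamps in the current window
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, _method, url, _status = parse_line(line)
        key = (client, url)
        q = windows[key]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            hits[key] = max(hits.get(key, 0), len(q))
    return hits


def build_sample_log():
    """Constructed proxy log: one infected host flooding, one normal host browsing."""
    start = datetime(2017, 1, 3, 10, 0, 0)
    lines = []
    # Infected host: 15 fetches of the same URL two seconds apart (28 s span).
    for i in range(15):
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 GET {FLOOD_URL} 200")
    # Normal host: 3 visits to the same URL spread over 20 minutes.
    for i in range(3):
        ts = (start + timedelta(seconds=600 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 GET {FLOOD_URL} 200")
    return lines


def demo():
    return detect_request_floods(build_sample_log())


if __name__ == "__main__":
    for (client, url), peak in demo().items():
        print(f"ALERT {client} -> {url}: {peak} requests within 60 s")
```

Tuning matters here: the threshold should sit well above what a browser session generates for the site in question, and alerts should be correlated with the other behaviour the write-up describes (a Temp directory filling with downloaded junk and '.FireCrypt' files appearing) before a host is declared infected.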

Dealing with the FireCrypt Ransomware

Unfortunately, there may not be a way to decrypt the files affected by the FireCrypt Ransomware. Currently, the FireCrypt Ransomware demands a ransom of approximately $500 USD in BitCoins. PC security researchers advise against paying the FireCrypt Ransomware's ransom. Instead, backups of all files should be maintained to prevent these attacks from causing lasting damage. The files affected by the FireCrypt Ransomware can then be restored from a backup copy.
