FireCrypt Ransomware

FireCrypt Ransomware Description

The FireCrypt Ransomware is an encryption ransomware Trojan that also includes a component used to carry out Distributed Denial of Service (DDoS) attacks. The FireCrypt Ransomware carries out a DDoS attack on a specific URL that is hard coded into the FireCrypt Ransomware. PC security analysts first detected the FireCrypt Ransomware in the last week of 2016. The FireCrypt Ransomware is distributed as a ransomware building kit. These building kits may be used by con artists to create customized ransomware Trojans by inputting their preferred basic settings and parameters into a ransomware builder. The FireCrypt Ransomware uses a command line application rather than a graphical user interface and can create numerous variants of the FireCrypt Ransomware with different settings depending on the attack.

The FireCrypt Ransomware is a Low-Level Threat

The ransomware builder used to create the FireCrypt Ransomware is known as BleedGreen, and it allows the people responsible for the FireCrypt Ransomware to create ransomware Trojans with specific file icons, names and executable. Compared to other ransomware builders, the FireCrypt Ransomware's ransomware builder is not particularly sophisticated since other ransomware builders will typically allow con artists also to change options such as the payment address, the amount of the ransom, and the email address used to contact the con artists. The FireCrypt Ransomware builder disguises the FireCrypt Ransomware's executable as a PDF or DOC file, and it alters the FireCrypt Ransomware's code slightly, allowing it to bypass many anti-virus programs. However, this method of obfuscation is very basic in the FireCrypt Ransomware's case, not making it a real threat to most commonly used anti-virus programs.

How the FireCrypt Ransomware Carries out Its Attack

The ultimate goal of the FireCrypt Ransomware is to encrypt files on the victim's computer. The FireCrypt Ransomware targets the following file types (among others):

.txt, .jpg, .png, .doc, .docx, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .csx, .psd, .aep, .mp3, .pdf, .torrent.

Once the FireCrypt Ransomware's executable file runs, it will stop the infected computer's Task Manager and search for 20 different file types approximately and encrypt them using the AES-256 encryption. The files affected by the FireCrypt Ransomware will have the extension '.FireCrypt' added to the end of the file name, making it simple to identify which files were compromised during the attack. The FireCrypt Ransomware delivers its ransom note by dropping it on the infected computer's Desktop. The FireCrypt Ransomware's ransom note is nearly identical to the ransom note associated with Deadly for a Good Purpose Ransomware, which first appeared in October 2016. This earlier ransomware Trojan seemed to be in development and could not carry out file encryption on most affected computers. By inspecting the payment addresses and code associated with these ransomware Trojans, it is clear that the same con artists created both and there is a clear connection between these ransomware Trojan variants.

The DDoS Function Added to the FireCrypt Ransomware

Unlike most ransomware Trojans, the FireCrypt Ransomware does not stop its attack after encrypting the victim's files. The FireCrypt Ransomware also connects to a URL and downloads several files to the victim's computer. This allows the FireCrypt Ransomware to fill the Temp directory with numerous junk files downloaded from this URL. Currently, the URL being used by the FireCrypt Ransomware to host these junk files is the official portal of the Telecommunications Authority of Pakistan. These constant requests to the Pakistani government's website are deemed a 'DDoSer' by the FireCrypt Ransomware's author, although this is clearly too weak an implementation to be considered a DDoS attack. It would be necessary for thousands of computers to be infected to cause any problem on the targeted website.

Dealing with the FireCrypt Ransomware

Unfortunately, it may not be a way to decrypt the files affected by the FireCrypt Ransomware. Currently, the FireCrypt Ransomware demands a ransom of approximately $500 USD in BitCoins. PC security researchers advise against paying the FireCrypt Ransomware's ransom. Instead, backups of all files should be maintained to prevent these attacks. The files affected by the FireCrypt Ransomware can then be restored from a backup copy.

Infected with FireCrypt Ransomware? Scan Your PC for Free

Download SpyHunter's Spyware Scanner
to Detect FireCrypt Ransomware
* SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter? View other possible causes of installation issues.

Site Disclaimer

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

IMPORTANT! To be able to proceed, you need to solve the following simple math.
Please leave these two fields as is:
What is 14 + 4 ?