<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><img src="https://info.threatstop.com/hubfs/Missed%20Delivery.jpg" alt="Missed Delivery.jpg" style="display: block; margin-left: auto; margin-right: auto;" width="448" height="331">
<p>Ransomware operators do not usually target specific victims as a source of money, but this campaign might change that.</p>
<!--more-->
<p>95% of <strong>WildFire</strong> ransomware’s targets were located in the Netherlands, according to Cisco’s Umbrella Blog. The geographic focus of this attack was determined by analyzing the communications of infected nodes with specific domains, particularly:</p>
<ul>
<li><code>exithub1[.]su</code></li>
<li><code>exithub2[.]su</code></li>
<li><code>exithub-pql[.]su</code></li>
<li><code>exithub-xuq[.]su</code></li>
</ul>
<p>Distribution was conducted via an email phishing campaign which notified the victim of a missed package delivery. The email contained a link to download a form to reschedule the delivery. The downloaded form is a Microsoft Word document containing malicious macro code that infects the victim’s computer with the <strong>WildFire Locker</strong> encryption ransomware. When opening the file, the user is prompted to "enable editing" and "enable content." Once these permissions are granted and the macro runs, <strong>WildFire</strong> takes control of the machine and encrypts all the files with AES-256 in CBC mode. Once all the files are encrypted, the ransomware informs the user with a notification page, as <img src="https://info.threatstop.com/hubfs/Article%20Internal%20Images/WildFire%20Locker/WildFire%20notification%20example.png" alt="WildFire notification example.png" style="width: 258px; margin: 0px 0px 10px 10px; float: right;" width="258">demonstrated by the <a href="http://garwarner.blogspot.co.il/2016/07/kelihos-botnet-delivering-dutch.html">CyberCrime &amp; Doing Time blog</a>:</p>
<p>Luckily, as <a href="https://blog.kaspersky.com/wildfire-ransomware-decryptor/12828/">Kaspersky reported</a> in August 2016, a collaborative effort between the National High Tech Crime Unit of the Dutch Police and Kaspersky produced a decryption tool, which can be downloaded from the following locations:</p>
<ul>
<li><a href="http://nomoreransom.org/" target="_blank">nomoreransom.org</a></li>
<li><a href="http://noransom.kaspersky.com/" target="_blank">noransom.kaspersky.com</a></li>
<li><a href="http://support.kaspersky.com/" target="_blank">support.kaspersky.com</a></li>
</ul>
<p>Enabling the <strong>TSCritical</strong> targets in your user policy will add protection against WildFire to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account&nbsp; to try a demo.</p>
<p>If you do have a ThreatSTOP account, instructions to add targets to <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall">IP</a> Firewall policies are available on the ThreatSTOP Documentation Hub. Or contact our team.</p></span>
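<p>The post identifies the campaign by the command-and-control domains infected hosts talked to. A defender who is not yet using a DNS firewall can still hunt for those lookups in resolver logs. The script below is an added example, not code from the post or from ThreatSTOP: it refangs the four <code>[.]</code>-defanged indicators quoted above, matches them (and their subdomains, while rejecting look-alike names such as <code>notexithub1.su</code>) against a hypothetical "timestamp client qname qtype" resolver log format, and returns the hits. The log lines are constructed for the example and are not real traffic.</p>

```python
"""Flag DNS queries for the WildFire C2 domains listed in the post.

The indicator list is taken from the post (defanged with "[.]"); the
resolver log format and the log lines are constructed for this example.
"""
import re

# Indicators exactly as published in the post (defanged).
WILDFIRE_C2_DEFANGED = [
    "exithub1[.]su",
    "exithub2[.]su",
    "exithub-pql[.]su",
    "exithub-xuq[.]su",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


WILDFIRE_C2 = {refang(d) for d in WILDFIRE_C2_DEFANGED}


def matches_indicator(qname: str, indicators=WILDFIRE_C2) -> bool:
    """True if qname equals an indicator or is a subdomain of one.

    A plain suffix test would also match look-alikes such as
    "notexithub1.su", so the label boundary ("." + ioc) is required.
    """
    name = qname.strip().lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in indicators)


# Assumed (hypothetical) resolver log format: "<timestamp> <client_ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def find_wildfire_queries(log_lines):
    """Return (timestamp, client_ip, qname) for every query that hits an indicator."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        qname = m.group("qname").lower().rstrip(".")
        if matches_indicator(qname):
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


# Constructed sample log lines (not from any real network).
SAMPLE_LOG = [
    "2016-08-24T10:01:02Z 10.0.0.12 www.example.com. A",
    "2016-08-24T10:01:05Z 10.0.0.12 exithub1.su. A",
    "2016-08-24T10:01:06Z 10.0.0.17 EXITHUB-PQL.SU A",          # case differs: still a hit
    "2016-08-24T10:01:09Z 10.0.0.17 notexithub1.su. A",        # look-alike: must not match
    "2016-08-24T10:01:11Z 10.0.0.21 cdn.exithub-xuq.su. A",    # subdomain of an indicator: hit
    "garbage line",                                            # malformed: skipped
]

if __name__ == "__main__":
    for ts, client, qname in find_wildfire_queries(SAMPLE_LOG):
        print(f"{ts} {client} queried WildFire C2 domain {qname}")
```

<p>Run against the constructed sample, the scan reports the three clients that resolved <code>exithub1.su</code>, <code>exithub-pql.su</code> and a subdomain of <code>exithub-xuq.su</code>; those client addresses are the hosts to isolate and check for the WildFire Locker dropper.</p>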