WildFire Locker (it appends the .wflx file extension) is ransomware that hits users worldwide. It leaves the operating system bootable and usable but encrypts most of the user's files so that the victim can no longer read them. It also scrambles the file names, so the victim cannot even tell which encrypted file used to be which document.
The family has been around for a while: the first IT security reports on it date back to mid-June, a few weeks before the deadline quoted in the ransom note below.
Several infection vectors contribute to its spread, and some of them are region-specific. A good example is a spam message written in Dutch and sent from the infamous Kelihos botnet, the same spam infrastructure that used to push a Canadian pharmacy scam. A typical message claims that a courier failed to deliver a parcel and asks the recipient to arrange a new delivery slot by downloading and completing an attached form. Opening the download installs the ransomware instead. The same spam run that once advertised pharmaceuticals now delivers the malware.
Once installed, the ransomware reports to a remote command-and-control server. Security researchers managed to intercept part of this communication, but interception alone did not stop the traffic from reaching its destination: the server still delivered further instructions to the compromised machines.
The intercepted data does, however, show where the traffic originates. Most of the affected machines (up to 95%) are in the Netherlands and Belgium.
That does not make WildFire Locker a Dutch virus. The distributors simply rent a spam network whose recipients happen to be concentrated in that region.
The ransomware uses AES-256 in CBC mode, which is strong enough to withstand a direct attack on the ciphertext; there is no practical way to brute-force the key. It deliberately skips certain file types, in particular operating system files, so that Windows keeps running. That is not kindness: a machine that no longer boots is a machine whose owner never sees the ransom note, and the attackers want the note to be read.
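Before any cleanup touches the disk, a responder wants to know how far the encryption went and when it ran. The following PowerShell script is an added example for this article, not code from the original page or from the malware; it assumes only the .wflx extension described above and takes the drive list from the machine it runs on. The write timestamps of the encrypted copies bracket the encryption run, which is the window to match against mail and proxy logs when hunting for the dropper, and the count under the Windows directory checks the claim that system files are skipped.

```powershell
# Added example, not code from the original article or from the malware.
# Assumption: encrypted files carry the .wflx extension described on the page.
function Get-WflxInventory {
    [CmdletBinding()]
    param(
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object Root),
        [string]$Extension = '.wflx'
    )
    $encrypted = foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq $Extension }
    }
    if (-not $encrypted) {
        Write-Warning "No $Extension files found under $($Roots -join ', ')"
        return
    }
    # Sort rather than Measure-Object: Windows PowerShell 5.1 cannot take
    # -Minimum/-Maximum of DateTime values.
    $sorted = @($encrypted | Sort-Object -Property LastWriteTime)
    [pscustomobject]@{
        FileCount       = $sorted.Count
        TotalMB         = [math]::Round((($sorted | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
        # LastWriteTime of the encrypted copies brackets the encryption run.
        FirstWrite      = $sorted[0].LastWriteTime
        LastWrite       = $sorted[-1].LastWriteTime
        # The article says system files are skipped; a non-zero count here
        # means the sample on this machine behaves differently.
        UnderSystemRoot = @($sorted | Where-Object { $_.FullName -like "$env:SystemRoot\*" }).Count
        # Names are scrambled, so the inventory is by directory, not by original file name.
        TopDirectories  = $sorted | Group-Object -Property DirectoryName |
                              Sort-Object -Property Count -Descending |
                              Select-Object -First 10 -Property Count, Name
    }
}

# Usage: record the result as evidence before cleanup changes anything on disk.
# Get-WflxInventory | Format-List
# (Get-WflxInventory).TopDirectories | Export-Csv -Path .\wflx-dirs.csv -NoTypeInformation
```

Run it from an elevated prompt so that other users' profiles are readable, and write the output to a different volume than the one being examined.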
WildFire Locker ransom note:
All your files have been encrypted by WildFire Locker
All your files have been encrypted with a unique 32 characters long password using AES-256 CBC encryption.
The only way to get your files back is by purchasing the decryption password!
The decryption password will cost $/€299.
You have until woensdag 6 juli 2016 UTC before the price increases to $/€999!
Antivirus software will NOT be able to recover your files! The only way to recover your files is by purchasing the decryption password.
Personal ID: –
Visit one of the websites below to purchase your decryption password!
If these websites don’t work follow the steps below
1. Download the TOR Browser Bundle hxxps://www.torproject.org/projects/torbrowser.html.en#downloads
2. Install and then open the Tor Browser Bundle.
3. Inside the Tor Browser Bundle navigate to gsxrmcgsygcxfkbb.onion/
The body of the note is written in English; only the deadline in this sample ("woensdag 6 juli 2016", Wednesday 6 July 2016) is formatted in Dutch. That is a further sign that the campaign does not target a Dutch audience by design; it just happens to be very widespread there.
The note pressures the victim into buying the decryption password. The initial price is $/€299 and, unless it is paid within about a week, it rises to $/€999. The ransom is actually payable in bitcoin; the fiat amounts are indicative and converted at the current exchange rate.
WildFire Locker payment information
A closer look at the ransomware offers a hint on its attribution. A victim goes through two stages of ransom notification. The first is the note dropped on the computer as a .bmp, an HTML file and a .txt file. The second is the payment web page that the note links to. It is reachable online, so anyone can inspect its HTML source. The code contains some
Removing WildFire Locker does not recover the affected data by itself, but it is a mandatory step. If the ransomware is left in place, it can strike again whenever the remote server schedules it to.
That does not mean you should give up on recovery. A complete guide to removing WildFire Locker and restoring the data follows.
Automated cleanup to remove .wflx file extension trojan
The infection vector for ransomware typically involves a trojan dropper, and this family is no exception. The trojan writes its body to the target computer and tries to disable the detection capability of any security product installed, so that the antivirus cannot notice the payload being fetched from the remote server.
A ransomware infection therefore indicates that its dropper is resident on the machine, and it may also point to other infections. A PC that has been compromised by such a trojan can no longer be considered properly protected.
The most drastic option is to wipe every drive and reinstall. That is unacceptable for many users because it destroys all data on the machine. The practical alternative is an in-depth scan with a reliable security suite.
Unless it is removed, the trojan that installed WildFire Locker can install the next strain of ransomware as soon as one becomes available, so it is critical to eliminate it as soon as possible.
The procedure below removes malicious software, including ransomware, by running a reputable security suite that gives malicious components little chance to escape detection and removal. The tool is straightforward to use and the scan is started with a single click.
Note again that removing WildFire ransomware does not recover the affected data. The infection must still be removed, or it will bring related infections onto the machine.
1. Click the button to download the stub installer and go through the setup dialogs. Once the tool is up and running, click Start Computer Scan.
2. Wait until the cleaner has checked the PC for WildFire ransomware files and other malicious code. When the scan completes, the report lists all malware objects found on the system. Make sure the entries for the detected infections are checked and select the Fix Threats feature. This removes the malware and remediates the system, so you should now be good to go.
Restore the encrypted files
WildFire Locker encryption (.wflx) is a sophisticated modification of the data, and there is no single simple solution that covers every case. Paying the ransom demanded by the crooks is not the way either. Apply the methods outlined below; they have been developed to provide recovery help even for severe cases of file-encrypting attacks.
Data recovery with automatic software
The good news is that the ransomware encrypts copies of the files and then deletes the originals. Deleted data can often still be recovered with file-recovery tools such as Data Recovery Pro, as long as the disk sectors have not been overwritten in the meantime. Keep writes to the affected volume to a minimum until the recovery attempt is done, and recover to a different drive.
Shadow Volume Copies
Windows periodically creates Volume Shadow Copies (restore points), so a victim is advised to check the relevant restore points. Unfortunately, the method only works if System Protection was enabled before the infection, and it only returns files as they were at the time the restore point was taken; anything changed after that is lost.
- Previous Versions dialog to target individual files
Open Properties for any file; the dialog has a tab called Previous Versions that lists the versions of the file that exist in shadow copies.
To use the feature, right-click an affected file, choose Properties from the context menu and switch to the Previous Versions tab. You can choose between Copy and Restore; Copy places the earlier version in a location you specify, which is the safer choice while the machine is still being examined.
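The same recovery can be scripted, which matters when hundreds of files are affected and the originals' names have been scrambled. The following PowerShell is an added example, not code from the original article or from any vendor tool. It relies on the Win32_ShadowCopy CIM class and on the well-known trick of exposing a snapshot's device object through a directory symbolic link; it must run elevated, and the file paths in the usage lines are placeholders. If Get-ShadowCopyList returns nothing, shadow copies were never enabled on the machine and this method is unavailable.

```powershell
# Added example, not code from the original article. Requires an elevated prompt.
function Get-ShadowCopyList {
    # One entry per snapshot; pick one whose InstallDate predates the encryption run.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object -Property InstallDate |
        Select-Object -Property ID, InstallDate, VolumeName, DeviceObject
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$ShadowId,      # ID value from Get-ShadowCopyList, e.g. '{...}'
        [Parameter(Mandatory)][string]$RelativePath,  # path below the volume root, e.g. 'Users\alice\Documents\report.docx'
        [Parameter(Mandatory)][string]$Destination    # target file path, ideally on another volume
    )
    $sc = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.ID -eq $ShadowId }
    if (-not $sc) { throw "Shadow copy $ShadowId not found" }

    # The snapshot lives at \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, which the
    # file system cmdlets cannot open directly, so expose it through a directory symlink.
    # The trailing backslash on the link target is required.
    $link = Join-Path $env:TEMP ('vss_' + $sc.ID.Trim('{}'))
    if (-not (Test-Path -LiteralPath $link)) {
        cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    }
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "$RelativePath does not exist in the snapshot taken $($sc.InstallDate)"
        }
        # Copy, never move: the snapshot stays intact for further recovery attempts.
        Copy-Item -LiteralPath $source -Destination $Destination
        Get-Item -LiteralPath $Destination
    }
    finally {
        # rmdir on a directory symlink removes only the link, not the snapshot contents.
        cmd /c rmdir "$link" | Out-Null
    }
}

# Usage (placeholder values):
# Get-ShadowCopyList
# Restore-FileFromShadowCopy -ShadowId '{00000000-0000-0000-0000-000000000000}' `
#     -RelativePath 'Users\alice\Documents\report.docx' -Destination 'D:\recovered\report.docx'
```

Run the restore only after the cleanup step above has completed, and compare the snapshot's InstallDate with the time the encryption started so that you do not pull an already-encrypted version out of a later snapshot.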
Backups and removing remaining traces of the .WildFire (.wflx) ransomware
Prevention is the best cure. If you make regular backups of your data and store them outside the operating system (offline or on a separate device), the impact of the ransomware is limited to the time since the last backup. However, before copying data from backups onto a system hit by the .wflx ransomware, make sure the removal of WildFire Locker has completed; otherwise the restored files may be encrypted again.
Manual removal attempts may kill the main ransomware component, but in most cases some remnants survive and can still cause significant damage. Run a reliable anti-malware scanner to detect and remove any remaining infections.