Ransomware Wiki

FireCrypt Ransomware Overview

FireCrypt ransomware is a new malware threat that is closely related to the Deadly ransomware, which was identified in October 2016. Security analysis has shown that it is a sophisticated platform for building customized ransomware strains. Its creator is known under the alias BleedGreen. The builder's advanced options let attackers assemble their own variants with any of the following features:

  • Startup Entry Creation
  • Taskmgr process kill switch
  • AES-256 encryption module addition
  • Built-in DDoS feature
  • Disk Space Utilization
  • Customized Icon

By default the ransomware kills the running Task Manager process and then activates the encryption module. Every affected file receives the .firecrypt extension. The ransomware also carries a built-in DDoS component, which turns infected machines into participants in attacks against predefined targets.

FireCrypt Ransomware Affected File Types

The AES-256 cipher is used to target a predefined list of 20 file types:

.txt, .jpg, .png, .doc, .docx, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .csx, .psd, .aep, .mp3, .pdf, .torrent
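The following triage script is an added example for responders and is not part of this wiki page or of the malware itself. It assumes only what the page states: FireCrypt appends the .firecrypt extension to each encrypted file, and the 20 extensions listed above are its default targets. The script walks a directory tree, counts renamed files, recovers the original extension of each, and flags any original extension that is not on the page's list, which helps spot a variant built with a different target configuration. The sample directory it builds is constructed for demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# The 20 extensions the page lists as FireCrypt's default targets.
TARGETED_EXTENSIONS = {
    ".txt", ".jpg", ".png", ".doc", ".docx", ".csv", ".sql", ".mdb", ".sln",
    ".php", ".asp", ".aspx", ".html", ".htm", ".csx", ".psd", ".aep", ".mp3",
    ".pdf", ".torrent",
}

# Extension appended to every encrypted file, per the page.
RANSOM_EXTENSION = ".firecrypt"


def find_encrypted_files(root):
    """Walk `root` and return the paths of all files carrying the .firecrypt extension."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(RANSOM_EXTENSION):
                hits.append(Path(dirpath) / name)
    return hits


def original_extension(path):
    """Strip the appended .firecrypt and return the file's original extension (lowercased)."""
    inner = Path(str(path)[: -len(RANSOM_EXTENSION)])
    return inner.suffix.lower()


def triage(root):
    """Summarize a suspected FireCrypt incident under `root`.

    Returns a dict with the number of encrypted files, a Counter of original
    extensions, and a sorted list of original extensions that are not on the
    page's target list (a hint that a differently configured build was used).
    """
    encrypted = find_encrypted_files(root)
    by_ext = Counter(original_extension(p) for p in encrypted)
    unexpected = sorted(ext for ext in by_ext if ext not in TARGETED_EXTENSIONS)
    return {
        "encrypted_count": len(encrypted),
        "by_extension": by_ext,
        "unexpected_extensions": unexpected,
    }


def build_sample_tree(root):
    """Create a constructed directory tree that mimics a partially encrypted host (sample data)."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    samples = [
        "docs/report.docx.firecrypt",
        "docs/notes.txt.firecrypt",
        "docs/photo.jpg.firecrypt",
        "docs/budget.xlsx.firecrypt",  # .xlsx is not on the page's target list
        "docs/readme.md",              # untouched file
        "docs/archive.zip",            # untouched file
    ]
    for rel in samples:
        (root / rel).write_bytes(b"constructed sample content")
    return root


def demo_run():
    """Build the constructed tree in a temporary directory, triage it, and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = demo_run()
    print(f"{result['encrypted_count']} files carry the {RANSOM_EXTENSION} extension")
    for ext, count in sorted(result["by_extension"].items()):
        note = "" if ext in TARGETED_EXTENSIONS else "  (not in the known target list)"
        print(f"  {ext or '<none>'}: {count}{note}")
```

Run it against a suspect share or user profile by replacing `demo_run()` with `triage("/path/to/scan")`; the unexpected-extension list is the part worth reading first, since any entry there means the host was hit by a build that does not match the 20-extension default the page describes.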

FireCrypt Ransomware Note

A ransom note is crafted and placed on the user's desktop. One of the samples contains the following message:

Key Will Be Destroyed On:

1/7/2017
Your Files Are Encrypted:
1758 files encrypted securely.
USER ID: User-io5zHC•zvL – Encryption Used: AES-256
Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click “Encrypted Files” link to view a complete list of encrypted files. and you can personally verify this. Encryption was produced using a unique public key AES-256 generated for this computer. To decrypt files you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files. is located on a secret server on the Internet: the server will eliminate the key after a time period specified in this window. Once this has been done. nobody will ever be able to restore files… In order to decrypt the files you will need to send $500 USD in form of BTC to the following bitcoin address:
1H91foPIcEGFqurFdq5zek4frCshzPZbq9V (How to buy Bitcoins?)
After payment contact gravityz3r0@sigaint.org with your transaction details and “USER 11)”. Once the payment is confirmed you will recieve decryption key along with decryption software. Any attempt to remove or corrupt this software will result in immediate elimination of the private key by the server. Beware.

Encrypted Files

FireCrypt Ransomware Distribution

The FireCrypt ransomware is distributed as an executable file that poses as a legitimate document or other important file, such as a PDF or DOC file. It is classified as polymorphic malware that uses advanced stealth techniques.

FireCrypt Ransomware Removal

In-depth removal instructions and detailed technical information about the virus can be found on Best Security Search.