Best Security Search
Ransomware

FireCrypt Ransomware Virus (Removal Steps and Protection Updates)

Malware researchers have uncovered a dangerous new malware known as the FireCrypt ransomware which features advanced capabilities. Continue reading our in-depth removal guide which will show you all the technical details about the virus and will help you to remove existing infections and protect your computers.


Name
FireCrypt

File Extensions
.firecrypt

Ransom
500 US Dollars in Bitcoins

Solution #1
You can skip all steps and remove FireCrypt with the help of an anti-malware tool.

Solution #2
FireCrypt ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

Distribution
Spam Email Campaigns, malicious ads & etc.

FireCrypt Ransomware Description

The FireCrypt ransomware is a dangerous new malware family that has been identified and analyzed by the malware researchers. It contains dangerous capabilities that can cause major damage to the infected computers. The security research shows that this threat is closely related to an old virus called Deadly for a Good Purpose Ransomware which appeared in October 2016.

FireCrypt ransomware is actually a very sophisticated malware building tool. It includes its own user interface which allows the hackers to create customized versions of the virus. The creator of the virus is known as BleedGreen and his malware allows criminals to create customized versions of FireCrypt that bear custom names and personalized icons.

The customization options feature the following capabilities that can be tuned by the criminal operators of the FireCrypt ransomware attack campaigns:

  • Startup Entry Creation
  • Taskmgr process kill switch
  • AES-256 encryption module addition
  • Built-in DDOS feature
  • Disk Space Utilization
  • Customized Icon

Upon infection the default behavior is to kill the running Task Manager (taskmngr.exe) system process and activate the encryption module. It uses the AES-256 cipher to target a predefined list of 20 file types:

.txt, .jpg, .png, .doc, .docx, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .csx, .psd, .aep, .mp3, .pdf, .torrent

All affected files receive the .firecrypt extension. Once the process is complete the FireCrypt ransomware creates a ransom note which is placed on the user’s Desktop and has the following contents:

Key Will Be Destroyed On:
1/7/2017
Your Files Are Encrypted:
1758 files encrypted securely.
USER ID: User-io5zHC•zvL – Encryption Used: AES-256
Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click “Encrypted Files” link to view a complete list of encrypted files. and you can personally verify this. Encryption was produced using a unique public key AES-256 generated for this computer. To decrypt files you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files. is located on a secret server on the Internet: the server will eliminate the key after a time period specified in this window. Once this has been done. nobody will ever be able to restore files… In order to decrypt the files you will need to send $500 USD in form of BTC to the following bitcoin address:
1H91foPIcEGFqurFdq5zek4frCshzPZbq9V (How to buy Bitcoins?)
After payment contact [email protected] with your transaction details and “USER 11)”. Once the payment is confirmed you will recieve decryption key along with decryption software. Any attempt to remove or corrupt this software will result in immediate elimination of the private key by the server. Beware.
Encrypted Files

Something very specific to this malware is the built-in DDOS function. This connects to a predefined URl, downloads the whole contents of the site and saves it to the %TEMP% folder.

This feature causes two major problems:

  1. If many users get infected with FireCrypt it can cause a large-scale DDOS attack.
  2. The virus can quickly fill out the free space of the victim’s hard drive if the source site is large enough.

The captured malware sample target the Pakistan’s Telecommunication Authority.

FireCrypt Ransomware Distribution

The FireCrypt ransomware samples are executable files that pose as ordinary documents or other types of non-executable data such as PDF or DOC files.

They are classified as polymorphic malware which utilize advanced stealth technique that make it harder for anti-virus software to detect. However according to the analysis the implementation is pretty basic at least in the identified samples so far.

FireCrypt ransomware infects people by using various social engineering tricks to infect the host. Usually this is done through spam email campaigns that feature phishing attempts that lure the customers into downloading and running the malicious files. Infections can also occur by interacting with browser hijackers, malicious ads and other related threats.

FireCrypt Ransomware Removal

For a faster solution, you can run a scan with an advanced malware removal tool and delete FireCrypt completely with a few mouse clicks.

STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.

    1) Hit WIN Key + R

Windows-key-plus-R-button-launch-Run-Box-in-Windows-illustrated

    2) A Run window will appear. In it, write “msconfig” and then press Enter
    3) A Configuration box shall appear. In it Choose the tab named “Boot
    4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
    5) Apply -> OK

Or check our video guide – “How to start PC in Safe Mode with Networking

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on “Organize” button
      – Select “Folder and search options
      – Select the “View” tab
      – Go under “Hidden files and folders” and mark “Show hidden files and folders” option

    3) Windows 8/ 10

      – Open “View” tab
      – Mark “Hidden items” option

    show-hidden-files-win8-10

    4) Click “Apply” and then “OK” button

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Get over to “Processes
    3) When you find suspicious process right click on it and select “Open File Location
    4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process
    5) Next you should go folder where the malicious file is located and delete it

STEP IV: Remove Completely FireCrypt Ransomware Using SpyHunter Anti-Malware Tool

Manual removal of FireCrypt requires being familiar with system files and registries. Removal of any important data can lead to permanent system damage. Prevent this troublesome effect – delete FireCrypt ransomware with SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

STEP V: Repair Windows Registry

    1) Again type simultaneously the Windows Button + R key combination
    2) In the box, write “regedit”(without the inverted commas) and hit Enter
    3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
    4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Further help for Windows Registry repair

STEP VI: Recover Encrypted Files

    1) Use present backups
    2) Restore your personal files using File History

      – Hit WIN Key
      – Type “restore your files” in the search box
      – Select “Restore your files with File History
      – Choose a folder or type the name of the file in the search bar

    restore-your-personal-files-using-File-History-bestecuritysearch

      – Hit the “Restore” button

    3) Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps

restore-files-using-system-restore-point

STEP VII: Preventive Security Measures

    1) Enable and properly configure your Firewall.
    2) Install and maintain reliable anti-malware software.
    3) Secure your web browser.
    4) Check regularly for available software updates and apply them.
    5) Disable macros in Office documents.
    6) Use strong passwords.
    7) Don’t open attachments or click on links unless you’re certain they’re safe.
    8) Backup regularly your data.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.