Wildfire Ransomware Removal Guide

Wildfire Ransomware is a threat that might slither into your operating system in the most inconspicuous manner. If it is executed successfully, this threat goes after your personal files, and it encrypts them using the Advanced Encryption Standard encryption method (AES 256). The main objective behind this is not to damage your files but to make you pay a ransom in return for their decryption. This ransomware deliberately encrypts your files just so that you would give up your savings, which is exactly why ransomware threats are classified as the most devastating and crippling. If your personal files are not backed up, you might be trapped by cyber criminals as paying the ransom is introduced to you as your only option. Is it the only option you have? Should you just delete Wildfire Ransomware without taking care of your files first? How should you remove this monstrous infection from your PC? These and many other questions are answered in this report.

The malicious Wildfire Ransomware is very similar to Pizzacrypts Ransomware, Crypt38 Ransomware, TeslaCrypt Ransomware, and all other malicious ransomware threats we have reported on this site already. Just like with most other threats of its kind, the origins of this ransomware can be traced back to a misleading spam email that contains a corrupted attachment. According to our research, it is most likely that the attack of this infection will start with a Word document file that is macro-embedded. When you try to open this file, you might be introduced to a message asking to enable MS Word macros to be able to view the document. If you enable macros, the malicious code within the corrupted .docx file allows creating or downloading a malicious .exe file. In our case, we found this .exe file in the %HOMEDRIVE%\ProgramData\Memsys\ directory, and it was named “ms.exe”. This file has the ability to automatically run itself to infiltrate the ransomware, which is downloaded to a folder with a random name (should be ten random characters) in the %AppData% directory.

If executed successfully, Wildfire Ransomware encrypts your personal files and introduces you to a message explaining what supposedly needs to be done to have the files decrypted. This message can be delivered to you in various ways. If your desktop wallpaper is not modified by the ransomware, you will find TXT and HTML files (HOW_TO_UNLOCK_FILES_README_([your ID]).html and HOW_TO_UNLOCK_FILES_README_([your ID]).txt). These files should be copied to every folder with encrypted files, and they might be automatically opened on your screen once the encryption of your files is completed. The man message within these files is that you need to pay a ransom as quickly as possible before the fee increases. According to the TXT and HTML files, you need to pay 299 USD or Euro, but if you open one of the links provided to you, you will find that you actually need to pay the ransom in Bitcoins, and the starting fee is 0.5 BTC. A countdown clock is also shown indicating when the ransom fee would increase to 1.5 BTC, or, according to the files, to 999 USD or Euro. Here is an excerpt from one of the messages associated with the Wildfire Ransomware.

WildFire Locker payment page
You are able to unlock your files by paying 0.5 Bitcoins […]
If payment is not made before [date and time] the cost of decrypting your files will rise to 1.5 Bitcoins […][time] left before the decryption price triples!

Even if you remove Wildfire Ransomware or delete the ".wflx" extension from every single file corrupted by this threat, you will not be dealing with the encryption. At the moment, a legitimate, reliable tool capable of decrypting your files does not exist, but it is possible that it will be developed at some time in the future. Unfortunately, we cannot guarantee this. If you go on a lookout for third-party decryption tools, make sure you do not install malware in disguise or get scammed into investing in useless software. Considering that cyber criminals cannot be trusted, and paying the ransom might be void and ineffective, it is not recommended that you waste your money. Now, if you choose not to pay the ransom, you might have to lose your files, which is not a problem if they are backed up. If they are not, let this be a lesson for you that you should always back up your files in case of computer damage or your operating system getting corrupted by malicious infections. Feel free to start a discussion below if you have any questions or concerns.

How to delete Wildfire Ransomware

1. Locate and Delete the malicious .docx file that was used for the execution of the ransomware.
2. Simultaneously tap Win+E keys to launch Explorer.
3. Type %HOMEDRIVE%\ProgramData\Memsys\ into the bar at the top and tap Enter.
4. Right-click the file named ms.exe (could have a different name) and choose Delete.
5. Type %APPDATA% into the bar at the top and tap Enter.
6. Right-click the {name with 10 random characters} folder containing malicious files and select Delete.
7. Right-click the folder named WildFire V1 (could have a different name) and choose Delete.
8. Restart your computer.
9. Immediately download a trusted malware scanner and perform a full system scan.

N.B. Do not forget to implement reliable security software to prevent malware from attacking or causing damage in the future.