1 of 4
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Wildfire Ransomware

Wildfire Ransomware is one of the new ransomware infections that might enter your system without permission one day if you are not careful. If it happens, you will quickly notice that important files are locked and contain the .wflx filename extension. Also, you might notice that your Desktop Wallpaper has been changed too. Finally, you will detect new files, e.g. HOW_TO_UNLOCK_FILES_README_([Unique ID]).html and HOW_TO_UNLOCK_FILES_README_([Unique ID]).txt here and there. If you open any of them, you will find the text explaining what has happened to files as well. Even though you will not unlock your personal files by simply removing Wildfire Ransomware from the system, we still suggest that you eliminate it from your computer in order not to allow this ransomware infection to encrypt your new files. Also, you could use your computer without fear again if you delete it fully. As Wildfire Ransomware creates several new files, it will not be very easy to delete it from the system. We will try to answer all your questions regarding the removal of this ransomware infection in this article; however, if you want to ask us something, you can leave your question in the comment box you will find below the article.

Like other ransomware infections, Wildfire Ransomware enters computers secretly because it is a computer threat that seeks to convince users to pay money. Cyber criminals know that users will not make a payment willingly, so they have developed Wildfire Ransomware in such a way that it could encrypt files. Once this infection finishes locking files using the AES-256 encryption, it opens .html and .txt files in order to inform users what has happened. You might also notice a new Desktop background set because this ransomware infection also puts a .bmp picture on the infected system (it is usually located in %APPDATA%\WildFire V1\WildFire V1\\[random 5 numbers].bmp). It does not matter whether you open an .html, .txt, or .bmp file because they all contain the similar text. Users are informed that files they store on their systems are “encrypted by WildFire Locker” which uses the AES-256 encryption. The price of the decryption password is $/€299; however, it might reach $/€999 if the ransom is not paid within the given time period. We know that you wish to unlock your files; however, we do not think that it is a good idea to pay money for cyber criminals because nobody can assure you that the key for unlocking files will really be sent to you. Besides, you can restore files free of charge if you have their copies, or you can wait for the free decryption tool to be developed. We hope that you have understood the importance of having a backup of all the important files.

If Wildfire Ransomware sneaks onto the computer, it will also create three new files (they will have .exe, .png, and .xml filename extensions) in its own folder whose name will consist of 10 random characters and which will be located in %APPDATA%. These files will be installed on the system only if a user downloads the legitimate-looking .docx file from the spam email, opens it, and enables the MS Word macros. The main file of the ransomware infection (.exe) will be dropped together with two additional files (.xml and .png) by ms.exe (%HOMEDRIVE%\ProgramData\Memsys\ms.exe), which will be created from the malicious code inside the .docx file. Other ransomware infections popular these days are distributed through spam emails that contain harmless-looking documents as well in order to trick users into downloading them. Some of these spam emails are even made to look like they are sent by DHL or another trustworthy company. Never open spam emails if you want to be safe no matter they look like they are completely harmless.

This ransomware infection was first detected on the 21st of June, 2016; however, we are sure that there are a number of users who have already encountered it. If you are one of them, you need to remove Wildfire Ransomware as soon as possible even though your files will stay encrypted. We know that many users do not know anything about the deletion of such serious threats and do not even know where to start to erase them from their PCs, so we have prepared easy easily comprehensible instructions (scroll down to find them). Feel free to use those manual removal instructions; however, if you do not find them helpful, you should use a trustworthy automatic malware remover, e.g. SpyHunter instead to erase the ransomware once and for all. A reliable tool will also protect your system from harm as long as you keep it enabled.

Remove Wildfire Ransomware manually

  1. Remove the malicious .docx file you have downloaded.
  2. Launch RUN (Win+R) and enter %HOMEDRIVE% in the box. Tap Enter.
  3. Go to ProgramData and then open Memsys.
  4. Locate and delete ms.exe.
  5. Open %APPDATA%.
  6. Find the folder with a random name and delete it together with .exe, .xml, and .png files.
  7. Locate the WildFire V1 folder.
  8. Delete it.
  9. Remove all .html and .txt files from directories containing encrypted files.
  10. Empty the Recycle bin and then restart your computer.
Download Spyware Removal Tool to Remove* Wildfire Ransomware
  • Quick & tested solution for Wildfire Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.