BleedGreen FireCrypt Ransomware Kit fails at DDoS (Jan 6th 2017)


The SonicWall Threats Research team has received reports of a new ransomware named FireCrypt. It is created by a malware kit called BleedGreen. The kit generates FireCrypt executables from a limited set of options, including a DDoS of the Pakistan Telecommunication Authority website.

The Kit executable file uses the following icon:

The Kit, which requires .NET 4.0 to run, uses the Windows Command Prompt as its configuration interface. It lists its built-in features and provides an option to supply an icon for the generated malware executable:

Infection Cycle:

Once the generated file is run on the target machine, it kills Task Manager if it is running and makes the following DNS query:


It is believed that the following communication to the Pakistan Telecommunication Authority website is part of an intended DDoS attack, although it appears to be ineffective:

The Trojan scans the filesystem for files to encrypt. JavaScript code found embedded in the executable file shows the list of file extensions that the malware looks for and encrypts using AES-256:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Start Menu\Programs\Startup\EkstrwhbiMZYosv.exe (copy of original) [Detected as GAV: FireCrypt.A (Trojan)]
  • %USERPROFILE%\Desktop\tFyROkGeXTevLgT-filesencrypted.html
  • %USERPROFILE%\Desktop\tFyROkGeXTevLgT-READ_ME.html
  • %USERPROFILE%\Local Settings\Temp\dbgRKSvXIYceWvY-(num).html x453 (where num is a number between 1 and 453)

tFyROkGeXTevLgT-filesencrypted.html contains a list of files that were encrypted by the Trojan.

tFyROkGeXTevLgT-READ_ME.html contains the following message:

As with most ransomware FireCrypt uses Bitcoin as its ransom payment method.
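
The file artifacts listed above can be checked for during host triage. The following is an added example, not part of the original SonicWall write-up: it scans a file listing for the paired Desktop notes and the numbered HTML series in Temp. Matching on suffixes and numbering rather than on the exact file names, the `triage` function, the `min_series` threshold and the sample listing are all assumptions of this example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Artifact shapes taken from the file list above. Matching on suffix and
# numbering instead of the exact names is an assumption of this example.
NOTE_SUFFIXES = ("-filesencrypted.html", "-READ_ME.html")
NUMBERED_HTML = re.compile(r"^(?P<prefix>.+)-(?P<num>\d+)\.html$", re.IGNORECASE)


def triage(paths, min_series=50):
    """Return FireCrypt-style findings from an iterable of Windows paths."""
    notes = defaultdict(set)      # Desktop prefix -> note suffixes seen
    series = defaultdict(set)     # Temp prefix -> file numbers seen
    startup_exes = []
    for raw in paths:
        p = PureWindowsPath(raw)
        parent, name = p.parent.name.lower(), p.name
        if parent == "startup" and name.lower().endswith(".exe"):
            startup_exes.append(raw)
        elif parent == "desktop":
            for suffix in NOTE_SUFFIXES:
                if name.lower().endswith(suffix.lower()):
                    notes[name[: -len(suffix)]].add(suffix)
        elif parent == "temp":
            m = NUMBERED_HTML.match(name)
            if m:
                series[m["prefix"]].add(int(m["num"]))
    return {
        # Both notes sharing one prefix on a Desktop is the strong signal.
        "note_pairs": sorted(k for k, v in notes.items() if len(v) == len(NOTE_SUFFIXES)),
        # Long runs of <prefix>-<n>.html in Temp (453 files in the analysed sample).
        "html_series": {k: len(v) for k, v in series.items() if len(v) >= min_series},
        # Startup executables are context only; review when another signal fires.
        "startup_exes": startup_exes,
    }

# Constructed sample listing: names from the write-up plus benign noise.
USER = r"C:\Documents and Settings\alice"
SAMPLE = [
    USER + r"\Start Menu\Programs\Startup\EkstrwhbiMZYosv.exe",
    USER + r"\Desktop\tFyROkGeXTevLgT-filesencrypted.html",
    USER + r"\Desktop\tFyROkGeXTevLgT-READ_ME.html",
    USER + r"\Desktop\holiday-READ_ME.html",
    USER + r"\Local Settings\Temp\report-1.html",
] + [USER + rf"\Local Settings\Temp\dbgRKSvXIYceWvY-{n}.html" for n in range(1, 454)]

if __name__ == "__main__":
    print(triage(SAMPLE))
```
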

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: FireCrypt.A (Trojan)