{
	"id": "8861f1cd-bbc7-424c-952d-266b23298a36",
	"created_at": "2026-04-06T01:30:25.994176Z",
	"updated_at": "2026-04-10T13:11:46.232041Z",
	"deleted_at": null,
	"sha1_hash": "786c53367bdffb27e64f8aa7801ed3d0fd55a52c",
	"title": "FireCrypt Ransomware Comes With a DDoS Component",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1308720,
	"plain_text": "FireCrypt Ransomware Comes With a DDoS Component\r\nBy Catalin Cimpanu\r\nPublished: 2017-01-04 · Archived: 2026-04-06 01:15:13 UTC\r\nA ransomware family named FireCrypt will encrypt the user's files, but will also attempt to launch a very feeble DDoS attack on a URL hardcoded in its source code.\r\nThis threat was discovered today by MalwareHunterTeam. Below is an analysis of the ransomware's mode of operation, provided by MalwareHunterTeam and Bleeping Computer's Lawrence Abrams.\r\nFireCrypt comes as a ransomware building kit\r\nMalware is usually generated by compiling it from source code, or by using automated software that takes certain input parameters and outputs a customized malware payload on a per-campaign basis.\r\nThe latter are known in the industry as malware builders and usually come as command-line applications or GUI-based tools.\r\nhttps://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/\r\nPage 1 of 8\r\nThe author of the FireCrypt ransomware uses a command-line application that automates the process of putting FireCrypt samples together, allowing him to modify basic settings without having to tinker with bulky IDEs that compile its source code.\r\nFireCrypt's builder is named BleedGreen (seen below), and allows the FireCrypt author to generate a unique ransomware executable, give it a custom name, and use a personalized file icon. Compared to other ransomware builders, this is a very low-end application. Similar builders usually allow crooks to customize a wider set of options, such as the Bitcoin address at which to receive payments, the ransom demand value, the contact email address, and more.\r\nThe builder's role, besides disguising an EXE file under a PDF or DOC icon, is also to slightly alter the ransomware's binary, in order to generate a file with a different hash at every new compilation.\r\nThe technique is often used by malware developers to create so-called \"polymorphic malware\" that's harder to detect by standard antivirus software. According to MalwareHunterTeam, \"the builder is very basic, so this shouldn't help anything against real AVs.\"\r\nNevertheless, this also tells us that the FireCrypt author has at least some sort of experience in developing malware, and isn't your regular script kiddie that downloaded open-source ransomware from GitHub.\r\nFireCrypt infection process\r\nThe FireCrypt infection process hinges on the ransomware distributor's ability to trick users into launching the EXE file they just generated.\r\nOnce this happens, FireCrypt will kill the computer's Task Manager (taskmgr.exe) and begin to encrypt a list of 20 file types. FireCrypt encrypts files with the AES-256 encryption algorithm.\r\nAll encrypted files will have their original file name and extension appended with \".firecrypt\". For example, a file named photo.png will be renamed to photo.png.firecrypt.\r\nOnce the file encryption process ends, FireCrypt drops its ransom note on the user's Desktop.\r\nFireCrypt ransom note\r\nThe ransom note is a nearly identical copy of the ransom note used by the Deadly for a Good Purpose Ransomware, discovered on October 14 by the same MalwareHunterTeam.\r\nDeadly for a Good Purpose Ransomware ransom note\r\nAt the time it was discovered in October 2016, the Deadly for a Good Purpose Ransomware appeared to be under development, as its source code would begin the file encryption process only if the victim's computer date were a day in 2017 or later.\r\nCompared to FireCrypt, the only difference is that the Deadly for a Good Purpose Ransomware also featured a logo at the top of the ransom note, now missing in FireCrypt. But on close inspection of Deadly's source code, MalwareHunterTeam was able to discover that both ransomware versions used the same email and Bitcoin addresses, showing a clear connection between the two, with FireCrypt being a rebranded version of the original Deadly for a Good Purpose Ransomware.\r\nThe DDoS function that fills your hard drive with junk files\r\nAfter dropping the ransom note, FireCrypt doesn't stop its malicious behavior. Its source code contains a function that continuously connects to a URL, downloads its content and saves it to disk in a file in the %Temp% folder, named [random_chars]-[connect_number].html.\r\nIf users aren't aware of this function, FireCrypt will quickly fill the %Temp% folder up with junk files.\r\nCurrent versions of the FireCrypt ransomware will download the content of http://www.pta.gov.pk/index.php, which is the official portal of Pakistan's Telecommunication Authority. This URL cannot be modified using the ransomware's builder.\r\nFireCrypt DDoS function\r\nThe FireCrypt author calls this feature a \"DDoSer,\" but this would be a stretch. The crook would have to infect thousands of victims before launching a DDoS attack large enough to cause any problems for the Authority's website.\r\nFurthermore, all victims would have to be infected at the same time, and have their computers connected to the Internet, in order to participate in the DDoS attack.\r\nAt the time of writing, there's no known method of recovering files encrypted with FireCrypt. Victims infected with this threat who are unable or unwilling to pay the $500 ransom demand should keep a copy of their encrypted files around, as a decrypter might possibly be released in the future.\r\nTargeted file extensions:\r\n.txt, .jpg, .png, .doc, .docx, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .csx, .psd, .aep, .mp3, .pdf, .tor\r\nFiles associated with FireCrypt ransomware:\r\n%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[random_chars].exe - Startup Executable\r\n%Desktop%\\[random_chars]-READ_ME.html - Ransom Note\r\n%AppData%\\SysWin32\\files.txt - List of Encrypted Files\r\n%Desktop%\\[random_chars]-filesencrypted.html - List of Encrypted Files\r\n%Temp%\\[random_chars]-[connect_number].html - Files downloaded during the DDoS attack\r\nHashes associated with the FireCrypt ransomware:\r\nBleedGreen builder (VirusTotal scan is currently at 2/57 detections):\r\nSHA-256: e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d\r\nA FireCrypt ransomware binary sample (VirusTotal scan is currently at 13/57 detections):\r\nSHA-256: 757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4\r\nEmail Address and Payment Contacts:\r\nEMAIL: gravityz3r0@sigaint.org\r\nSource: https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
	],
	"report_names": [
		"firecrypt-ransomware-comes-with-a-ddos-component"
	],
	"threat_actors": [],
	"ts_created_at": 1775439025,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/786c53367bdffb27e64f8aa7801ed3d0fd55a52c.pdf",
		"text": "https://archive.orkl.eu/786c53367bdffb27e64f8aa7801ed3d0fd55a52c.txt",
		"img": "https://archive.orkl.eu/786c53367bdffb27e64f8aa7801ed3d0fd55a52c.jpg"
	}
}