What is IceFire Ransomware
IceFire is the name of a computer infection classified as ransomware. Cybercriminals behind it target data encryption of business users and then extort money (in Monero cryptocurrency) for file decryption. While analyzing technical reports of the virus, we saw it using a combination of cryptographic AES + RSA algorithms to encipher important pieces of data. Just like other infections of such, IceFire Ransomware uses its own extension – .iFire to highlight the restricted data. To illustrate, a file previously titled
1.pdf will change to
1.pdf.iFire and become no longer accessible. Following successful encryption, cybercriminals lay out instructions on what recovery steps should be taken within the iFire-readme.txt note.
********************Your network has been infected!!!********************
IMPORTANT : DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED!!!
All your important files have been encrypted. Any attempts to restore your files with thrid-party software will be fatal for your files!
Restore your data posible only buying private key from us. We have also downloaded a lot of private data from your network. If you
do not contact us in a 5 days, we will post information about your breach on our public news webs.
You should get more information on our page, which is located in a Tor hidden network.
1.Download Tor browser - https://www.torproject.org/
2.Install Tor browser
3.Open link in Tor browser : kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion
4.Follow the instructions on this page
Your account on our website
1.Do not try to recover files yourself, this process can damage your data and recovery will become impossible.
2.Do not waste time trying to find the solution on the internet. The longer you wait, the higher will become the decryption key price.
3.Tor Browser may be blocked in your country or corporate network. Use Tor Browser over VPN.
Your network has been infected
All your important files have been encrypted. Any attempts to restore file with third-party software will be fatal for your files. Restore your data possible only buying private key from us. We have also downloaded a lot of private data from your network. If you do not contact us in five days, we will post information about your breach on our public news webs.
You can pay directly following the steps:
• Log into the website with your account.
• Get the Monero address and number of XMR you should pay.
• Pay XMR to our Monero address.
• Send the blockchain transaction ID to us.
• Download decrypt application from our website.
• We will send private key to you within six hours.
• Finally, decrypt all your files.
Inside this note, extortionists say it is necessary to purchase a special private key from them to recover access to data. To do this, victims are guided to download Tor Browser and open the attached weblink. Thereafter, victims have to log in using the given credentials (username & password) and follow instructions on the webpage. It is worth mentioning that ransomware developers threaten to release sensitive information in public if victims fail to establish contact within 5 days, since files have been encrypted. In addition, there are also alerts saying that any attempts to restore files manually will result in permanent damage or loss. Such warnings may actually be true due to the notorious complexity of assigned ciphers and possible protection installed by the virus against manual interference. Unfortunately, it is rarely possible to perform full decryption of files without the help of cybercriminals. The likelihood of succeeding manually depends on how private keys are stored, what encryption algorithms were used, and whether there are any bugs or flaws within the malicious software itself. Unfortunately, this is likely to be the case with IceFire Ransomware. You can still give it a try using some tools we presented in the tutorial below, however, we are unable to promise their effectiveness with this infection specifically. Paying the ransom is usually not recommended – due to a number of reported cases when users did not receive any decryption from other ransomware developers. Sadly, it is always hard to decide when dealing with ransomware infections, especially if there is a risk of facing reputational risks due to potential data leakage. If you still want to recover your data, excluding cybercriminals’ help, the best way to do so is by using backup copies of data. Note that prior to trying any recovery method that does not involve the participation of the developers, it is important to get rid of ransomware in the first order. You can do it in our guide below and explore some recovery options as well.
How IceFire Ransomware infected your computer
- Download IceFire Ransomware Removal Tool
- Get decryption tool for .iFire files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like IceFire Ransomware
Download Removal Tool
To remove IceFire Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of IceFire Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.
Alternative Removal Tool
To remove IceFire Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of IceFire Ransomware and prevents future infections by similar viruses.
IceFire Ransomware files:
IceFire Ransomware registry keys:
How to decrypt and restore .iFire files
Use automated decryptors
Download Kaspersky RakhniDecryptor
Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .iFire files. Download it here:
There is no purpose to pay the ransom because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
Dr.Web Rescue Pack
Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .iFire files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you are infected with IceFire Ransomware and removed from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Data Recovery Professional to restore .iFire files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses, like IceFire Ransomware , in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. IceFire Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.