[Afire ransomware]
[Virus/Malware Activity Report: Afire Ransomware]
Following an intrusion believed to involve Afire ransomware,
we confirm the situation and issue the following warning.
Afire ransomware
The ransomware in question is called Afire and appears to rename every file it encrypts to <file name.extension.afire>.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
Afire is C++-based ransomware whose code structure is similar to the recently analyzed Qrypt. First, it checks for data and backup-related services and issues a stop command for them. It also compares running processes against the names of specific data and backup programs and forcibly terminates any that match. Afterwards, it runs the shadow copy deletion command and empties the Recycle Bin on all paths without displaying a message.
[Figure 3 Command to stop specific service]
[Figure 4: Force termination of the running process after checking the specific program name]
[Figure 5 Shadow copy deletion command via cmd]
[Figure 6 Emptying the Recycle Bin on all paths]
Infection results
A ransom note named <Restore.txt> is created in each folder, and each encrypted file is renamed to <file name.extension.afire>.
[Figure 5 Infection results]
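The infection results described above can be used to scope affected folders during triage. The following is an added example, not code from this report or its vendor: the function names, the verdict labels and the sample directory tree are assumptions constructed for illustration; only the <Restore.txt> note name and the .afire suffix come from the report.

```python
import os
import tempfile

NOTE_NAME = "restore.txt"   # ransom note name from the report, compared case-insensitively
ENC_SUFFIX = ".afire"       # appended extension from the report


def original_name(filename):
    """Return the pre-encryption name for '<name.ext>.afire', else None."""
    if filename.lower().endswith(ENC_SUFFIX) and len(filename) > len(ENC_SUFFIX):
        return filename[:-len(ENC_SUFFIX)]
    return None


def triage(root):
    """Walk root and report every folder showing the Afire infection artifacts."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        has_note = any(f.lower() == NOTE_NAME for f in files)
        renamed = sorted((f, original_name(f)) for f in files if original_name(f))
        if not (has_note or renamed):
            continue
        if has_note and renamed:
            verdict = "infected"          # note and renamed files together
        elif renamed:
            verdict = "renamed-only"      # note missing or already removed
        else:
            verdict = "note-only"         # Restore.txt alone is a weak signal
        findings[os.path.relpath(folder, root)] = {"verdict": verdict, "files": renamed}
    return findings


def build_sample_tree(root):
    """Create a constructed directory tree (empty files) for the demo."""
    layout = {
        "docs": ["report.docx.afire", "budget.xlsx.AFIRE", "Restore.txt"],
        "clean": ["notes.txt"],
        "tools": ["restore.txt"],
        "photos": ["a.jpg.afire"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in sorted(triage(tmp).items()):
            print(folder, info["verdict"], [orig for _enc, orig in info["files"]])
```

The recovered original names give a per-folder list to compare against backups when planning restoration.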
White Defender compatible
White Defender supports blocking the ransomware's malicious actions and real-time automatic restoration of the files it attempts to encrypt.
[Figure 6 Block message]