WildFire Ransomware Decryption Keys Seized
Posted by: Timothy Weaver on 08/25/2016 10:39 AM
The No More Ransom initiative has released decryption keys for the WildFire ransomware, which is mostly hitting Dutch computers.
The Dutch National Police took control of the command and control servers on Wednesday and confiscated 5,800 decryption keys–including roughly 3,000 keys for Dutch infections and 2,100 for Belgian infections.
The infection is mostly spread by malicious spam emails that are written in "flawless Dutch". Unlike the operators of other ransomware, the WildFire attackers rely on a phony Dutch domain and actually put the address of the targeted company in the e-mail. This increases the likelihood that someone will open it.
The spam email lures the victim by purportedly saying that the victim has a package that needs delivering, and asks the victim to reschedule the delivery. The document is laden with macros which, once enabled, download and execute the ransomware.
The ransom demand is $299 Euros to decrypt the files. However, the price increases after 8 days to $999. The campaign has seen a rather handsome return: after only a month, there have been more than 5,700 infections, and 236 users paid roughly $78,700 USD.
“The seizure of the Wildfire decryption keys proves again that fighting cybercrime, especially ransomware, is more successful through collaboration,” John Fokker, the Digital Team Coordinator of the Dutch National High Tech Crime Unit said Wednesday, “The Dutch police will strive to help ransomware victims by investigating ransomware cases, take down criminal infrastructure and distributing decryption keys.”
The decryption keys and the capture of the C&C servers were a joint effort by Europol, the Dutch National Police, Intel Security, and Kaspersky Lab.