WanaCrypt0r Ransomware

What is WanaCrypt0r Ransomware?

If your operating system has not been updated in the past few months, WanaCrypt0r Ransomware could slither in without any warning. Although the patch that closes the vulnerability this infection uses to enter the computer was released in March 2017, many users have failed to install it, which is the main reason the malicious ransomware is spreading. Once it slithers in, it demands a ransom of $300 to be paid to one of three Bitcoin addresses: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 (at the time of research, they had collected a staggering sum of $65,970.35, or 38.89 BTC). You are given 3 days to make a move, and that is a long period to think things through. The bad news is that the cyber crooks who created this ransomware are not reliable, so it would be naive to expect them to provide their victims with working decryption keys in return for ransom payments. The Anti-Spyware-101.com research team warns that your files are most likely locked permanently and that there is nothing you can do to decrypt them. Despite that, you MUST remove WanaCrypt0r Ransomware.

How does WanaCrypt0r Ransomware work?

The distribution of the malicious WanaCrypt0r Ransomware is quite unusual. While most ransomware threats that we have reviewed on this site (e.g., Fatboy Ransomware or Frozrlock Ransomware) are executed with the help of corrupted spam email attachments, a more complex method is employed to spread WanaCrypt0r. A malicious worm scans for hosts that expose TCP port 445 (Samba/SMB). This port is required by the ETERNALBLUE exploit, which the worm uses to gain access to the vulnerable Windows operating system. When the worm enters the computer, it immediately tries to connect to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (previously, it connected to a different domain, 9iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and others could exist as well). If the worm can connect to this domain, the operation is stopped by the kill-switch feature. If the connection fails, the worm extracts a password-protected .zip file, and the malicious WanaCrypt0r Ransomware is dropped right after that. Shortly after, the encryption begins, and the ransomware is capable of encrypting documents, text files, photos, presentations, archives, ZIP files, and all other kinds of files. Either the .WNCRY or the .WNCRYT extension is appended to them, which makes the encrypted files easy to spot.
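The two network behaviours described above, the kill-switch DNS lookup and the sweep of neighbouring hosts on TCP port 445, are both visible to a defender before any file is encrypted. The following Python script is an added example, not code from the original page or from the malware: it runs simple detection logic over constructed DNS and connection log lines (the log format and the IP addresses are assumptions of this example) and flags hosts that resolved either kill-switch domain named on the page, or that contacted an unusual number of distinct hosts on port 445 within a short window.

```python
import re
from collections import defaultdict

# The two kill-switch domains the page names. An infected host queries one of
# them before deciding whether to proceed, so the lookup itself is an indicator.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "9iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample log lines (the line format is an assumption of this example):
#   "<epoch> dns <client-ip> <queried-name>"
#   "<epoch> conn <src-ip> <dst-ip> <dst-port>"
SAMPLE_LOG = [
    "1494600001 dns 10.0.0.5 www.example.com",
    "1494600002 dns 10.0.0.7 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "1494600005 conn 10.0.0.9 10.0.0.50 445",  # one client, one file server: normal
    "1494600040 conn 10.0.0.9 10.0.0.50 445",
] + [
    # 10.0.0.7 touches twelve neighbours on 445/tcp within a few seconds
    f"{1494600003 + i} conn 10.0.0.7 10.0.0.{100 + i} 445" for i in range(12)
]

DNS_RE = re.compile(r"^(\d+) dns (\S+) (\S+)$")
CONN_RE = re.compile(r"^(\d+) conn (\S+) (\S+) (\d+)$")


def parse(lines):
    """Split log lines into DNS events (ts, client, qname) and connection
    events (ts, src, dst, dport); lines in neither format are ignored."""
    dns, conns = [], []
    for line in lines:
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            dns.append((int(m[1]), m[2], m[3].lower().rstrip(".")))
            continue
        m = CONN_RE.match(line)
        if m:
            conns.append((int(m[1]), m[2], m[3], int(m[4])))
    return dns, conns


def kill_switch_lookups(dns):
    """Clients that resolved a kill-switch domain, sorted for stable output."""
    return sorted({client for _, client, qname in dns if qname in KILL_SWITCH_DOMAINS})


def smb_fanout(conns, window=60, threshold=10):
    """Sources that contacted at least `threshold` distinct hosts on 445/tcp
    inside any `window`-second span. A workstation talking to a single file
    server repeatedly never reaches the threshold; a scanning worm does."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in conns:
        if dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        lo, peak = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peak = max(peak, len({d for _, d in events[lo:hi + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def analyze(text):
    """Run both checks over raw log text and return the findings."""
    dns, conns = parse(text.splitlines())
    return {"kill_switch_lookups": kill_switch_lookups(dns), "smb_fanout": smb_fanout(conns)}


if __name__ == "__main__":
    print(analyze("\n".join(SAMPLE_LOG)))
```

The fan-out check uses a sliding window rather than a plain per-host count so that a long-running log of legitimate SMB traffic does not accumulate into a false positive; the threshold and window are tuning knobs that should be set from a baseline of the monitored network.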

WanaCrypt0r Ransomware creates two files to represent the ransom demands. One of them is called “@Please_Read_Me@.txt”, which is a simple text file. The other one is called “@WanaDecryptor@.exe”, and it launches a window on the Desktop (see the image displayed). Both files are copied to every location where encrypted files are found. The ransom demands can be shown in various languages (e.g., English, Swedish, Italian, Croatian, German, and Chinese), so it is not surprising that the infection is believed to have hit computers in over 150 countries. This might also be the reason why the ransomware is recognized by so many different names, the best known of which are WannaCry Ransomware and Wana Decrypt0r. Although the infection can affect regular users, it has also been reported to have affected Renault, Nissan, Hitachi, FedEx, Telefonica, and a number of other companies. The NHS in the United Kingdom and the Interior Ministry in Russia have confirmed successful attacks as well. Unfortunately, many parties have paid the ransoms because they must have been convinced that the encrypted files would be released in return. Here is an excerpt from the ransom note.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. […]
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

According to the latest research, WanaCrypt0r Ransomware can delete Shadow Volume Copies and erase the Windows Server Backup history. Moreover, Windows startup recovery can be disabled as well. If that was not enough, files synchronized with cloud storage can be affected too. Because of that, it becomes even more unlikely that the files corrupted by the malicious Wana Decrypt0r Ransomware can be recovered.
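The backup tampering described above leaves a clear trail in process-creation logs, and because each of those actions has a legitimate administrative use, the useful signal is the combination on one host rather than any single command. The following Python script is an added example, not code from the original page: it runs detection rules over constructed process-creation events. The command lines it matches are the standard Windows utilities for deleting shadow copies (vssadmin, wmic), deleting the Windows Server Backup catalog (wbadmin) and disabling startup recovery (bcdedit); that the ransomware invokes exactly these commands is an assumption of this example, as are the host names and timestamps.

```python
import re
from collections import defaultdict

# Constructed process-creation events (tab-separated: timestamp, host, user,
# command line). WS-17 shows the full ransomware pattern; SRV-BKP shows a
# backup administrator pruning old shadow copies and running a scheduled backup.
SAMPLE_EVENTS = [
    "2017-05-12T10:01:00\tWS-17\tjdoe\tvssadmin list shadows",
    "2017-05-12T10:02:13\tWS-17\tjdoe\tvssadmin delete shadows /all /quiet",
    "2017-05-12T10:02:13\tWS-17\tjdoe\twmic shadowcopy delete",
    "2017-05-12T10:02:14\tWS-17\tjdoe\tbcdedit /set {default} recoveryenabled no",
    "2017-05-12T10:02:14\tWS-17\tjdoe\twbadmin delete catalog -quiet",
    "2017-05-12T22:00:00\tSRV-BKP\tSYSTEM\tvssadmin delete shadows /for=E: /oldest",
    "2017-05-12T22:05:00\tSRV-BKP\tSYSTEM\twbadmin start backup -backupTarget:F: -quiet",
]

# Rule name -> pattern over the command line. Several rules may share a name;
# the name is the behaviour category the text describes, not the tool.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("startup_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def parse_event(line):
    """Split one tab-separated event into its fields."""
    ts, host, user, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def match_rules(cmdline):
    """Distinct behaviour categories a command line triggers (empty if none)."""
    return sorted({name for name, rx in RULES if rx.search(cmdline)})


def scan(lines):
    """One finding per (event, category): (ts, host, category, cmdline)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for category in match_rules(ev["cmdline"]):
            findings.append((ev["ts"], ev["host"], category, ev["cmdline"]))
    return findings


def hosts_by_severity(findings):
    """A host that hits two or more categories is escalated: any one command
    can be maintenance, but the combination is the recovery-sabotage pattern."""
    categories = defaultdict(set)
    for _ts, host, category, _cmd in findings:
        categories[host].add(category)
    return {host: ("critical" if len(cats) >= 2 else "review")
            for host, cats in categories.items()}


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(hosts_by_severity(scan(SAMPLE_EVENTS)))
```

In a real deployment the events would come from Sysmon event 1 or Windows Security event 4688 with command-line auditing enabled; without command-line logging none of these rules have anything to match, which is itself a finding worth raising.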

How to delete WanaCrypt0r Ransomware

The manual removal of WanaCrypt0r Ransomware is not recommended because it is quite complicated. The launcher of this malicious ransomware has a unique name, so you might have trouble finding and deleting it, and the last thing you should do is go around removing random files that look suspicious to you. If you want to get rid of the ransomware manually, you can refer to the guide below. Using a reliable malware scanner afterward is compulsory because you do not want to miss any leftovers. Another option you have is to utilize automated anti-malware software. If you keep this software installed and keep up with all Microsoft security updates, you should prevent malicious infections from attacking your operating system in the future. If your operating system is not yet updated, go to Control Panel\System and Security\Windows Update to install the latest updates IMMEDIATELY.

Removal Guide

  1. Delete the file named @WanaDecryptor@.exe (found in every directory along with encrypted files).
  2. Delete the ransom file named @Please_Read_Me@.txt (found in every directory along with encrypted files).
  3. Simultaneously tap Win+E to launch Explorer.
  4. Enter %WINDIR% into the bar at the top.
  5. Delete the file called tasksche.exe.
  6. Enter %ALLUSERSPROFILE% (or %ALLUSERSPROFILE%\Application Data) into the bar at the top.
  7. Look for a folder with a random name that contains a file named tasksche.exe. If such a folder exists, right-click it and choose Delete.
  8. Also, delete any recently downloaded suspicious files.
  9. Perform a full system scan to check for potential leftovers.
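The guide above and the earlier description of the note files being copied into every encrypted folder both amount to a filesystem search for a fixed set of names and extensions. The following Python script is an added example, not code from the original page or from any vendor tool: it walks a directory tree for .WNCRY/.WNCRYT files and the two note files, checks for tasksche.exe directly under the %WINDIR% equivalent and inside any subfolder of the %ALLUSERSPROFILE% equivalent (steps 5 and 7), and then moves the malware artifacts into a quarantine folder rather than deleting them, so a scanner or analyst can still examine them. The encrypted user files are left untouched. The directory layout, folder names and file names in demo() are constructed for the example and are not real paths from an infected machine.

```python
import os
import shutil
import tempfile

# Indicators taken from the guide above (compared case-insensitively).
ENCRYPTED_EXTS = {".wncry", ".wncryt"}
RANSOM_NOTES = {"@please_read_me@.txt", "@wanadecryptor@.exe"}
LAUNCHER_NAME = "tasksche.exe"


def find_artifacts(user_root, windir, allusersprofile):
    """Report folders holding encrypted files, every ransom-note file under
    user_root, and launcher candidates in the two system locations."""
    found = {"encrypted_dirs": set(), "ransom_notes": [], "launchers": []}
    for root, _dirs, files in os.walk(user_root):
        for name in files:
            lower = name.lower()
            if os.path.splitext(lower)[1] in ENCRYPTED_EXTS:
                found["encrypted_dirs"].add(root)
            elif lower in RANSOM_NOTES:
                found["ransom_notes"].append(os.path.join(root, name))
    # Step 5: tasksche.exe directly inside %WINDIR%.
    candidate = os.path.join(windir, LAUNCHER_NAME)
    if os.path.isfile(candidate):
        found["launchers"].append(candidate)
    # Step 7: a randomly named folder under %ALLUSERSPROFILE% that holds
    # tasksche.exe; the whole folder is the artifact, as in the guide.
    for entry in os.scandir(allusersprofile):
        if entry.is_dir() and os.path.isfile(os.path.join(entry.path, LAUNCHER_NAME)):
            found["launchers"].append(entry.path)
    found["encrypted_dirs"] = sorted(found["encrypted_dirs"])
    return found


def quarantine(found, dest):
    """Move note files and launcher candidates into dest, numbered to avoid
    name collisions between copies from different folders. Returns new paths."""
    os.makedirs(dest, exist_ok=True)
    moved = []
    for i, path in enumerate(found["ransom_notes"] + found["launchers"]):
        target = os.path.join(dest, f"{i:03d}_{os.path.basename(path)}")
        shutil.move(path, target)
        moved.append(target)
    return moved


def demo():
    """Build a constructed layout mirroring the guide's locations, run the
    triage and quarantine, and return counts for verification."""
    base = tempfile.mkdtemp(prefix="wncry-triage-")
    try:
        docs = os.path.join(base, "Users", "jdoe", "Documents")
        windir = os.path.join(base, "Windows")              # stands in for %WINDIR%
        allusers = os.path.join(base, "ProgramData")        # stands in for %ALLUSERSPROFILE%
        dropper_dir = os.path.join(allusers, "xkqwe9rtg")   # constructed random folder name
        for d in (docs, windir, dropper_dir, os.path.join(allusers, "Microsoft")):
            os.makedirs(d)
        for name in ("report.docx.WNCRY", "notes.txt.WNCRYT", "untouched.png",
                     "@Please_Read_Me@.txt", "@WanaDecryptor@.exe"):
            open(os.path.join(docs, name), "wb").close()
        for path in (os.path.join(windir, LAUNCHER_NAME),
                     os.path.join(dropper_dir, LAUNCHER_NAME)):
            open(path, "wb").close()

        found = find_artifacts(os.path.join(base, "Users"), windir, allusers)
        moved = quarantine(found, os.path.join(base, "quarantine"))
        return {
            "encrypted_dirs": len(found["encrypted_dirs"]),
            "ransom_notes": len(found["ransom_notes"]),
            "launchers": len(found["launchers"]),
            "quarantined": len(moved),
            "left_in_documents": len(os.listdir(docs)),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a live machine the three arguments to find_artifacts would be the user profile root and the values of %WINDIR% and %ALLUSERSPROFILE%, and the script should run from a clean boot environment so the launcher is not executing while it is moved; as the text says, a full scan with a reputable anti-malware product afterwards is still required to catch anything this fixed indicator list misses.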
