WanaCrypt0r Ransomware

WanaCrypt0r Ransomware is a notorious infection that has been detected in over 150 countries. It is capable of representing its ransom demands in many different languages, some of which include Chinese, English, French, Japanese, Portuguese, and Spanish. If you read/watch the news, you probably have heard of this ransomware already because it has affected global companies such as FedEx and Nissan, as well as the Russian interior ministry and the National Health Service (NHS) in the UK. According to a Twitter account “@actual_ransom” following the Wana Ransomware, the cyber criminals behind this massive infection have already collected over 64,000 USD in ransom payments. At the time, three Bitcoin addresses (13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn) are being used to collect money. If you have not become a victim of this ransomware yet, you have to make sure that your Windows operating system is updated immediately. If you have already faced this threat, there are things you need to do. Of course, it is most important that you remove WanaCrypt0r Ransomware.

Although we are calling WanaCrypt0r Ransomware by this name, it is also known by other names, some of which include WannaCry Ransomware, WanaDecryptor, and Wana Decrypt0r 2.0. The unique thing about this threat is that it is both a ransomware and a worm. In April of 2017, an exploit by the name “ETERNALBLUE” was leaked online. This exploit uses an SMB (Server Message Block) port to open a backdoor to the targeted computer. After gaining access to the computer, the worm connects to a specific domain, and one of two things happen. If the connection is available, the infection will exit because it works as a kill switch. If the connection is denied, a password-protected .zip file is executed, and this is how the malicious WanaCrypt0r Ransomware is unleashed. The first kill switch was found by accident by a researcher in the UK, and the second kill switch was created by the founder of Comae Technologies. Once the malicious ransomware is executed, it can download a Tor client to communicate with gx7ekbenv2riucmf.onion, xxlvbrloxvriy2c5.onion, 57g7spgrzlojinas.onion, 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.

The threat also sends commands to delete Shadow Volume Copies, erase Windows Server Backup history, and even disable the Windows startup recovery. UAC (User Account Control) notifications should show up during these processes. If you do not give the permission, WanaCrypt0r Ransomware might fail to do these things. Otherwise, the recovery of files becomes impossible. It is also important to mention that the ransomware is also capable of overwriting the files stored in cloud storage. When it comes to the files on your computer, it was found that it can encrypt a ton of different types of files, including .docx, .doc, .java, .class, .wav, .avi, .mov, .mkv, .flv, .gif, .jpg, .jpeg, .zip, and .rar. Besides encrypting the files, the ransomware also can attach a unique extension (“.WNCRYT” or “.WNCRY”) to their names. In every folder containing the encrypted files, you will find a ransom note file named “@Please_Read_Me@.txt”, as well as a file called “@WanaDecryptor@.exe”. This one is responsible for executing a message on the Desktop. Both of these files inform that you need to transfer “$300 worth of bitcoin” to the provided Bitcoin Address. You are given 7 days to make the payment. Unfortunately, it is highly unlikely that a decryption key would be provided to you if you paid the ransom.

The clandestine worm that executes the malicious WanaCrypt0r Ransomware is spread using a vulnerability that Microsoft has already taken care of on the 14th of March, 2017. If you have not updated your operating system, the chances of getting it infected are significantly higher, and so you should install it immediately. If the malicious ransomware has already invaded your operating system and encrypted your personal files, you must be thinking what to do next. Since paying the ransom is unlikely to solve any issues for you, other options must be considered. For example, if your files are safely backed up on an external drive, you should have no problem recovering personal data. Of course, you should hook external drives to your PC only after you delete WanaCrypt0r Ransomware. Another option you have is to employ tools that could possibly recover your files using Shadow Volume Copies and your system’s backup. That will work only if the ransomware has failed to delete Shadow Volume Copies and disable the Windows startup recovery. Once you clean your operating system from this threat – regardless of the outcome – you have to make sure you employ trusted security software, install all necessary security updates, and, of course, set up a reliable file backup system.

N.B. The manual removal of WanaCrypt0r Ransomware can be complicated to the less experienced users. Therefore, we strongly advise utilizing trusted and legitimate anti-malware software right away. If you want to discuss the removal process more extensively, start a discussion in the comments section.

WanaCrypt0r Ransomware Removal:

1. Right-click and Delete suspicious files that you have recently downloaded.
2. Right-click and Delete the file named @WanaDecryptor@.exe (note that it has multiple copies).
3. Right-click and Delete the file named @Please_Read_Me@.txt (note that it has multiple copies).
4. Simultaneously tap Win+E to launch Windows Explorer.
5. Enter %WINDIR% into the bar at the top.
6. Right-click and Delete the file named tasksche.exe.
7. Enter %ALLUSERSPROFILE% into the bar at the top.
8. Right-click and Delete the {random name} folder if it contains a file named tasksche.exe.
9. Empty Recycle Bin.