Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Wal Ransomware

Cybercriminals are smart, and they know that you value your personal files. That is why Wal Ransomware is likely to be a successful infection for them. This malware does not have many functions, but they are destructive enough to make it possible to terrorize Windows users into giving up their money. Once it is executed, it encrypts files, and then attackers introduce the victims to very specific instructions. Of course, you cannot be forced to follow these instructions, but if your personal files matter to you, and if you do not have backups that could replace them, you are more likely to give in. Have you already paid the ransom requested in return for a decryption tool? If you have, it is unlikely that the tool was provided to you. Unfortunately, cybercriminals are unreliable, and their promises to help you are likely to be empty. In any case, you must remove Wal Ransomware if it has slithered in, and we suggest doing it ASAP.

Wal Ransomware is a new infection, but it is not a unique one. It was created using open-source code that has been used many times before by such threats as Zatrov Ransomware, Vesrato Ransomware, or Cetori Ransomware. Our research team identifies all of these infections as Crysis/Dharma Ransomware. When they invade operating systems using spam emails and RDP vulnerabilities, they always display the same ransom note, and even the extension added to the corrupted files is somewhat similar. This extension always includes an ID number, an email address, and a pseudo extension. In the case of Wal Ransomware, it is “.id-{id}.[decryptdocs@protonmail.com].wal,” and you should see it attached to all personal files. This is the best proof that your personal files were encrypted and that you need to delete malware from your operating system. Unfortunately, deleting the ransomware will not help you restore your personal files. In fact, it is unlikely that you can restore your files if they were encrypted by this malware.
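
An added example, not part of the original page: a read-only PowerShell inventory of files that carry the appended marker described above, to scope which files have to come from backups. The scan root, the CSV output path and the function name ConvertFrom-WalName are assumptions made for illustration.

```powershell
# Added example: lists files carrying the appended marker. No scanned file is changed.
$Root = $env:USERPROFILE   # assumption: start the scan at the user profile

# <original name>.id-<id>.[<contact email>].wal
# The page does not give the id format, so any dot-free run is accepted.
$Pattern = '^(?<original>.+)\.id-(?<id>[^.]+)\.\[(?<email>[^\]]+)\]\.wal$'

function ConvertFrom-WalName {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -notmatch $Pattern) { return $null }
    [pscustomobject]@{
        Original = $Matches['original']
        Id       = $Matches['id']
        Email    = $Matches['email']
    }
}

$found = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Filter '*.wal' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $parts = ConvertFrom-WalName -Name $_.Name
        if ($parts) {
            [pscustomobject]@{
                Folder   = $_.DirectoryName
                Original = $parts.Original
                Id       = $parts.Id
                Email    = $parts.Email
                Modified = $_.LastWriteTime
            }
        }
    }

# One row per id / contact address pair. Treating last-write times as a rough
# window for when the files were changed is an assumption of this example.
$found | Group-Object Id, Email | ForEach-Object {
    $times = @($_.Group.Modified | Sort-Object)
    [pscustomobject]@{
        Id = $_.Group[0].Id; Email = $_.Group[0].Email; Files = $_.Count
        First = $times[0]; Last = $times[-1]
    }
} | Format-Table -AutoSize

# Original names per folder, for matching against backups (output path is an assumption).
$found | Sort-Object Folder, Original |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\wal-inventory.csv"
```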

If your personal files were encrypted by Wal Ransomware, you must have found a file named "FILES ENCRYPTED.txt," and a window entitled “decryptdocs@protonmail.com” must have been launched. The text file is not very informative, and it simply states that data was “locked” and that you need to send a message to decryptdocs@protonmail.com or decryptdocs@airmail.cc to initiate the recovery of your files. The message that is delivered via the window is a little bit more informative, but, essentially, it states the same thing. The message also states that a ransom would have to be paid in Bitcoin to obtain a decryption tool, but there is no information about the size of the ransom or the Bitcoin wallet to which the ransom would have to be paid. Note that sending a message to cybercriminals from your regular email account could be dangerous, which is something you need to think about carefully. When it comes to paying the ransom, you already know that we do not think that the attackers will give you a decryptor in return for your money. Needless to say, we do NOT advise paying the ransom.

There is no denying that Wal Ransomware is a dangerous infection, and, unfortunately, once it slithers in silently, it can cause great damage to your personal files. After encryption, they might be unsalvageable, and even if you pay the ransom as instructed by the attackers, you are unlikely to get your files back. You could take a risk and rely on the attackers to help you out, but we suggest focusing on the removal of the threat. You might be able to delete Wal Ransomware manually, but if that is not an option, install an anti-malware program, and it will clean your operating system automatically. Another perk of this program is the full-time protection it can provide. Needless to say, if you do not want your operating system and personal files taken over by malware in the future, automated protection is something you need to consider seriously. After you delete the infection, hopefully, you will be able to replace your files with backups that you have stored outside the infected system. If you had not created backups, make sure you start creating them now.

Wal Ransomware Removal

  1. Delete the ransom note file called RETURN FILES.txt.
  2. Simultaneously tap Win+E keys to access Windows Explorer.
  3. Enter the following paths into the quick access field to find and delete the malicious files. One of them is an .exe file with a random name, and the other one is Info.hta.
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  4. Simultaneously tap Win+R keys to access Run and enter regedit into the dialog box.
  5. In Registry Editor, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  6. Delete all values associated with the malicious .exe and Info.hta files in step 2.
  7. Empty Recycle Bin and then perform a full system scan using a legitimate malware scanner.
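
An added example, not part of the original page: a read-only PowerShell review of the folders listed in step 3 and the Run key from step 5, so the candidates can be checked before anything is deleted by hand. Filtering .exe files by Authenticode status is a heuristic assumed here, not a rule from the page.

```powershell
# Added example: lists candidates only. It deletes nothing.
$locations = @(
    $env:APPDATA,
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:WINDIR\System32"
)

$candidates = foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'Info.hta' -or $_.Extension -ieq '.exe' } |
        ForEach-Object {
            $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            # Heuristic (assumption of this example): Info.hta is always listed;
            # an .exe is listed only when its signature is not valid.
            if ($_.Name -ieq 'Info.hta' -or $sig -ne 'Valid') {
                [pscustomobject]@{
                    Name = $_.Name; Path = $_.FullName
                    Signature = $sig; Modified = $_.LastWriteTime
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
        }
}

# Run key values whose data mentions one of the candidate file names.
$runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runHits = foreach ($name in $runKey.GetValueNames()) {
    $data = [string]$runKey.GetValue($name)
    $hit = $candidates | Where-Object {
        $_ -and $data.IndexOf($_.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    if ($hit) { [pscustomobject]@{ Value = $name; Data = $data } }
}

$candidates | Sort-Object Modified -Descending | Format-List
$runHits | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so System32 and the all-users Startup folders are readable; an empty result means only that nothing matched these filters.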