Wana Decrypt0r Ransomware Removal Guide

Do you know what Wana Decrypt0r Ransomware is?

Wana Decrypt0r Ransomware is not the typical or poorly written ransomware that we often encounter. This infection was distributed using the ETERNALBLUE exploit, which is generally believed to have been created by the U.S. National Security Agency. It looks like some hackers managed to get their hands on it and shared it on the Internet. Wana Decrypt0r Ransomware’s developers used it and, as a consequence, managed to infect an enormous number of devices around the world. Fortunately, the malicious application was stopped from spreading further, and users can now update their operating system to eliminate the particular vulnerability that allowed the exploit to access devices running Windows. For more information about the malware, we encourage you to read the rest of the report. Below it there is a removal guide as well, so you can get rid of this worm faster.

How to identify Wana Decrypt0r Ransomware?

First of all, if your computer was infected with this particular malware, you should see a red pop-up window titled Wana Decrypt0r 2.0. What’s more, all or most of the files on your computer should have an additional extension, which could be either .WNCRYT or .WNCRY, for example, picture.jpg.WNCRYT, video.avi.WNCRY, document.docx.WNCRY, and so on. You may also notice suspicious files created by the malicious application, for example, @WanaDecryptor@.exe, @Please_Read_Me@.txt, tasksche.exe, etc. The last of these files might be placed in C:\Windows, %ALLUSERSPROFILE%\{folder with a random name}, and %ALLUSERSPROFILE%\Application Data\{folder with a random name}, while the first two (@WanaDecryptor@.exe and @Please_Read_Me@.txt) could appear in every folder containing encrypted data.

The text files with instructions and the red pop-up window should appear only after Wana Decrypt0r Ransomware encrypts its targeted data; for example, it could target files with .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .bmp, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, and other extensions. The infection might create many copies of @WanaDecryptor@.exe so that the user can reopen the pop-up window if he closes it. The warning in it says you can click the “Decrypt” button and recover a few files instantly. However, to get all of the files back, the warning asks you to pay the ransom ($300) within three days, or the price will be doubled. Moreover, the malware’s creators give users seven days to make the payment, or else, they threaten, the victim will never be able to recover his files.

At this point we would like to stress that, despite what the cyber criminals behind the infection say, there are no guarantees that paying the ransom will allow you to unlock the encrypted files, so instead of risking your savings, we advise you to secure the system and delete the worm immediately. If you choose to erase Wana Decrypt0r Ransomware manually, we offer the removal guide placed below, since deleting the malicious application might not be easy. Probably the easier way to eliminate it is to install a reputable antimalware tool, perform a system scan, and select the removal button once the scan is over. By installing a legitimate antimalware tool, you would also acquire a tool that could help you strengthen the system and guard it against malware.

Eliminate Wana Decrypt0r Ransomware

  1. Exit the malware’s red pop-up.
  2. Access the File Explorer (Windows Key+E).
  3. Navigate to your Desktop, Downloads, Temporary Files, or other locations where the infection’s launcher could have been downloaded.
  4. Find the launcher, select it and press Shift+Delete to erase it permanently.
  5. Go to C:\Windows and find a file called tasksche.exe.
  6. Select this executable file and press Shift+Delete.
  7. Locate these paths:
    %ALLUSERSPROFILE%\{folder with a random name}
    %ALLUSERSPROFILE%\Application Data\{folder with a random name}
  8. Folders with random names might contain copies of tasksche.exe; if they contain such a file, select these folders and press Shift+Delete to remove the directories created by the malware.
  9. Use the Shift+Delete combination to erase all @WanaDecryptor@.exe and @Please_Read_Me@.txt files.
  10. Close File Explorer.
  11. Restart the system.
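
Before deleting anything by hand, it helps to list every artifact from steps 5 to 9 in one pass. The PowerShell script below is an added example, not part of the original guide; it only reads the disk, and its $SearchRoot parameter and the use of %SystemRoot% for C:\Windows are assumptions.

```powershell
# Added example (not from the original guide): read-only inventory, deletes nothing.
# Requires PowerShell 3.0 or later; run from an elevated prompt.
param(
    # Assumption: ransom notes and encrypted files are searched for on the system drive.
    [string]$SearchRoot = "$env:SystemDrive\"
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Path) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path })
}

# Steps 5-6: tasksche.exe directly in the Windows directory (C:\Windows in the guide).
$dropper = Join-Path $env:SystemRoot 'tasksche.exe'
if (Test-Path -LiteralPath $dropper) { Add-Finding 'tasksche.exe' $dropper }

# Steps 7-8: randomly named folders that hold a copy of tasksche.exe.
$parents = @($env:ALLUSERSPROFILE, (Join-Path $env:ALLUSERSPROFILE 'Application Data'))
foreach ($parent in $parents) {
    Get-ChildItem -LiteralPath $parent -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'tasksche.exe') } |
        ForEach-Object { Add-Finding 'Folder holding tasksche.exe' $_.FullName }
}

# Step 9: every copy of the decryptor and the ransom note, plus a count of encrypted files.
$noteNames = '@WanaDecryptor@.exe', '@Please_Read_Me@.txt'
$encrypted = 0
Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($noteNames -contains $_.Name) {
            Add-Finding 'Decryptor or ransom note' $_.FullName
        } elseif ('.WNCRY', '.WNCRYT' -contains $_.Extension) {
            $encrypted++
        }
    }

$findings | Sort-Object Kind, Path | Format-Table -AutoSize -Wrap
"Files ending in .WNCRY or .WNCRYT under ${SearchRoot}: $encrypted"
```

The launcher from steps 3 and 4 has no fixed name in this guide, so the script does not look for it; that step still has to be done by hand.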

In non-techie terms:

Wana Decrypt0r Ransomware is a worm that was spread using an exploit that could connect to the victim’s computer through the Server Message Block 1.0 (SMBv1) port, known as Samba TCP port 445. As our researchers explain, the malicious application scanned the Internet, trying to detect any available Windows servers that would have this port. To get rid of the SMBv1 vulnerability, you should get the latest patch for your operating system. If you were unfortunate enough to encounter this malware, we would also advise securing the system by erasing the worm from it. You can do this either manually or automatically, so you can pick the best option based on your skills. More experienced users could try to follow the removal guide placed above, while less experienced users are advised to use a reputable antimalware tool instead.