Home / Spyware Help / WanaCrypt0r Ransomware Removal Guide

WanaCrypt0r Ransomware Removal Guide

by 0 Comments

Do you know what WanaCrypt0r Ransomware is?

WanaCrypt0r Ransomware has many names as it might be called WannaCry Ransomware, WanaDecrypt0r Ransomware, and so on. According to our specialists, the malware used an exploit called ETERNALBLUE and was spreading through networks as a worm. Luckily, security experts from all around the world managed to stop the infection. Still, in a couple of days, the malicious application was distributed in more than one hundred and fifty countries. Clearly, it affected an enormous amount of computers belonging to companies and users at home. This situation reminds us all that we should never take our guard down because hackers are continuously searching for ways to threaten our cyber security every day. If you are one of WanaCrypt0r Ransomware’s victims, we advise reading the rest of the article since there is more to learn about it. As for users who seek to erase the worm manually, we can offer the removal guide placed below the text.

The mentioned ETERNALBLUE exploit belongs to NSA, but a particular hacker’s team called The Shadow Brokers managed to steal it and leak it online. The exploit uses Server Message Block 1.0 (SMBv1) port called Samba TCP port 445 to gain access to the targeted device, so the worm was scanning the Internet and looking for Windows servers where such a port could be accessed. The SMBv1 vulnerability was already noticed by Microsoft since the company has released a patch for it in March. Unfortunately, users who did not get the patch became WanaCrypt0r Ransomware’s targets. The malicious program may not be distributed any more, but it is still important to get rid of the mentioned vulnerability in case of future attacks, so if you did not update the system yet, we would recommend doing this at once.WanaCrypt0r Ransomware Removal GuideWanaCrypt0r Ransomware screenshot
Scroll down for full removal instructions

What happens when WanaCrypt0r Ransomware infects the system? At first, it should copy itself into the C:\Windows and C:\ProgramData\{randomly named folder} directories. Then the malware should be ready to begin the encryption process. During it, the worm should look for photos, documents, archives, or other data that could be important or irreplaceable. By enciphering the most valuable files, the malicious application’s creators are most likely hoping the victim would have no other choice but to pay. Lucky users are the ones who prepared for such disaster by placing copies of their most essential data on external hard drives, flash drives, or other storages. If you did not think about it before, we would advise you to consider such safety precaution in the future as it might save you from trouble in situations when you encounter malware this damaging as WanaCrypt0r Ransomware or other similar threats.

Right after encrypting the targeted files, the infection should open a pop-up window. If the user closes it the pop-up can be opened again by launching @WanaDecryptor@.exe files; they should be scattered in all directories with enciphered data. According to the pop-up, the user has only one choice, which is to pay the ransom in in seven days. Obviously, that is not true as you can choose not to fund these cyber criminals and erase the malware instead. If you decide to do so, we advise you to acquire a reputable antimalware tool and leave the deletion task to it since WanaCrypt0r Ransomware is a dangerous threat. On the other hand, if you determined to erase it manually and you are confident you will manage to eliminate it on your own, you could use the removal guide placed below the article as it can guide you through the process.

Get rid of WanaCrypt0r Ransomware

  1. Make sure you close the malware’s pop-up window.
  2. Then press Windows Key+E.
  3. Check the following paths:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  4. Find a malicious file; it should have been downloaded the day the system got infected.
  5. Select the suspected file and press Shift+Delete to erase it permanently.
  6. Look for the given location: C:\Windows
  7. Find tasksche.exe, select the executable file and press Shift+Delete.
  8. Navigate to: C:\ProgramData\{randomly named folder}
  9. See if there is another file titled as tasksche.exe.
  10. In case the folder contains tasksche.exe select the whole folder and press Shift+Delete.
  11. Select all @WanaDecryptor@.exe and @Please_Read_Me@.txt files one by one and press Shift+Delete to remove them permanently.
  12. Exit the Explorer.
  13. Restart the system.

In non-techie terms:

WanaCrypt0r Ransomware is a recently created worm which is capable of encrypting user’s files with a strong cryptosystem. As a result, once the device is infected most of the private data should become unusable. The malware’s creators demand to pay a ransom for decryption tools, but we would advise you not to believe their promises as there is not knowing whether the decryption would be successful. Meaning, in the worst case scenario you could end up with no personal data on the computer and an emptier wallet. If you do not think you want to take these chances we encourage you to use the removal guide placed above or employ a reputable antimalware tool and get rid of the infection once and for all.