WannaPeace Ransomware Removal Guide

Do you know what WannaPeace Ransomware is?

If your files are marked with _enc. extension, your computer is most likely infected with WannaPeace Ransomware. The reason such data can no longer be used is that the malware enciphers it with a strong cryptosystem. Apparently, the malicious program is designed to act this way so its creators could extort money from those who receive the infection. As you see the cyber criminals might have a decryption tool that could decipher all data and so they use this leverage to convince the users to make the payment. The bad news is there are no guarantees when dealing with cyber criminals, which means if they take your money and do not provide the decryption tool you will not be able to do anything about it. Thus, instead of gambling with your savings, we advise you to ignore the hackers and get rid of this malware. To help you delete WannaPeace Ransomware faster, we will be placing a removal guide at the end of this page. Users who wish to know more about the threat or what they could do to restore data on their own should finish reading this report.

The malicious application might be still in the development stage, which means it may not yet be spread among computer users. However, if it would be, we should say it could find its victims with the help of Spam emails, questionable file-sharing web pages, harmful websites, and so on. The WannaPeace Ransomware‘s launcher might look like a picture, a text document, a software installer, an update, etc. In other words, the infection could disguise itself to trick you into downloading and launching it. Knowing cyber criminals use such methods daily, we always recommend our readers to be cautious when they download or receive suspicious data. Inexperienced users who have never encountered threats like ransomware could open the described files without a second thought when what they actually should do is check it with a reputable antimalware tool or at least take a moment to investigate it.

Some of you may wonder what exactly happens when the malware’s installer is launched. Our computer security specialists report the threat should firstly encrypt user’s data, for example, photographs, images, various documents, archives, videos, and so on. It appears to be all of this data might be marked with a specific extension. What is a bit strange that this extension is added not at the end of the encrypted file’s original extension but between it and the file’s name. To provide you with an example, a picture called clouds.jpg would look like clouds_enc.jpg. Right after WannaPeace Ransomware finishes encrypting and marking your data, it should open a window displaying the ransom note. Plus, it may create a text document with a shorter message in the %PROGRAMFILES% directory.

Furthermore, it is worth mentioning the ransom note might be written just in Portuguese, which makes us assume the malicious application could be distributed only among Portuguese-speaking users. In it, WannaPeace Ransomware’s creators might talk about how they ask money not for themselves, but for war victims. It would not surprise us if this message was carefully created to make the user more sympathetic and willing to pay for a good cause. What does surprise us a bit is the amount of money they are asking to pay. They call it a “small contribution,” but 1.414 US dollars does not look like a small amount of money to us. This is how much 0.08 Bitcoins cost at the moment we are writing this report.

Provided, you do not feel like paying 1.414 US dollars to cyber criminals who may not even help you decrypt your data, we encourage you to ignore the ransom note and concentrate on the malicious application's removal. Afterward, if you have any copies on removable hard drives, flash drives, or other storages, you could replace encrypted files with them. As we promised in the first paragraph, the removal guide below the text will show you how to erase WannaPeace Ransomware manually, but if it looks too complicated for you do not hesitate to employ a reputable antimalware tool instead.

Erase WannaPeace Ransomware

  1. Press Ctrl+Alt+Delete simultaneously.
  2. Pick Task Manager.
  3. Take a look at the Processes tab.
  4. Locate a process belonging to the malicious program.
  5. Select this process and press the End Task button.
  6. Click Windows Key+E.
  7. Navigate to the suggested paths:
    %TEMP%
    %USERPROFILE%Desktop
    %USERPROFILE%Downloads
  8. Search for a file that got the computer infected.
  9. Right-click the malicious file and select Delete.
  10. Then go to %PROGRAMFILES% and delete drivers.txt.
  11. Leave File Explorer.
  12. Restart the computer.

In non-techie terms:

WannaPeace Ransomware is one of the malicious applications designed to encrypt victim’s data and ask for ransom in exchange for its decryption. However, nothing is as simple as it may sound because even if you are willing to pay the ransom, there is not knowing whether the cyber criminals who created this threat will be willing to send you the promised decryption tool. This is why our computer security specialists advise not to take any risks especially when the asked sum is this large (currently around 1.414 US dollars). What we recommend instead is erasing the malicious application and recovering encrypted data from copies you could have on cloud storage, removable media devices, etc. To learn how to get rid of the infection manually, you could follow the removal guide available above.