Infected with WannaCash ransomware? Need to decrypt your files?
What is WannaCash ransomware
Lately, more and more users have been complaining that their file is infected with WannaCash. This is another crypto ransomware, which encrypts the user’s data, in particular, png, jpg, doc, xls, pdf, mp3, avi, rar, and many other files that are most valuable for the average user. The encryptor encrypts these files using the AES algorithm and changes their extension using the following scheme: encrypted(file_name.file_extension).
Let’s look at some examples of encrypted files:
encrypted(sunsetphoto.png)
encrypted(msword.doc)
encrypted(statement.xls)
In fact, the cryptovirus only adds the new prefix and puts the filename in quotes. Be that as it may, encrypted files become unusable. It is worth noting that the main purpose of scammers is to earn money, so they “carefully” leave a note containing information about the ransom:
note text:
WannaCash
Система
ЯД кошелек [410017171730353] | Сумма: 4999
------
Работа Windows 7 Home Basic приостановленна
Запрещен доступ ко всем файлам и дискам. Отключены горячие клавиши и рабочий стол.
Все размещенные файлы на дисках следующих расширений были зашифрованы симметричным алгоритмом блочного шифрования AES 256bit
.doc .docx .xls .xlsx .xlst .ppt .pptx .rtf .pub .pps .ppsm .pot .pages .indd .odt .ods .pdf .zip .rar .7z .jpg .png .mp4 .mov .avi .mpeg .flv .psd .psb
Блокировка не окончательна, может быть снята.
Примечание:
Восстановление, переустановка windows ни к чему не приведет. При попытке удалить или нарушить работу программы вы рискуете остаться с поврежденными файлами.
Translated version:
WannaCash
System
Yandex Wallet [410017171730353] | Amount: 4999
------
Working of Windows 7 Home Basic is suspended
Access to all files and disks is forbidden. Hotkeys and desktop are disabled.
All files of the following extensions placed on disks were encrypted with a symmetric block cipher algorithm AES 256bit
.doc .docx .xls .xlsx .xlst .ppt .pptx .rtf .pub .pps .ppsm .pot .pages .indd .odt .ods .pdf .zip .rar .7z .jpg .png .mp4 .mov .avi .mpeg .flv .psd .psb
Blocking is not final and can be removed.
Note:
Restoring, reinstalling windows will lead to nothing. When you try to remove or disrupt the program, you will risk remaining with corrupted files.
From the content of the note it becomes clear that WannaCash is aimed at Russian-speaking users, but the cryptovirus has spread throughout the world, and its greatest activity was at the end of July this year. Fraudsters insist on paying a ransom of 4,999 rubles, which equals approximately $ 60 to $ 90. Pay attention to the fact that the attackers indicate the account of the virtual wallet to avoid criminal prosecution. Of course, many users want to get their files as soon as possible and are afraid of losing their data, so they are ready to pay any money. Do not pay, this is cheating. Try to remove WannaCash and decrypt your files using our recommendations.
Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. If you want to decrypt your files, please follow our instruction below or, if you have any difficulties, please contact us: submit@securitystronghold.com. We really can help to decrypt your files.
How WannaCash ransomware infected your PC
Before deconstructing possible ways of penetrating WannaCash, let’s look at ways to prevent PC infection. Undoubtedly, the main rule is to use antiviruses and other programs that can nullify the possible leakage of unwanted programs and viruses. However, most users use free versions of antivirus software or do not use them at all, thereby opening the possibility of penetration through unprotected network settings. Moreover, cryptoviruses, in particular WannaCash, can come in the form of an attachment to spam mailing or as an update for software installed on your system. The conclusion is only one – use paid versions of reliable antiviruses. If WannaCash has already encrypted your files, then use our recommendations.
First of all, don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the WannaCash ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
Recommended Solution:
Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to WannaCash ransomware – files, folders, registry keys.
*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.
You may find more detailed information about antivirus products in our article – Top 5 Antivirus Software for Windows
Restore your files using shadow copies
- Download and run Stellar Data Recovery.
- Select type of files you want to restore and click Next.
- Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
- Once the scanning process is done, click Recover to restore your files.
Step 2: Remove following files and folders of WannaCash ransomware:
Related connections or other entries:
No information
Related files:
WannaCash.exe
How to decrypt files infected by WannaCash ransomware?
You can try to use manual methods to restore and decrypt your files.
Decrypt files manually
Restore the system using System Restore
Although latest versions of WannaCash ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
Protect your computer from ransomware
Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.
Written by Rami Douafi