Recently the WannaCry ransomware attack wreaked havoc across the globe and hit more than 200,000 victims across 150 countries. It spread rapidly on Friday, May 12, 2017 by exploiting a vulnerability contained in the NSA leak. Many unpatched Windows systems were infected with this malware and users’ files were encrypted and became inaccessible. This post gives a brief instruction of the ransomware and provides the method of removing WannaCry ransomware and several tips to prevent the ransomware.
What is WannaCry Ransomware?
|Threat Name||WannaCry Ransomware, WannaCrypt, WNCRY, WannaCryptor or Wana Decryptor|
|Affected countries||150 countries around the world, mostly in Russia.|
|Affected systems||Windows operating systems|
|Behaviors||Encrypt files with the extension “.WCRY” added to the filenames.;Demand a ransom payment to get files back.|
|Distribution Methods||Spread via spam email messages that contain a corrupted file attachment,Exploit a remote code execution vulnerability called “EternalBlue” (aka MS17-010)|
|Removal Solution||Some regular antivirus programs may fail to detect WannaCry Ransomware, so it is highly recommended that you use a specialized tool to find and delete all files related to this threat.|
The WannaCry Ransomware, also called WannaCrypt, WNCRY, WannaCryptor or Wana Decryptor, is a malicious piece of software that encrypts your files and demands a ransom of $300 worth of bitcoin. On Friday, the ransomware infected UK hospitals, a Spanish telecom company, and companies in various other sectors and its spreading was stopped on Friday afternoon when a security researcher registered a domain. However, this is a temporary fix. Over Friday and Saturday, the ransomware evolved to be a patched (non recompiled) variant with *NO* kill-switch and it has hit about 200,000 computers in over 150 countries. Unlike other ransomware, such as PEC 2017 Ransomware, Cry128 Ransomware and AES-NI Ransomware, this ransomware use only four hardcoded bitcoin addresses in the malware. This will result in the payments problem and also allow the security community and law enforcement to track any attempt to anonymously cash out WannaCry profits easily.
The ransomware targets Windows operating systems, especially older Windows operating systems including Windows XP, Windows 8 and Windows Server 2003. If you are running legacy operating systems such as Windows XP, it’s easy for your PC to be infected with the ransomware when it is connected to the Internet if it hasn’t had the patch that patched the relevant security issues for modern machines in March provided by Microsoft. You can find the free patch provided by Microsoft for Windows XP, Windows 8, and Windows Server 2003 from here. In addition to the known vulnerability, the ransomware can also be distributed via spam emails with malicious attachments or links contained.
The infographic below shows how the ransomware infects the PC and encrypts the files:
Once installed, the ransomware will start to scan and encrypt your files and also drops and executes a decryptor tool. When you open the tool dropped by it, the messages as showed in the screenshot below will be displayed:
The window of the tool is titled ‘Wana Decrypt0r 2.0’. The texts in it tell you what happened to your PC and how you can recover the files. To get the encrypted files back, you need to send $600 in bitcoin to an address provided out there in 3 days. But the first five payments to that wallet is approximately $300 USD, as the ransomware. If the payment is not received in 7 days, your files will be lost forever. The messages of the ransom note can be translated into different languages as the ransomware targets various countries around the world.
The ransomware targets files with the following extensions:
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc
Generally, the commonly used office file extensions, such as .doc and .docx, and images file like .jpg and .jpeg are inevitably encrypted. It’s reported that many schools in China suffer from this malware and their students’ PCs are targeted and the files like graduation thesis are locked. They have to pay the ransom if they don’t have backups of important data to get the encrypted files back.
The ransomware also changes your wallpaper to the image as showed below in case you have no idea how to do next when you find the files are encrypted:
What if your computer is infected with WannaCry Ransomware?
To be frankly, it is not suggested that you pay the ransom if your files are encrypted by the ransomware. As mentioned in this post, the cybersecurity community has marveled at the inexplicable errors the WannaCry Ransomware’s authors have made. The errors include building in a web-based “kill-switch” that can be stopped spreading easily, inexperienced handling of bitcoin payments and even a shoddy ransom function in the malware itself. Since the ransomware provides only one of four hardcoded bitcoin addresses, it’s difficult for the criminals to figure out which computer to decrypt as ransoms come in. The setup will inevitably lead to the criminals failing to decrypt computers even after payment. It means that even if you have sent the payment, the cybercriminals may not decrypt the files for you.
When you find the PC is infected with this ransomware, what you need to do first is to remove the malware immediately to prevent it from encrypting more other further files and restore the backups if you have. The guide below shows you how to remove the threat.
WannaCry Ransomware removal guide
SpyHunter is an advanced and professional anti-malware program that is able to find and remove all the traces of WannaCry Ransomware as well as other threats on your PC entirely. With industry-leading technology, it can scan the system for malware including Trojans, worms, rootkits, spyware and potentially unwanted programs that may harm the system and clear them thoroughly. If your PC is unfortunately attacked by the ransomware, try SpyHunter to remove it.
To do that,
Click on the button below to download SpyHunter to your PC.
Once the file is downloaded, you can run spyhunter-installer.exe to start the installation.
Click Finish when the setup is successful. SpyHunter is now installed on your computer.
Usually, the tool will automatically scan your system after the installation is successful. To effectively scan and clear the infections, you need to check the version of the product version and the DB version and make sure they have been updated to the latest versions. To quickly scan the system, close all running programs and files before scanning.
Then click on Scan Computer Now button to start scanning your system for the infections.
SpyHunter starts to scan the system files, drivers, registry keys and other data. This may take you several minutes or longer.
When the scanning is completed, WannaCry Ransomware and other threats will be displayed in the scan results. SpyHunter shows brief info of the threats and lists all the traces of them. Click on Fix Threats button to clear all the threats detected on your PC. Make sure that you have purchased the full version of SpyHunter.
You may need to restart the computer after the Ransomware and other threats have been removed.
Method that you can try to recover the encrypted files:
Sometimes the encrypted files can be restored through Shadow Volume Copies if you are lucky enough. Usually, File-encrypting ransomware will start to delete Shadow Volume Copies once installed. But sometimes the locky ransomware fails to remove them in a few cases due to various unknown reasons. Therefore, if your PC is attacked by this ransomware and you don’t have a backup of the files, try restoring encrypted files from Shadow Volume Copies since some shadow copies may luckily escape the deletion and still can be restored by ShadowExplorer.
Try using ShadowExplorer to restore them.
Here is there guide on how to restore the files with ShadowExplorer.
Alternatively, try using Windows Previous Versions feature.
Please note that this method only works on an infected operating system that has the System Restore function enabled. But this may not work on all computers. Have a try on the infected files and see if this makes sense.
Right click on the encrypted file, select Properties, and select the Previous Versions tab. If there is a restore point available, select it and click on Restore button.
How to protect your PC from WannaCry Ransomware?
Usually, anti-malware programs fail to decrypt the files encrypted files even if they have found and delete the malware. You won’t be able to restore your personal files if your computer is attacked by this encrypting ransomware but you have no backups. Thus, here are several suggestions on how to protect your computer from the malware.
First of all, patch your Windows operating systems and make sure they have all the latest updates downloaded and installed. Since Windows XP or Server 2003 have lost official support outside of special contracts, it’s easy for them to be attacked by cybercriminals exploiting vulnerabilities.
Next, always remember to make a backup of your files, especially the important ones. Many people don’t make backups regularly so when their machines are attacked by ransomware, it’s impossible for them to restore the files and have to pay the ransom so as to recover the very important data. Cybercriminals utilize this and make profits.
Next, don’t click on suspicious attachments or links in spam emails sent by strangers. Malware can be spread via spam emails. Spam emails is one of the most common ways used by cybercriminals to spread the infections.
Finally, keep advanced anti-malware software on the PC. It’s necessary to install a virus scanner with the latest definitions on the system to safeguard the Pc against all types of malware. The security tools can inform you of changes made by virus and help you detect and remove them automatically.