Wana Decrypt0r 2.0, a new and dangerous ransomware spreading world wide with speed of light


What is Wana Decrypt0r 2.0?

On 12 May 2017 Wana Decrypt0r 2.0 (also written Wanna Decryptor 2.0) hit computers in 79 countries around the world in a single day. Those are crazy numbers, so we looked deeper into them and found that most of the infected machines were located in Russia and Taiwan. The scale of the outbreak is abnormal, and it is what makes Wana Decrypt0r the most dangerous ransomware infection we have seen.

By itself Wana Decrypt0r is a typical ransomware infection: it encrypts the data on your computer and demands payment. What makes it so effective at spreading is that it exploits a vulnerability in the SMBv1 file-sharing protocol of Windows. The most interesting part is that Microsoft had already fixed this vulnerability in March 2017 (security bulletin MS17-010), so Windows PCs without the latest updates were the ones exposed. The exploit reaches the SMB service through an open TCP port 445 and infects the computer automatically, without the user doing anything. Once one computer is infected, the ransomware scans the local network and infects every other vulnerable system it can reach. This is genuinely destructive, worm-like behaviour.


Detailed information on Wana Decrypt0r 2.0:

As we said before, Wana Decrypt0r is a typical ransomware. It uses a weakness in the SMBv1 protocol of Windows to spread rapidly and then encrypts your files. But the exploit is not its only way of spreading. Alongside it, the ransomware also uses the old route of fake emails with malicious Word documents attached. So even if the vulnerability has been patched on your system, infection by opening a booby-trapped attachment is still possible, which is why, if Wana Decrypt0r 2.0 has not touched you yet, you should stay well away from suspicious emails.

Once Wana Decrypt0r 2.0 gets onto the computer, it starts preparing the encryption. The installer extracts a file into the same folder it runs from. That file turns out to be a password-protected zip archive containing the various components Wana Decrypt0r needs. The loader extracts and executes these components and checks the system language in order to choose the correct language for the ransom note. Here is the list of supported languages (not complete):

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

After that Wana Decrypt0r performs several actions hidden from the user to prepare the encryption. It downloads a Tor client so that it can talk to its servers over the Tor network. Then it grants every user full control of the current folder and all of its subfolders, so that no file permission can get in the way of encryption, with the following command: icacls . /grant Everyone:F /T /C /Q

That's it: Wana Decrypt0r is now ready to encrypt the files on your computer. Here is the list of file extensions it targets:

.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Every encrypted file is renamed by Wana Decrypt0r: it appends a .WNCRY extension to mark the file as encrypted. In each folder containing encrypted files Wana Decrypt0r drops a ransom note named @Please_Read_Me@.txt. It also replaces the desktop wallpaper.

Finally, to make it impossible to recover your Windows from a shadow copy, Wana Decrypt0r deletes the shadow copies, disables Windows recovery at boot and wipes the backup catalog with the following command: C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
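The icacls grant and the shadow-copy wipe chain are the most reliable things to hunt for in process-creation telemetry (Sysmon event 1, or Windows event 4688 with command-line logging enabled). The Python below is an added example for this article, not code from the article or from the malware: it runs a pattern for the icacls grant and for each command of the wipe chain over process events and scores every host. The events are constructed JSON lines in an assumed field layout (host, image, cmdline), not real telemetry.

```python
import json
import re

# Regexes for the commands the article lists: the world-writable icacls grant
# and each command of the shadow-copy / recovery wipe chain. Case-insensitive,
# tolerant of ".exe" suffixes and extra whitespace.
INDICATORS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows?\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recovery_off":    re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog":  re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "icacls_everyone_full":    re.compile(r"\bicacls(?:\.exe)?\s+\S+\s+/grant\s+Everyone:F\b(?=.*\s/T\b)", re.I),
}
RECOVERY_TAMPER = set(INDICATORS) - {"icacls_everyone_full"}

# Constructed process-creation events (not real telemetry). WS01 shows the
# behaviour described above; ADMIN01 and BK01 are benign administrator activity.
SAMPLE_EVENTS = r"""
{"host": "WS01", "image": "C:\\Windows\\SysWOW64\\cmd.exe", "cmdline": "C:\\Windows\\SysWOW64\\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"}
{"host": "WS01", "image": "C:\\Windows\\System32\\icacls.exe", "cmdline": "icacls . /grant Everyone:F /T /C /Q"}
{"host": "ADMIN01", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"host": "BK01", "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"}
"""


def classify(cmdline):
    """Return the set of indicator names that fire on one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def severity(indicators):
    """Score a host from the union of its indicators.

    high   : two or more recovery-tampering commands, or one of them plus the
             world-writable icacls grant (the ransomware's pre-encryption step)
    medium : a single recovery-tampering command or the icacls grant alone
             (backup admins do run "wbadmin delete catalog" legitimately)
    none   : nothing matched
    """
    tamper = indicators & RECOVERY_TAMPER
    if len(tamper) >= 2 or (tamper and "icacls_everyone_full" in indicators):
        return "high"
    if tamper or "icacls_everyone_full" in indicators:
        return "medium"
    return "none"


def triage(jsonl):
    """Group process-creation events (one JSON object per line) by host and score them."""
    per_host = {}
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = classify(ev.get("cmdline", ""))
        if not hits:
            continue
        entry = per_host.setdefault(ev["host"], {"indicators": set(), "images": set()})
        entry["indicators"] |= hits
        entry["images"].add(ev.get("image", ""))
    for entry in per_host.values():
        entry["severity"] = severity(entry["indicators"])
    return per_host


if __name__ == "__main__":
    for host, entry in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {entry['severity']:6} {sorted(entry['indicators'])}")
```

The whole five-command chain arriving in one cmd.exe command line is what pushes a host to "high"; a lone `wbadmin delete catalog` from a backup server is only "medium" so the rule does not page on routine maintenance. The icacls pattern keys on the literal group name "Everyone", so if you deploy it on non-English Windows builds you will want to add the localised name as well.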

How to recover from Wana Decrypt0r 2.0 ransomware infection:

We may have a little hope for you, so don't panic too soon. There have been reports from users with 1 TB and 2 TB hard drives full of data that the "encryption" on their systems finished suspiciously fast. A small investigation showed that Wana Decrypt0r had failed to start properly for some reason and had only changed the attributes of the "encrypted" files. To get these files back, the users simply had to re-save them, after which the files opened normally. Don't get your hopes up too much, though: the chances of this are slim.

Here is the Microsoft patch again – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

If you were infected with this ransomware, try to follow our guide below. It cannot guarantee the return of your files, but it will remove the infection.

UPDATE: The spread of the Wana Decrypt0r ransomware has been temporarily stopped after security researcher MalwareTech registered a domain that is hard-coded in the ransomware. Before starting, Wana Decrypt0r tried to connect to this domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com). The check was strange: if the domain was unregistered and the connection failed, the ransomware went ahead and executed; if the domain was registered and the connection succeeded, it stopped and did not spread, so the domain acts as a kill switch. Since MalwareTech registered the domain, the ransomware no longer starts on machines that can reach it. Note that this only protects computers that can make the outbound connection themselves: a machine that cannot reach the domain for another reason, such as a network that only allows web access through a proxy, still runs the worm, and a variant with a different or removed domain is not stopped at all, so the MS17-010 patch is still mandatory.
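Two things follow from this for a defender, and the Python below (added here, not part of the original article) shows both. `killswitch_says_run()` mirrors the inverted check: the sample runs only if its connection attempt fails, so an environment where outbound connections fail for unrelated reasons (proxy-only egress, a blocked domain) still lets the worm run even though the domain is registered, while a sandbox that answers every DNS query makes the sample exit quietly. `hosts_that_queried_killswitch()` turns the domain into a detection: it reads DNS query logs and lists the internal hosts that looked the domain up, because the lookup only happens once the dropper is executing on that host. The BIND-style log lines, addresses and the probe stand-ins are constructed for the example.

```python
import re
from collections import Counter

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def killswitch_says_run(domain, probe):
    """Reproduce the inverted check: proceed only if reaching the domain FAILS.

    `probe(domain)` stands for the sample's outbound connection attempt; it must
    raise OSError on failure and return normally on success. No network is used
    here; pass a real probe only in a lab.
    """
    try:
        probe(domain)
    except OSError:
        return True        # unregistered or unreachable -> the worm proceeds
    return False           # reachable (registered) -> the worm exits


def probe_reachable(domain):
    """Stand-in for a successful connection (domain registered and reachable)."""
    return True


def probe_unreachable(domain):
    """Stand-in for a failed connection: NXDOMAIN, or egress blocked by a proxy-only network."""
    raise OSError(f"could not connect to {domain}")


# Constructed BIND-style query log (not real traffic): 10.0.5.23 queried the
# kill-switch domain twice, 10.0.7.8 once (upper case, trailing dot), and
# 10.0.9.1 only queried unrelated names.
SAMPLE_DNS_LOG = """\
12-May-2017 13:02:11.512 queries: info: client @0x7f1c 10.0.5.23#52144 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)
12-May-2017 13:02:11.640 queries: info: client @0x7f1c 10.0.9.1#61022 (update.example.net): query: update.example.net IN A + (10.0.0.53)
12-May-2017 13:02:40.007 queries: info: client @0x7f22 10.0.7.8#49811 (IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.): query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.53)
12-May-2017 13:03:02.118 queries: info: client @0x7f1c 10.0.5.23#52199 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)
12-May-2017 13:03:05.500 queries: info: client @0x7f1c 10.0.9.1#61023 (www.example.com): query: www.example.com IN A + (10.0.0.53)
"""

# Source address and queried name out of a BIND "queries" log line.
QUERY_RX = re.compile(
    r"client\s+(?:@\S+\s+)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+.*?query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)"
)


def hosts_that_queried_killswitch(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {source_ip: query_count} for hosts that looked up the kill-switch domain."""
    wanted = domain.rstrip(".").lower()
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RX.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()   # normalise FQDN dot and case
        if qname == wanted:
            hits[m.group("src")] += 1
    return dict(hits)


if __name__ == "__main__":
    print("runs when unreachable:", killswitch_says_run(KILL_SWITCH_DOMAIN, probe_unreachable))
    print("runs when reachable:  ", killswitch_says_run(KILL_SWITCH_DOMAIN, probe_reachable))
    for ip, n in sorted(hosts_that_queried_killswitch(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {n} lookup(s) of the kill-switch domain, triage this host")
```

A hit in the DNS log after the domain was registered still matters: it means the dropper ran on that host and exited only because the connection succeeded, so the host is unpatched and will be hit by the next variant.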

STEP 1. Wana Decrypt0r recovery guide

Ransomware is a very dangerous kind of infection that evolves every day, making it harder and harder to recover your files once they are encrypted. Its developers now delete the shadow copies that the standard Windows recovery tools rely on, so you simply have no local backups left.

Over time, ransomware has learned to remove all backups on your system in order to make recovery of your files impossible.

Please note: it is still possible that a particular ransomware sample fails to remove the backups on your system, in which case you will be able to recover your information with the standard Windows recovery tools by following the instructions below:

To make the recovery process more reliable, boot your computer into Safe Mode with Command Prompt.

  • For Windows 7: reboot your system and, before Windows loads, repeatedly press the "F8" key until you see the boot options.
  • For Windows 8/10: press the "Power" button on the Windows login screen or in Settings. Hold the Shift key on your keyboard and click "Restart".
  • After your computer reboots, click "Troubleshoot", then "Advanced options", then "Startup Settings".
  • Click the "Restart" button; your computer will reboot again and show you the list of options. Choose "Safe Mode with Command Prompt".
  • When Windows loads, type cd restore and press Enter.
  • Then type rstrui.exe and press Enter.
  • A System Restore window will open. Click Next to proceed.
  • In the next window, choose a restore point. System files and settings on protected drives will be returned to the state they were in when this point was created (before the infection with Wana Decrypt0r). Bear in mind that System Restore does not roll back your personal documents; those come back only from a backup or from a shadow copy that survived (the "Previous Versions" tab of a file or folder). If the ransomware managed to delete the shadow copies, no restore points will be listed at all. Select a restore point and click "Next".
  • Click "Finish" in this window and confirm the recovery by pressing "Yes".

Here is a video example of the recovery process:

STEP 2. Removing traces of Wana Decrypt0r ransomware

Once the recovery process is complete, you should scan your computer with GridinSoft Anti-Malware to find any remaining traces of the Wana Decrypt0r infection. Although some ransomware removes itself right after encrypting your files, other strains leave malicious processes running on your computer for the cyber criminals' own purposes.

Download GridinSoft Anti-Malware protection from the link below:

Example of scanning process of GridinSoft Anti-Malware:

Using On-run protection may additionally prevent other kinds of attack: our protection may flag the ransomware's downloader as a malicious application and stop Wana Decrypt0r from being downloaded at all.

STEP 3. Prevent the Wana Decrypt0r ransomware infection with GridinSoft Anti-Ransomware

Here is the Microsoft patch again, in case you skipped it in the first part of the article – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Although ransomware is able to delete the shadow copies of your OS, our product GridinSoft Anti-Ransomware can protect them from deletion in the first place. When a malicious program or ransomware tries to delete your backups, our program intercepts the request and blocks the process that sent it.
Note: the product is still in its beta-testing phase, so some bugs and glitches are possible.
Besides the protection tool, you should learn a few simple rules. Follow them every time you work on your computer and you will reduce your chances of infection to a minimum:

  • Don't open suspicious spam emails. Ever. Be very careful with your downloads, and install software preferably from its official website.
  • Back up your important files regularly. Keeping your really important files in several different places is a good decision.
  • Keep your system free from adware, hijackers and PUPs. A computer carrying such software is more likely to be compromised by other malware, and ransomware is no exception.
  • Don't panic and be reasonable. Don't pay the ransom right after you get infected; it is always best to search the internet for answers first. It is possible that someone has developed a decryption tool that can help you.

Leave comments

Leave your comments and questions below to help us and other users improve this guide, or use our ticket system to contact our professional support team. We will gladly help you!