What is WannaCry Ransomware
WannaCry (also referred to as Wcry, Wana Decrypt0r 2.0, WanaDecryptor, and WNCRY virus) is a ransomware infection that encrypts personal files using the AES-128 algorithm and demands that victims pay for decryption. The virus was discovered by the security researcher S!Ri, and there are a couple of known WannaCry variants. Depending on which variant attacked the system, files affected by encryption will be altered using the WNCRYT (for encrypted .bmp files). For instance, a file like 1.pdf will change to 1.pdf.wcry or similar, depending on the ransomware version. Following this, the virus displays decryption instructions in a force-opened pop-up window. One of the variants changes the desktop wallpaper as well. The Wana Decrypt0r 2.0 variant also creates a separate ransom note called @Please_Read_Me@.txt.
Your files have been safely encrypted!
Most of your files are encrypted with strong AES-128 ciphers.
To decrypt files you need to obtain the private keys, and it is the only possible way.
To obtain the keys you should pay with bitcoin.
The cost will double by the specified time.
1. Send 0.1 BTC to 1G7bggAjH8pJaUfUoC9kRAcSCoev6djwFZ You will be able to download the private key within 12 hours.
2. How to DECRYPT your files
1) Click “Start Decrypt”.
2) First, you should send a download request with your Bitcoin wallet address. (Important: You must know your actual wallet address from where your payment be sent.)
4) After 5~6 hours you will have the key and can decrypt your files. Go!
5) That’s all.
3. About Bitcoin
1) For more information about bitcoin, please visit hxxps://en.wikipedia.org/wiki/Bitcoin
2) Here are our recommendations to purchase bitcoins: -
Any attempt to corrupt or remove this software will result in immediate elimination of the private keys by the server.
What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.
How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.
If you need our assistance, send a message by clicking .
We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking on the decryptor window.
Although the text of the instructions and their visual appearance vary across WannaCry variants, their essence is more or less the same. Overall, the cybercriminals claim they are the only ones able to restore access to the data. To get it back, victims are told to pay the extortionists a fee in Bitcoin. Unless victims send the payment before the displayed countdown runs out (usually 3 days), the price for decryption will double. If victims fail to pay within 7 days, the decryption key will be erased and victims will no longer be able to recover their files with the help of the swindlers. Additionally, some WannaCry variants offer to test decryption by sending some encrypted files and getting them unlocked for free. All of these techniques are meant to intimidate or reassure victims and so push them into paying the ransom.
As a rule, decryption without the help of cybercriminals is almost impossible for the majority of ransomware infections. The only free recovery method for victims is usually to use their own backup copies, if any are available. However, the good news is that there is a third-party decryptor that can be downloaded and used for free decryption, independent of the threat actors. The tool was released in 2017 (the time when WannaCry Ransomware was most active) on GitHub by Adrien Guinet (tested to work on Windows XP, 7 x86, 2003, Vista and Windows Server 2008). Instructions on how to use it are available on the website; you can also check out this video for a better understanding.
Please note that this tool does not have a 100% decryption success rate. There are cases when it fails. However, if you can neither afford to pay the attackers nor have any backups to use, it is definitely worth trying. After decrypting your files, remember to delete WannaCry Ransomware from your system. Note that WannaCry is also known to sometimes deliver additional malware into the system (such as DOUBLEPULSAR malware). Thus, it is important not only to delete the ransomware but also to thoroughly scan the system for additional malware. You can follow our guide below to do so. In addition, we have attached information about other general decryption/recovery methods that can sometimes be effective as well.
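To gauge how far the encryption reached before choosing a recovery method, the following added example (not part of the original guide or of any vendor tool) walks a directory tree read-only and counts files carrying the markers this page names: the .wcry, .wncry and WNCRYT extensions, @Please_Read_Me@.txt and @WanaDecryptor@.exe. It also flags encrypted files whose original is no longer beside them. The function names and the report layout are assumptions made for this example.

```python
import os
from collections import Counter

# Markers taken from this page; matching is case-insensitive.
ENCRYPTED_EXTS = (".wcry", ".wncry", ".wncryt")
ARTIFACT_NAMES = {"@please_read_me@.txt", "@wanadecryptor@.exe"}


def classify(name):
    """Return 'artifact', 'encrypted' or None for a single file name."""
    lower = name.lower()
    if lower in ARTIFACT_NAMES:
        return "artifact"
    if lower.endswith(ENCRYPTED_EXTS):
        return "encrypted"
    return None


def scan(root):
    """Walk root and summarise WannaCry markers without modifying any file."""
    report = {"encrypted": [], "artifacts": [], "orphaned": [],
              "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            report["by_dir"][dirpath] += 1
            if kind == "artifact":
                report["artifacts"].append(path)
                continue
            report["encrypted"].append(path)
            # "1.pdf.wcry" -> "1.pdf": if the original is gone, only a backup,
            # a shadow copy or a decryptor can bring the file back.
            original = os.path.splitext(name)[0].lower()
            if original not in present:
                report["orphaned"].append(path)
    return report


if __name__ == "__main__":
    import sys
    result = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(result['encrypted'])} encrypted, "
          f"{len(result['orphaned'])} without a surviving original, "
          f"{len(result['artifacts'])} ransomware artifacts")
    for directory, count in result["by_dir"].most_common(10):
        print(f"{count:6d}  {directory}")
```

Run it against a mounted copy or image of the affected disk rather than the live system, so the evidence stays unchanged while you decide between the decryptor, backups and shadow copies.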
How WannaCry Ransomware infected your computer
Initially, WannaCry Ransomware succeeded in mass distribution in 2017 thanks to EternalBlue, an NSA-linked exploit. Cybercriminals used it against a vulnerability in the SMBv1 protocol to get a foothold on vulnerable machines connected online. Although this vulnerability has since been patched, this and other ransomware infections can still be distributed using other methods. These may include e-mail spam letters, trojans, deceptive third-party downloads, fake software updates/installers, backdoors, keyloggers, botnets, other system exploits, and so forth. Many inexperienced users are fooled into interacting with malicious content. For instance, ransomware or trojan developers quite often send e-mails disguised as messages from legitimate companies or entities (e.g., delivery companies, tax authorities, banks, and so forth).
As a rule, such letters use phishing techniques to make users open a phishing link or malicious attachment (.DOCX, .XLSX, .PDF, .EXE, .ZIP, .RAR, or .JS extensions). Once such attachments are opened, the hidden infection will most likely end up installed on the targeted system unless there is special anti-malware software in place. Do not trust such letters, and delete them immediately if anything in them looks suspicious. You should also download software only from trustworthy and legitimate websites. Avoid downloading torrents and other files that bundle installers of pirated, cracked, or other illegally distributed software. Read our article below to learn more practical information about how to protect yourself against such and similar threats in the future.
- Download WannaCry Ransomware Removal Tool
- Get decryption tool for .wncry files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like WannaCry Ransomware
Download Removal Tool
To remove WannaCry Ransomware completely, we recommend using SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of WannaCry Ransomware. The trial version of SpyHunter 5 offers a virus scan and one-time removal for FREE.
Alternative Removal Tool
To remove WannaCry Ransomware completely, we recommend using Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of WannaCry Ransomware and prevents future infections by similar viruses.
WannaCry Ransomware files:
WannaCry Ransomware registry keys:
How to decrypt and restore .wncry files
Use automated decryptors
Download Kaspersky RakhniDecryptor
Use the following tool from Kaspersky, called Rakhni Decryptor, which can decrypt .wncry files. Download it here:
There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.
Dr.Web Rescue Pack
The well-known antivirus vendor Dr. Web provides a free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help with the decryption of .wncry files by uploading samples to the Dr. Web Ransomware Decryption Service. The analysis is performed free of charge, and if the files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you were infected with WannaCry Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually, you can do the following:
Use Stellar Data Recovery Professional to restore .wncry files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see a screen listing all the drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect your computer from viruses like WannaCry Ransomware in the future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
The well-known antivirus brand ZoneAlarm by Check Point has released a comprehensive tool that provides active anti-ransomware protection as an additional shield on top of your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The key features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, and file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. WannaCry Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.