What is WannaSmile Ransomware

If your files have been suddenly altered with the .wannasmile extension (for example, 1.pdf.wannasmile) and you are now shown a ransom-demanding message in the pop-up window, then you are likely dealing with WannaSmile Ransomware. Although there is not enough justification for this, WannaSmile could be a new version of another identically named ransomware from 2017 (by Iranian developers), which assigned the .WSmile extension. In general, such malware is typically designed to render data inaccessible (by running encryption) and then extort money from victims for its decryption.

pop-up window textHow to decrypt files.html (Iranian version from 2017)How to decrypt files.html (translated to English)
Ooops, your files have been encrypted!
What Happened to My Computer?
Your important files are encrypted.Many of your documents, photos, videos, databases and other flies are no longer accessible because they have been encrypted. Maybe you are busy looking fora way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. Don't try to guess the password, its a strong one and even if you try to bruteforce it you will spend more money and resources guessing it, rather then paying to us.
To recover your files you will need to enter a secret key in the Key box and press Decrypt button.
How do I get the decrypt key?
To get your decrypt key you must send an payment of bitcoin of 100$ worth to the bitcoin adress you see below. Also include text id in the bitcoin transaction. You can find it one the left at Text ID field. After you sent payment, send an email to the adress below with same textid you attached to bitcoin transaction, its very important, only the textid can proove you send the transaction. The decryption key will be send to you to the same email, if no other email is included in the mail message.
Good look and hf ;)
Send $100 Worth of Bitcoin to the address below
سیستم شما به ویروس و باج افزارWannaSmile آلوده شده است؛ تمامی فایل های مهم شما از جمله دیتابیس ها
فایل های بک آپ و ... توسط الگوریتم های پیچیده رمزنگاری شده است؛
بنابراین شما امکان دسترسی به فایل ها را نخواهید داشت زیرا الگوریتم رمزنگاری مورد نظر تنها توسط ما قابل رمزگشایی
درصورتیکه طی مدت حداکثر 5 روز پس از آلوده شدن مبلغ مورد نظر به حساب بیت کوین ما واریز نشود، روزانه مبلغ 1 بیت کوین به مبلغ اصلی (20 بیت کوین) اضافه میگردد.
تو ی باشد. شما می بایست برای رمزگشایی فایلهای خود مبلغ 20 بیت کوین را به آدرس زیر ارسال کنید:
و به محض پرداخت موفقیت آ 05;یز بیت کوین حتما از طریق ایمیل wannasmile@tuta.io به ما اعلام کنید تا یک فایل برای شما ارسال گردد که توسط آن می توانید کل فایل ها و سیستم های آلوده را به حالت اولیه باز گردانید.
جهت خرید بیت کوین می توانید از طریق یکی از صرافی های زیر اقدام نمایید
www.exchanging ir
Your system is infected with WannaSmile virus and ransomware; All your important files including databases
Backup files and... are encrypted by complex algorithms;
Therefore, you will not be able to access the files because the desired encryption algorithm can only be decrypted by us
If the desired amount is not deposited into our Bitcoin account within a maximum of 5 days after contamination, 1 Bitcoin will be added to the original amount (20 Bitcoins) daily.
be you You need to send 20 bitcoins to the following address to decrypt your files:
And as soon as you successfully pay Bitcoin, be sure to notify us by email at wannasmile@tuta.io so that a file will be sent to you by which you can restore all infected files and systems to their original state.
You can buy bitcoins through one of the following exchanges
www.exchanging ir

Extortionists behind WannaSmile demand their victims to pay 100$ in BTC in order to obtain a secret decryption key and paste it into a field in the pop-up window. Please note that files blocked by WannaSmile Ransomware can be decrypted using the last row of random characters in a file called data.wnns (in the %APPDATA% folder). Users can copy this key and paste it into the pop-up window to get their files decrypted for free, without paying the cybercriminals. This vulnerability is present at the moment of writing this article, however, not excluded that it may be removed in an updated version(s) of ransomware if such will be released in the future. After decrypting your data, it is then important to delete the ransomware from your computer to not let it run malicious activity on your PC in the future again.

data wnns-decryption key

As a rule, many ransomware infections leave users with no option, but to pay cybercriminals or recover data only from backup (if such is available). This is because many file encryptors use strong encryption algorithms and store decryption keys on protected servers. Even third-party are often useless and may be effective in only rarer cases. This is why it is important to make regular backups of data to be able to recover from copies in case of such a necessity. The WannaSmile version that we discussed above is a rare and lucky exception allowing victims to recover their data for free. It is also worth mentioning that purchasing decryption software/key from threat actors is not recommended – some end up fooling their victims and not giving any promised decryption tools eventually.

As mentioned above, once you restore access to encrypted files with the decryption key, it is important to remove WannaSmile Ransomware so that it does not encrypt more of your data in future usage. Read our guide below to do it. In addition, we also attached information about reputable third-party recovery tools/decryptors that may sometimes help return files in case of other ransomware attacks.

How WannaSmile Ransomware infected your computer

Ransomware is known to take over systems via phishing e-mail letters, unprotected RDP configuration, infected software installers (pirated or cracked), exploit kits, trojans, fake updates/license cracking tools, unreliable ads, backdoors, keyloggers, and other dubious channels.

Most distribution channels pursue the goal of making a user download and open some malicious file or link. Such a technique can be seen in fake email letters in which cybercriminals camouflage bundled attachments under legitimate files (.DOCX, .XLSX, .PDF, .EXE, .ZIP, .RAR, or .JS). By impersonating reputable companies (e.g., delivery companies, tax authorities, banks, and so forth), such emails increase their chance of successfully tricking inexperienced users into clicking harmful links or downloading malware.

Therefore, always approach such content with a respected level of caution. Stay away from interacting with dubious download sources, torrent-sharing pages, suspicious ads, potentially malicious attachments/links, and other kinds of potentially compromised content. Download software only from official resources to prevent drive-by (stealth) installations of malware. Read our guide below for more information on protecting against ransomware and other kinds of malware in the future.

  1. Download WannaSmile Ransomware Removal Tool
  2. Get decryption tool for .wannasmile files
  3. Recover encrypted files with Stellar Data Recovery Professional
  4. Restore encrypted files with Windows Previous Versions
  5. Restore files with Shadow Explorer
  6. How to protect from threats like WannaSmile Ransomware

Download Removal Tool

Download Removal Tool

To remove WannaSmile Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of WannaSmile Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.

Alternative Removal Tool

Download Norton Antivirus

To remove WannaSmile Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of WannaSmile Ransomware and prevents future infections by similar viruses.

WannaSmile Ransomware files:


WannaSmile Ransomware registry keys:

no information

How to decrypt and restore .wannasmile files

Use automated decryptors

Download Kaspersky RakhniDecryptor

kaspersky dharma ransomware decryptor

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .wannasmile files. Download it here:

Download RakhniDecryptor

There is no purpose to pay the ransom because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

Dr.Web Rescue Pack

Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .wannasmile files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.

If you are infected with WannaSmile Ransomware and removed from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:

Use Stellar Data Recovery Professional to restore .wannasmile files

stellar data recovery professional

  1. Download Stellar Data Recovery Professional.
  2. Click Recover Data button.
  3. Select type of files you want to restore and click Next button.
  4. Choose location where you would like to restore files from and click Scan button.
  5. Preview found files, choose ones you will restore and click Recover.
Download Stellar Data Recovery Professional

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses, like WannaSmile Ransomware , in future

1. Get special anti-ransomware software

Use ZoneAlarm Anti-Ransomware

Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.

Download ZoneAlarm Anti-Ransomware

2. Back up your files

idrive backup

As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. WannaSmile Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox

mailwasher pro

Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.

Download MailWasher Pro
Previous articleHow to stop “Someone Matched With You On Tinder!” e-mail spam
Next articleHow to remove Goba Ransomware and decrypt .goba files