What is WannaPeace ransomware, and how does it carry out its attack?
WannaPeace ransomware is a file-encrypting virus that, judging by its ransom note, mostly targets Portuguese-speaking users. Like most ransomware infections, it encrypts files on the computers it infects in order to extort money from its victims. It enters the system through a malicious executable named RzW.exe, which researchers say began spreading in the last week of November this year. Once it has infected a system, it searches for files to encrypt. Some of the targeted file formats are listed below:
- .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
- CAD files: .DWG .DXF
- GIS files: .GPX .KML .KMZ
- .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
- Encoded files: .HQX .MIM .UUE
- .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
- Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
- Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
- 3D files: .3DM .3DS .MAX .OBJ
- .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
Once it has located the files it is looking for, it encrypts them with AES. It marks each file by inserting _enc between the original file name and its extension (filename_enc.extension), so report.docx becomes report_enc.docx. After the encryption process the files can no longer be opened, and victims see a ransom note on the desktop of their PCs stating:
“@AnonymousBr – WannaPeace
Sorry, your files have been encrypted! Please accept us as Anonymous, and only Anonymous. We are an idea which cannot be contained, persecuted or imprisoned.
Thousands of people are now abandoned, injured, hungry and suffering. All as victims of war, which is not even theirs! Unfortunately, only words will not change the position of these people.
We do NOT want your files to be damaged. We just want a small financial contribution. Remember, by making a donation you will not only recover your files but help restore the dignity of these victims as well.”
If you are one of the victims of WannaPeace ransomware, be aware that the crooks behind this crypto-malware are simply trying to swindle money from you under the guise of helping victims of war. Do not waste time negotiating with them; remove the ransomware first, and only then try to restore the encrypted files.
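A quick way to scope the damage from the naming pattern described above, before removing anything or attempting recovery, is to inventory the files whose names carry the _enc marker. The script below is an added example written for this article, not the ransomware's or the article's own code; it assumes only the _enc naming rule and the extension list given above (a subset of that list is embedded, extend it as needed), and the sample paths it runs against are constructed.

```python
"""Inventory files renamed by WannaPeace.

The ransomware inserts "_enc" between a file's name and its extension
(report.docx -> report_enc.docx). This script walks a tree, flags names
that follow that pattern, and reports the pre-encryption names so the
damage can be scoped before any recovery attempt.
Added example for this article, not the ransomware's or the article's
own code. TARGET_EXTENSIONS is a subset of the article's list; the
sample paths are constructed, not taken from a real victim machine.
"""
import ntpath  # Windows path rules, so the sample paths parse on any OS
import os
import re
import sys
from collections import Counter

# Subset of the extensions the article lists as targeted (add the rest as needed).
TARGET_EXTENSIONS = {
    ".PNG", ".PSD", ".TIF", ".TIFF", ".JPG", ".GIF", ".BMP", ".PDF", ".AI",
    ".DOC", ".DOCX", ".ODT", ".RTF", ".TXT", ".XLS", ".XLSX", ".CSV", ".PPT",
    ".PPTX", ".ACCDB", ".MDB", ".DB", ".SQL", ".XML", ".INI", ".CFG", ".7Z",
    ".ZIP", ".RAR", ".ISO", ".MP3", ".WAV", ".MP4", ".AVI", ".MOV", ".DWG",
}

# "<stem>_enc<.ext>": the marker sits right before the last extension.
_ENC_NAME = re.compile(r"^(?P<stem>.+?)_enc(?P<ext>\.[^.\\/]+)$")


def is_wannapeace_name(path, require_known_ext=True):
    """True if the file name follows the _enc pattern.

    With require_known_ext the extension must also be one the ransomware
    targets, which weeds out unrelated files that happen to end in _enc.
    """
    m = _ENC_NAME.match(ntpath.basename(path))
    if not m:
        return False
    return not require_known_ext or m.group("ext").upper() in TARGET_EXTENSIONS


def original_name(path):
    """Return the pre-encryption path for a matching name (directory kept)."""
    head, tail = ntpath.split(path)
    m = _ENC_NAME.match(tail)
    if not m:
        raise ValueError(f"not a WannaPeace-style name: {tail}")
    return ntpath.join(head, m.group("stem") + m.group("ext"))


def triage(paths):
    """Summarise which of the given paths look encrypted, by extension and folder."""
    encrypted = [p for p in paths if is_wannapeace_name(p)]
    by_ext = Counter(ntpath.splitext(p)[1].upper() for p in encrypted)
    by_dir = Counter(ntpath.dirname(p) for p in encrypted)
    return {"total": len(paths), "encrypted": encrypted,
            "by_ext": dict(by_ext), "by_dir": dict(by_dir)}


def scan_tree(root):
    """Walk a directory tree and triage every file in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


# Constructed sample paths for the stand-alone run (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\ana\Documents\budget_enc.xlsx",
    r"C:\Users\ana\Documents\budget.xlsx",      # an untouched original
    r"C:\Users\ana\Pictures\ferias_enc.jpg",
    r"C:\Users\ana\Desktop\notes_enc.txt",
    r"C:\Users\ana\Downloads\RzW.exe",           # the dropper named in the article
    r"C:\Users\ana\Downloads\cache_enc.tmp",     # _enc, but .tmp is not a targeted type
]

if __name__ == "__main__":
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_PATHS)
    print(f"{len(result['encrypted'])} of {result['total']} files look encrypted")
    for ext, n in sorted(result["by_ext"].items()):
        print(f"  {ext}: {n}")
    for p in result["encrypted"]:
        print(f"  {p} -> {original_name(p)}")
```

Run it with a drive or folder as the first argument to scan a real machine; without an argument it runs over the constructed sample. The extension check is there because a name ending in _enc is only a heuristic, and the by-folder counts tell you which shares or profiles the ransomware reached.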
How does WannaPeace ransomware proliferate?
WannaPeace ransomware disguises itself as Adobe Reader XI to make its process look legitimate: while it encrypts data on the infected device, it opens an Adobe Reader XI window as a decoy. Security experts from A virus.hu reported that WannaPeace ransomware exploits unsecured and unprotected Remote Desktop Protocol (RDP) configurations and also uses fake installers, fake software updates and malicious spam email campaigns to spread its executable.
Do not delay the removal of WannaPeace ransomware. To delete it, follow the removal instructions below, then use the recovery option for your encrypted files.
Step1. Close the window for Adobe Reader XI.
Step2. Next, end WannaPeace ransomware’s process. Open the Task Manager by tapping Ctrl + Shift + Esc on your keyboard.
Step3. In the Task Manager, go to the Processes tab and look for a process named Adobe Reader XI, as well as any other suspicious-looking process that consumes a large share of your CPU and is likely related to WannaPeace ransomware. Select each one and click End Task.
Step4. After that, close the Task Manager.
Step5. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step6. Under the list of installed programs, look for WannaPeace ransomware or anything similar and then uninstall it.
Step7. Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step8. Navigate to the following locations and look for WannaPeace ransomware’s components, such as RzW.exe and drivers.txt, together with any other suspicious files, and delete all of them:
- %TEMP%
- %APPDATA%
- %PROGRAMFILES%
- %APPDATA%\Microsoft\Windows\Templates\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step9. Close the File Explorer.
Before you proceed to the next steps, make sure you are comfortable working in the Windows Registry: a mistaken deletion there can stop Windows or its programs from working, so export a backup first (File > Export in the Registry Editor). If you would rather not edit the Registry by hand, you can use PC Cleaner Pro to do the cleanup instead. But if you can manage the Windows Registry, then by all means go on to the next steps.
Step10. Tap Win + R to open Run, type in regedit in the field and tap Enter to open the Windows Registry.
Step11. Navigate to the following paths and look for registry keys, sub-keys and values created or modified by WannaPeace ransomware:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
- HKEY_CURRENT_USER\Control Panel\Desktop (including the ScreenSaveTimeOut value)
Step12. Delete only the values and sub-keys that WannaPeace ransomware created, for example a Run or RunOnce value whose data points to RzW.exe, and restore any wallpaper, lock-screen or screen-saver values it altered. Do not delete the Run, RunOnce, Personalization or Desktop keys themselves; Windows and legitimate programs use them.
Step13. Close the Registry Editor and empty your Recycle Bin.
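Because Step 12 calls for deleting only what the ransomware added, it helps to review the Run and RunOnce values programmatically before touching them in the Registry Editor. The following is an added example, not code from the article: on Windows it reads the four autorun keys listed in Step 11 (elsewhere it runs against constructed sample values) and flags values that launch a program from a user-writable folder or that name RzW.exe. The user-writable-folder heuristic, the sample environment and the sample entries are assumptions made for illustration.

```python
"""Review autorun values for WannaPeace leftovers.

Flags Run/RunOnce values that launch a program from a user-writable
folder or that name the artefacts given in the article (RzW.exe,
drivers.txt). Added example, not code from the article; the folder
heuristic and the sample entries are assumptions made for illustration.
"""
import ntpath
import os
import re
import sys

RUN_KEYS = [  # the four autorun keys named in the removal steps
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
KNOWN_ARTEFACTS = {"rzw.exe", "drivers.txt"}  # names given in the article
# Heuristic (assumption): installed software does not normally autorun from here.
USER_WRITABLE = [r"%TEMP%", r"%APPDATA%", r"%USERPROFILE%\Downloads",
                 r"%USERPROFILE%\Desktop"]
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf")


def expand(path, env):
    """Expand %VAR% from a mapping, so results are deterministic in tests."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def command_executable(cmd):
    """Program a Run value launches, without arguments; handles a quoted path
    and an unquoted path with spaces (joins tokens until one ends in EXEC_EXT)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return tokens[0] if tokens else ""


def suspicious_reasons(cmd, env):
    """Why an autorun command deserves a look; an empty list means nothing found."""
    exe = expand(command_executable(cmd), env)
    reasons = []
    if ntpath.basename(exe).lower() in KNOWN_ARTEFACTS:
        reasons.append("known WannaPeace artefact name")
    exe_norm = ntpath.normpath(exe).lower()
    for folder in USER_WRITABLE:
        root = ntpath.normpath(expand(folder, env)).lower()
        if exe_norm.startswith(root + "\\"):
            reasons.append(f"runs from user-writable folder {folder}")
            break
    return reasons


def review_entries(entries, env):
    # entries: (location, value name, command) triples; returns the flagged ones
    flagged = []
    for loc, name, cmd in entries:
        reasons = suspicious_reasons(cmd, env)
        if reasons:
            flagged.append((loc, name, cmd, reasons))
    return flagged


def read_run_keys():
    """Enumerate the four autorun keys (Windows only)."""
    import winreg  # Windows-only module
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, sub in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], sub)
        except OSError:
            continue  # key absent; RunOnce often is
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            entries.append((f"{hive}\\{sub}", name, str(data)))
        key.Close()
    return entries


# Constructed environment and autorun values (not from a real infected machine).
SAMPLE_ENV = {"TEMP": r"C:\Users\ana\AppData\Local\Temp",
              "APPDATA": r"C:\Users\ana\AppData\Roaming",
              "USERPROFILE": r"C:\Users\ana"}
SAMPLE_ENTRIES = [
    (r"HKLM\...\Run", "SecurityHealth", r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
    (r"HKCU\...\Run", "Adobe Reader XI", r"C:\Users\ana\AppData\Roaming\RzW.exe"),
    (r"HKCU\...\RunOnce", "Update", r'"%TEMP%\update.exe" -s'),
]

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    env = {k.upper(): v for k, v in os.environ.items()} if on_windows else SAMPLE_ENV
    entries = read_run_keys() if on_windows else SAMPLE_ENTRIES
    for loc, name, cmd, reasons in review_entries(entries, env):
        print(f"[{loc}] {name} = {cmd}\n    {'; '.join(reasons)}")
```

A flagged entry is a lead, not a verdict: some legitimate updaters do autorun from %APPDATA%, so confirm the file before deleting the value in Step 12, and delete the value only, never the key it lives in.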
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files with Windows’ Previous Versions feature will only work if WannaPeace ransomware has not deleted the shadow volume copies of your files. Even so, it is one of the best free methods there is, so it is worth a try.
To restore an encrypted file, right-click on it and select Properties. In the window that opens, go to the Previous Versions tab, which lists the versions of the file saved before it was modified. Select one of the versions displayed (ideally the most recent one dated before the infection) and click Restore.
To make sure that nothing is left behind and WannaPeace ransomware is completely removed, run a scan with the following antivirus program. Refer to the instructions below.
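Previous Versions draws on the Volume Shadow Copy service, so it is worth checking whether any shadow copies still exist before spending time on it file by file. The script below is an added example, not part of the article: on Windows it runs vssadmin list shadows (an elevated prompt is required) and summarises the result per drive; on any other system it parses a constructed sample written in vssadmin's output format, with made-up IDs and machine names.

```python
"""Check whether shadow copies survived before relying on Previous Versions.

Parses the output of "vssadmin list shadows" (run as Administrator) and
reports, per drive letter, how many shadow copies exist and when they were
made. Added example, not code from the article; the sample output is a
constructed transcript in vssadmin's format, not from a real machine.
"""
import re
import subprocess
import sys
from collections import defaultdict

_SET = re.compile(r"Contents of shadow copy set ID:\s*(\{[0-9a-f-]+\})", re.I)
_CREATED = re.compile(r"at creation time:\s*(.+?)\s*$")
_SHADOW = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-f-]+\})", re.I)
_VOLUME = re.compile(r"Original Volume:\s*\((\w:)\)")
_DEVICE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(text):
    """Return a list of dicts, one per shadow copy, from vssadmin's output."""
    shadows, set_id, created = [], None, None
    for line in text.splitlines():
        if m := _SET.search(line):
            set_id = m.group(1)
        elif m := _CREATED.search(line):
            created = m.group(1)
        elif m := _SHADOW.search(line):
            shadows.append({"set": set_id, "created": created,
                            "id": m.group(1), "volume": None, "device": None})
        elif (m := _VOLUME.search(line)) and shadows:
            shadows[-1]["volume"] = m.group(1).upper()
        elif (m := _DEVICE.search(line)) and shadows:
            shadows[-1]["device"] = m.group(1)
    return shadows


def by_volume(shadows):
    """Group shadow copies by drive letter, keeping vssadmin's listing order."""
    groups = defaultdict(list)
    for s in shadows:
        groups[s["volume"]].append(s)
    return dict(groups)


def list_shadows():
    """Run vssadmin on Windows (needs an elevated prompt) and parse its output."""
    out = subprocess.run(["vssadmin", "list", "shadows"],
                         capture_output=True, text=True, check=False).stdout
    return parse_vssadmin(out)


# Constructed sample in vssadmin's output format (IDs and names are made up).
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1b3f2c4e-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 11/25/2017 8:02:11 PM
      Shadow Copy ID: {a1a1a1a1-0000-4000-8000-000000000001}
         Original Volume: (C:)\\?\Volume{5d2e6f00-0000-4000-8000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-ANA
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {1b3f2c4e-0000-4000-8000-000000000002}
   Contained 2 shadow copies at creation time: 11/28/2017 7:15:40 AM
      Shadow Copy ID: {a1a1a1a1-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{5d2e6f00-0000-4000-8000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
      Shadow Copy ID: {a1a1a1a1-0000-4000-8000-000000000003}
         Original Volume: (D:)\\?\Volume{7e8f9a00-0000-4000-8000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""
NO_SHADOWS = "No items found that satisfy the query."  # vssadmin's wording when none exist

if __name__ == "__main__":
    shadows = list_shadows() if sys.platform == "win32" else parse_vssadmin(SAMPLE_OUTPUT)
    if not shadows:
        print("no shadow copies: Previous Versions will have nothing to offer")
    for vol, items in sorted(by_volume(shadows).items()):
        print(f"{vol} {len(items)} shadow copies")
        for s in items:
            print(f"   {s['created']:<24} {s['device']}")
```

If copies exist, the Shadow Copy Volume path can also be exposed as a folder for bulk copying with mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ (the trailing backslash is required); that is a standard Windows technique rather than one the article describes, and it is faster than restoring files one at a time.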
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- As soon as the BIOS screen appears, press F8 repeatedly until the Advanced Boot Options menu shows up. If Windows starts instead, reboot and try again. (On Windows 8 and later F8 is disabled by default: hold Shift while clicking Restart, then choose Troubleshoot > Advanced options > Startup Settings > Restart and press 5 for Safe Mode with Networking.)
- Use the arrow keys to select Safe Mode with Networking, then hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and tap R.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (with a single space between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to download the program; installation starts automatically once the download finishes.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.