What is WannaCash ransomware? And how does it implement its attack?
WannaCash ransomware is a newly discovered crypto-virus that appears to target Russian-speaking users. This crypto-malware uses the AES 256 cipher to encrypt data. It demands 4999 rubles from its victims, to be paid via Yandex, one of the biggest electronic payment platforms in Russia.
Once it infiltrates a computer, it drops several malicious files on the system, such as lock.exe, keys.exe, key.txt, Decrypts files.txt and chrome.zip. These files are placed in system folders; each has its own function, and together they serve the single goal of helping WannaCash ransomware carry out its attack. It also modifies some entries in the Windows Registry, most likely the RunOnce keys, so that it runs automatically every time the victim starts the PC. After these modifications, it looks for files with specific formats to encrypt and, as mentioned, applies the AES 256 cipher to make the targeted files inaccessible. Once the encryption is done, it opens a ransom note containing a lengthy message written in Russian (translated here) that states:
“WannaCash
System
YM wallet [410017171730353] | Amount: 4999
——
Windows 7 Home Basic has been suspended
Access to all files and drives has been blocked. Hotkeys and the desktop have been disabled.
All files on the drives with the following extensions have been encrypted with the symmetric block cipher AES 256bit
.doc .docx .xls .xlsx .xlst .ppt .pptx .rtf .pub .pps .ppsm .pot .pages .indd .odt .ods .pdf .zip .rar .7z .jpg .png .mp4 .mov .avi .mpeg .flv .psd .psb
The lock is not final; it can be removed.
Note:
Restoring or reinstalling Windows will not help. If you attempt to delete or disrupt the program, you risk being left with corrupted files.
——
Files
YM wallet [410017171730353] | Amount: 4999
—
C:\Program Files\Bandizip\data\EULA.rtf
C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\Green8ubbles.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg
C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg
C:\Program Files\DVD Maker\Shared\DissolveAnother.png
C:\Program Files\DVD Maker\Shared\DissolveNoise.png
C:\Program Files\Google\Chrome\Application\68.0.3440.75\Installer\chrome.7z
C:\Program Files\Google\Chrome\Application\68.0.3440.75\VisualElements\logo.png
C:\Program Files\Google\Chrome\Application\68.0.3440.75\VisualElements\logobeta.png
C:\Program Files\Google\Chrome\Application\68.0.3440.75\VisualElements\logobetalight.png
C:\Program Files\Google\Chrome\Application\68.0.3440.75\VisualElements\logocanary.png
C:\Program Files\Google\Chrome\Application\68.0.3440.75\VisualElements\logocanarylight.png
C:\Program Files\Google\Chrome\Application\68.0.3440.75\VisualElements\logodev.png
***
——
Unlocking
YM wallet [410017171730353] | Amount: 4999
—
We guarantee that you will be able to safely and easily recover all your files and restore the system to its previous state.
- Transfer the specified amount to the Yandex wallet. Choose cash or cashless payment.
- After a successful transfer, click the “I have paid” button to verify that the funds were received. If the result is positive, the system will be unlocked automatically.
But we do not have much time. Every 10 minutes, encrypted files will be irreversibly deleted at random.
Payment:
[online] [cash] Unlocking:
[I have paid]”
If you are one of the victims of WannaCash ransomware, you must not, under any circumstances, pay the ransom, as you will only lose money for nothing. The best thing you can do for now is to remove this crypto-malware from your computer and wait until security experts come up with a decryptor to recover the files encrypted by WannaCash ransomware.
How does WannaCash ransomware proliferate?
WannaCash ransomware proliferates using several methods, but it mostly relies on spam emails. The creators of this threat attach the malicious payload to emails sent to random users. The payload may be a document with macro scripts or an executable file that, if opened, runs a command to install WannaCash ransomware on the targeted computer. It is therefore important to double-check emails before opening them or their attachments.
Follow the removal instructions prepared below to obliterate WannaCash ransomware from your PC.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu and then expand the Shutdown options, which are right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: In the Troubleshoot menu that opens, click on Advanced options and then go to Startup Settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab and look for any suspicious-looking processes that could be related to WannaCash ransomware and then end their processes.
Step 7: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: Look for suspicious programs that could be related to WannaCash ransomware and then uninstall them.
Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following locations and look for the malicious components created by WannaCash ransomware such as lock.exe, keys.exe, key.txt, Decrypt files.txt and chrome.zip and make sure to delete them all.
- %APPDATA%
- %TEMP%
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there will have a major impact on your computer. To save you the trouble and time, you can simply use [product-name]; this system tool is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 12: Tap Win + R to open Run, type regedit in the field and tap Enter to pull up the Windows Registry.
Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by WannaCash ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step 14: Delete the registry keys and sub-keys created by WannaCash ransomware.
Step 15: Close the Registry Editor and empty the contents of the Recycle Bin.
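As an added illustration of Steps 10 through 14 (this script is not part of the original article and not the product's code), the following PowerShell reads the Run/RunOnce keys and the folders listed above and reports any entry that references the file names the article attributes to WannaCash. It only reports; deletion is left to the manual steps. The artifact names and locations are taken from the article (the note file is spelled both "Decrypt files.txt" and "Decrypts files.txt" above, so both are checked).

```powershell
# Added read-only audit script; file names and locations come from the article's Steps 10-14.
$artifactNames = @('lock.exe', 'keys.exe', 'key.txt', 'Decrypt files.txt', 'Decrypts files.txt', 'chrome.zip')

# Autostart keys from Step 13 (HKLM:/HKCU: are the PowerShell drives for HKEY_LOCAL_MACHINE/HKEY_CURRENT_USER)
$registryPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drop locations from Step 10
$folders = @(
    $env:APPDATA,
    $env:TEMP,
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop')
)

$findings = @()

# Autostart values whose command line mentions one of the artifact names
foreach ($key in $registryPaths) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
        foreach ($name in $artifactNames) {
            if ("$($prop.Value)" -like "*$name*") {
                $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$($prop.Name)"; Detail = $prop.Value }
            }
        }
    }
}

# Files carrying one of the artifact names in the listed folders (comparison is case-insensitive)
foreach ($dir in $folders) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $artifactNames -contains $_.Name } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $_.FullName; Detail = $_.LastWriteTime }
        }
}

if ($findings.Count -eq 0) { 'No WannaCash artifacts found in the listed locations.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell in Safe Mode so the HKLM keys are readable; a hit in a Run/RunOnce value tells you which file the autostart entry points to, which is the entry to remove in Step 14.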
To ensure the removal of WannaCash ransomware from your system including the malicious components it has created on your system, follow the advanced steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed, click the “Fix, Clean & Optimize Now” button.