
WannaCry ransomware virus. How to remove? (Uninstall guide)

Removal guide by Olivia Morelli | Type: Ransomware

While WannaCry continues infecting systems, legitimate decryption tools show up

WannaCry is a ransomware-type program that uses the EternalBlue exploit[1] to infect computers running the Microsoft Windows operating system. The ransomware is also known as WannaCrypt0r and Wana Decrypt0r, and a WannaCry 2.0 is already in circulation. Once it gets into a target computer, it rapidly encrypts all files and marks them with one of the following file extensions: .wcry, .wncryt and .wncry. The virus renders data useless using a strong cipher, changes the desktop wallpaper, creates a ransom note called @Please_Read_Me@.txt (older versions drop a Please Read Me!.txt file) and then launches a program window called “Wanna Decrypt0r” that states that the files on the computer have been encrypted. The malicious program urges the victim to pay a ransom ranging from $300 to $600 in Bitcoins and threatens to delete all files if the victim fails to pay up within 7 days. WannaCry eliminates Volume Shadow Copies to prevent the victim from restoring encrypted data. On top of that, the ransomware acts like a worm[2]: as soon as it gets into the target PC, it starts looking for other computers to infect. It uses a security loophole in Windows OS and rapidly spreads using file sharing tools (such as Dropbox or shared drives) without asking for the victim’s permission. Therefore, if you have been subjected to the cyber attack, you must remove WannaCry as soon as you can to stop it from spreading further. Although the virus promises to restore your files after you pay, there is no reason to rely on criminals’ claims. Security experts have released several decrypters, Wannakey and Wanakiwi, that you can download from the Internet. At the moment, cybercriminals have collected ransoms worth $80,000[3], and we hope that you will not increase this number by paying a ransom to extortionists.

The 2-spyware team recommends deleting the ransomware in Safe Mode with Networking using anti-malware programs like Reimage.

Main facts about WannaCry ransomware

Cybercriminals used this ransomware in a massive cyber-attack that was launched on Friday, 12 May 2017[4]. According to the latest reports, the malicious attack successfully affected more than 230 000 computers in over 150 countries. The impact of the cyber attack is horrific – although the virus targets organizations from across a range of sectors, healthcare seems to be suffering the most[5]. Due to the attack, various hospital services have been suspended; for instance, hundreds of surgeries have been put off. According to reports, the first big companies affected by this ransomware were Telefonica, Gas Natural and Iberdrola. Some of the affected companies had data backups, while others had to face tragic consequences. Without exception, all victims are advised to carry out WannaCry removal as soon as possible, as it can help to prevent the ransomware from spreading further.

Analysis of WannaCry attack

The main WannaCry ransomware infection vector is the EternalBlue exploit, a cyberspying tool stolen from the US National Security Agency (NSA) and published online by a hacker group known as the Shadow Brokers. The EternalBlue exploit targets the Windows CVE-2017-0145[6] vulnerability in Microsoft’s implementation of the SMB (Server Message Block) protocol. The vulnerability has already been patched, according to Microsoft’s security bulletin MS17-010 (released on 14 May 2017). The exploit code used by the perpetrators was meant to infect outdated Windows 7 and Windows Server 2008 systems, and reportedly users of Windows 10 cannot be affected by the virus. The malware typically arrives as a dropper Trojan that contains the exploit kit and the ransomware itself.

The latest WannaCry variants are distributed via girlfriendbeautiful[.]ga/hotgirljapan.jpg?i=1 in the APAC region. After gaining access to the target computer, the virus creates a folder in C:\ProgramData and gives it a random name. The new folder contains the tasksche.exe executable file. The ransomware can also save its components into the C:\Windows directory, dropping two files – mssecsvc.exe and tasksche.exe. The virus executes the command Icacls . /grant Everyone:F /T /C /Q to gain access to all of the victim’s files. The virus is set to connect to a non-existent domain, and if that connection fails, the ransomware infects the system. One such domain was purchased by the security researcher MalwareTech, so variants that connect to that domain fail to infect computer systems. Cyber criminals then attempted to DDoS that domain to keep the ransomware active, but without success. Sadly, the attackers understood their mistake and shortly afterwards released updated variants of the malware that connect to different domains, so from now on it won’t be easy to fight this malicious program. The ransomware can affect anyone who lacks knowledge about ransomware distribution, so we suggest reading this WannaCry ransomware prevention guide that our experts prepared:
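The artifacts named above (tasksche.exe in a random-named C:\ProgramData folder, mssecsvc.exe and tasksche.exe in C:\Windows, the @Please_Read_Me@.txt note and the .wcry/.wncryt/.wncry extensions) can be turned into an offline triage check. The PowerShell script below is an added example, not code from the 2-spyware guide; it builds a constructed sample tree in the temp directory (placeholder text files, no real malware) and scans it read-only. The folder name qwertyuiop and the sample paths are assumptions; point -Root at a real drive to check a host.

```powershell
# Added example (not from the 2-spyware guide): read-only triage for the WannaCry
# artifacts the text names. Nothing is deleted or quarantined; the output is a list
# of paths to investigate. The sample tree below is constructed placeholder data.

$ArtifactNames = @('tasksche.exe', 'mssecsvc.exe', '@Please_Read_Me@.txt', 'Please Read Me!.txt')
$EncryptedExtensions = @('.wcry', '.wncryt', '.wncry')

function Find-WannaCryArtifacts {
    param([Parameter(Mandatory)][string]$Root)
    # Walk the tree once; unreadable paths are skipped rather than aborting the scan.
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reason = $null
            if ($ArtifactNames -contains $_.Name) {
                $reason = 'dropper or ransom-note filename'
            } elseif ($EncryptedExtensions -contains $_.Extension.ToLower()) {
                $reason = 'encrypted-file extension'
            }
            if ($reason) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Reason   = $reason
                    Size     = $_.Length
                    Modified = $_.LastWriteTime
                }
            }
        }
}

# --- Constructed sample tree (placeholder files, not real malware) ---
$sample    = Join-Path ([IO.Path]::GetTempPath()) ('wcry-triage-' + [guid]::NewGuid())
$randomDir = Join-Path $sample 'ProgramData\qwertyuiop'   # stands in for the random-named folder
New-Item -ItemType Directory -Force -Path $randomDir,
    (Join-Path $sample 'Windows'),
    (Join-Path $sample 'Users\alice\Documents') | Out-Null

Set-Content -Path (Join-Path $randomDir 'tasksche.exe') -Value 'placeholder'
Set-Content -Path (Join-Path $sample 'Windows\mssecsvc.exe') -Value 'placeholder'
Set-Content -Path (Join-Path $sample 'Users\alice\Documents\report.docx.WNCRY') -Value 'placeholder'
Set-Content -Path (Join-Path $sample 'Users\alice\Documents\@Please_Read_Me@.txt') -Value 'placeholder'
Set-Content -Path (Join-Path $sample 'Users\alice\Documents\notes.txt') -Value 'clean file'

$hits = Find-WannaCryArtifacts -Root $sample
$hits | Format-Table -AutoSize
# Expected: four hits (two dropper names, one ransom note, one .wncry file); notes.txt is not flagged.
Write-Host ("{0} suspicious item(s) found under {1}" -f @($hits).Count, $sample)

Remove-Item -Path $sample -Recurse -Force   # clean up the constructed tree
```

The extension match is case-insensitive because the text shows both .wncry and .WNCRY. A filename match alone is not proof of infection (a legitimate file could share a name), so treat hits as leads to confirm with a scanner, and take an infected host off the network before anything else, since the text describes worm-like spreading.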

  1. Install the MS17-010 system security update that Microsoft recently released. It addresses the particular vulnerability that the ransomware exploits. The updates were exceptionally released even for old OS versions such as Windows XP or Windows 2003.
  2. Keep the rest of your computer programs up-to-date.
  3. Install reputable anti-malware software to defend your computer against illegal attempts to infect it with malicious programs.
  4. Never open emails that come from strangers or companies that you have no business with.
  5. Disable SMBv1 using the instructions provided by Microsoft. If these instructions seem confusing, try the method provided in the next step.
  6. Apply a quick fix – install the WannaSmile tool, which was developed by the developer Hrishikesh Barman. This tool automatically disables SMB, edits the hosts file to add Google’s IP for the “kill-switch” domain (online fix), and creates a lightweight local web server and adds localhost for the “kill-switch” domain (offline fix).
  7. Look for more tips in this guide on how to survive a WannaCry attack.
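Steps 1 and 5 above can be verified and applied from an elevated PowerShell prompt. The script below is an added example, not 2-spyware’s or Microsoft’s code. The KB numbers it checks are the MS17-010 update identifiers I assume for each listed OS and should be verified against the bulletin; later cumulative updates supersede them, so Get-HotFix may not list them on a host patched through a newer rollup even though the host is fixed.

```powershell
# Added example (not from the 2-spyware guide): check for the MS17-010 update and
# disable SMBv1 on the server side. Run from an elevated PowerShell prompt.
# Assumption: the KB list below is the MS17-010 release for each OS; verify it
# against the bulletin for your OS before relying on the result.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012598'                 # Windows XP / Vista / Server 2003 / Windows 8 (out-of-band)
)
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # $true when any of the listed MS17-010 updates is present on this host.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1ServerState {
    # $true when this host currently offers SMBv1 to the network.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the registry switch documented by Microsoft.
    $v = (Get-ItemProperty -Path $LanmanParams -Name 'SMB1' -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return $true }   # a missing value means the default: SMB1 enabled
    return [bool]$v
}

function Disable-Smb1 {
    # Server side: stop offering SMBv1 (the protocol the exploit in the text targets).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name 'SMB1' -Type DWord -Value 0 -Force
    }
    # Client side: remove the SMB1 optional feature where it is packaged as one (Windows 8.1 and later).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

if (Test-Ms17010Installed) {
    Write-Host 'MS17-010 update found.'
} else {
    Write-Warning 'No MS17-010 update found in Get-HotFix; confirm the patch level before reconnecting this host to the network.'
}

if (Get-Smb1ServerState) {
    Disable-Smb1
    Write-Host 'SMBv1 server support disabled; reboot to apply the change on older systems.'
} else {
    Write-Host 'SMBv1 server support is already disabled.'
}
```

Disabling SMBv1 breaks access from clients that only speak SMBv1 (very old systems and some printers or NAS devices), so check for such dependencies on a file server before applying the change fleet-wide.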

Versions of WannaCry

.wcry file extension virus. It is believed to be the first version of the infamous ransomware. It was first spotted at the beginning of February 2017, and at first, this virus did not seem like one that could surpass the most prevalent viruses like Cryptolocker, CryptXXX or Cerber. The virus uses the AES-128 cipher to lock files securely, adds the .wcry file extension to their filenames and asks the victim to transfer 0.1 Bitcoin to a provided virtual wallet. The malware was initially distributed via email spam; however, this particular virus did not bring a lot of income for its developers. Although files encrypted by this ransomware appeared to be unrecoverable without the decryption key, its developers decided to upgrade the malicious program.

.WNCRY file extension virus. This ransomware version emerged in 2017 and is named for the .wncry file extension it appends to every encrypted file. You can use a free decryption tool that will restore files marked with these file extensions for you. The ransomware is currently under analysis, so victims are advised to remove the ransomware and keep the encrypted data because, in the future, researchers might find a way to restore corrupted files. Just like the rest of the crypto-ransomware family members, the virus demands a ransom in Bitcoins worth $300-$600.

WCrypt ransomware virus. WCrypt virus is an alternative name for the main ransomware. The ransomware has devastated files all over the globe, and new versions keep showing up. Researchers have noticed that certain variants of this ransomware append the .wcryt or .wncrypt extension to files, which gives an idea where the alternative name of the ransomware comes from. If your antivirus detects an infection called WCrypt, eliminate such a virus and everything related to it ASAP!

WannaCryptor ransomware virus. WannaCryptor is also an alternative name for the ransomware, used by several anti-spyware and antivirus programs. If your security software blocked Trojan.Ransom.WannaCryptor.H, you should know that the infamous ransomware has just attempted to step into your system. If it had succeeded, it would have encrypted all of your files and asked for $300-$600 as a ransom. The name comes from Wanna Decryptor 1.0, the window the malware opens after encrypting all files. Victims reported that this ransomware adds the .wcry file extension to corrupted records.

WanaCrypt0r ransomware virus. It is yet another name for the updated version of the ransomware. The new version chooses Windows vulnerabilities as its primary attack vector and encrypts all files stored on the system in seconds. Affected files can be recognized by the extension added right after the original file extension – .wncry, .wncryt, or .wcry. There is no way to restore corrupted data without a backup or the private key created during the data encryption process. The virus typically demands $300, although it raises the ransom price to $600 if the victim fails to pay up within three days.

WanaCrypt0r 2.0 ransomware virus. It is the name of an updated WannaCryptor variant, which launches Wana Decrypt0r 2.0 after encrypting the user’s files. This malicious program was used to attack computer users worldwide during the cyber attack launched on May 12, 2017. According to the latest reports, the total of ransoms paid to Bitcoin wallets that belong to cyber criminals has already reached $60,000. The virus appends the .WNCRY file extension to encrypted files and drops a ransom note called @Please_Read_Me@.txt. At the moment, malware researchers cannot provide any tools that could restore data that this malicious program corrupts.

Wana Decrypt0r ransomware virus. This is the program that the virus launches after a successful infiltration of the target system. Researchers have already noticed Wanna Decryptor 1.0 and Wanna Decryptor 2.0 versions reaching victims. The malicious software displays a countdown clock showing how much time is left to pay the ransom before its price skyrockets, and an identical countdown clock showing how much time is left until the virus deletes all data from the computer. This particular version shook the virtual community on 12 May 2017, although several days later it was stopped by a security researcher who goes by the name of MalwareTech.

Wana Decrypt0r 2.0 ransomware virus. This program has shocked hundreds of thousands of computer users worldwide because in May 2017 it managed to infect over 230k computers in more than 150 countries. The appearance of this program window indicates that the ransomware has already encrypted all of your files, so closing it won’t save your data. This version of the ransomware demands between 0.171 and 0.34 BTC to restore the victim’s files. The described malware variant was analyzed, and researchers discovered how it infects the system. Before attacking the files stored on the target computer, the program connects to a non-existent domain, and if it fails to connect, the encryption procedure starts. One security researcher discovered this kill switch and registered the domain, making the ransomware useless. However, since then, the virus has been updated.

WannaCry 2.0 ransomware virus. Since all the news sites rushed to post about the kill switch discovered by the malware researcher, the authors of the ransomware pushed out a new ransomware version that evades the kill switch[7]. Luckily, the infection rate has slowed down, and although the ransomware is still active, that slowdown still counts for something. It is believed that the second version was not developed by the original WannaCry authors, which simply shows that criminals only need to modify the code a little to start attacking users again. According to reports, the malicious virus spreads via fake Excel documents, so if a stranger sends you one via email, do not open it!

DarkoderCrypt0r ransomware virus. DarkoderCrypt0r virus is an imitation of the powerful ransomware that has recently hit the virtual community. It adds the .DARKCRY extension to corrupted files and launches a program that looks almost identical to Wana Decrypt0r 2.0. Instead of displaying a countdown clock that shows how much time the victim has to pay the ransom before it doubles, the virus displays “3 days.” It asks for the same sum of money as the real virus. This version does not have worm-like features, so it doesn’t spread the same way as the original virus.

How to remove WannaCry and restore encrypted files?

You should only rely on professional ways to remove the WannaCry virus and not try to uninstall this malicious program manually. The virus is extremely dangerous, and it uses sophisticated measures to spread through the entire computer system and also infect connected computers and smart devices. The sooner you disable this virus, the better, so do not waste any more time. If you have a data backup, do not rush to plug it into the compromised computer, or the data copies will be encrypted as well. For best results, we suggest you follow these WannaCry removal guidelines provided by the 2-Spyware team.


More information about this program can be found in Reimage review.

Alternate software:

  • Plumbytes Anti-Malware – we have tested its efficiency in removing WannaCry ransomware virus (2017-05-19)
  • Malwarebytes Anti Malware – we have tested its efficiency in removing WannaCry ransomware virus (2017-05-19)
  • Hitman Pro – we have tested its efficiency in removing WannaCry ransomware virus (2017-05-19)
  • Webroot SecureAnywhere AntiVirus – we have tested its efficiency in removing WannaCry ransomware virus (2017-05-19)

Manual WannaCry virus Removal Guide:

Remove WannaCry using Safe Mode with Networking


To delete the WannaCry virus in Safe Mode, follow each of the provided steps attentively and make sure you boot your PC into the right mode. This way, you will disable the virus and create the right environment for launching malware removal software.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove WannaCry

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, remove the malicious files that belong to the ransomware and complete WannaCry removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove WannaCry using System Restore

To eliminate the malicious program with System Restore, follow the steps given below.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of WannaCry. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that WannaCry removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove WannaCry from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

Unless you are willing to waste from $300 to $600 or have a data backup, there is no way to restore files encrypted by this fearsome virus. Malware analysts have been working hard and have already presented legitimate decryption tools. In addition, you can also try the following WannaCry data recovery options:

If your files are encrypted by WannaCry, you can use several methods to restore them:

Install and run Data Recovery Pro

Data Recovery Pro might be the right tool if you want to restore part of encrypted files. Here’s how to use it.

Search for Volume Shadow Copies

Sometimes even the most sophisticated viruses fail to complete all of their malicious tasks, so if you are lucky enough, the virus might have left Volume Shadow Copies on the system. To find them and use them for data recovery, install the ShadowExplorer software.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try WannaCry decryption tools presented on GitHub

If you didn’t reboot your computer after the infiltration of WannaCry, you can try the Wannakey decrypter. If you have already rebooted your machine, make sure you download WanaKiwi, which is compatible with Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from WannaCry and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Olivia Morelli - Ransomware analyst
