Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jul 2019

How to remove WannaLocker ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Gabriel E. Hall · Passionate web researcher

WannaLocker – a combination of spyware, RAT, and banking Trojan that pretends to be a mobile version of WannaCry

WannaLocker ransomware virus

WannaLocker is an imposter of the WannaCry ransomware. Recently this cyber threat has been targetting Android users in China. However, malware might expand its target field and aim at computer users all over the world. WannaLocker ransomware virus spreads as a plugin for the popular Chinese game in gaming forums. On the affected device, ransomware replaces the wallpaper to the anime image. Then it encrypts targeted files with AES encryption[1] and appends a unique file extension which is the string of random symbols. Once all files are encrypted, the malware runs a ransom-demanding window that looks similar to WannaCry’s. It provides information about encrypted data and possibilities to recover them in the Chinese language.

Name WannaLocker
Type Ransomware
Other modules Spyware, RAT, banking Trojan
Imitation of WannaCry
target Chinese speakers
Encryption AES cipher is used for locking files
Distribution Malicious links, third-party app stores
Detection Use tools such as FortectIntego to detect the malware
Removal Automatical elimination is the only possibility for this case

WannaLocker ransomware asks to pay 40 Chinese Renminbi and contact them as soon as the transaction is made. They will provide the necessary decryption key and sets corrupted files free. Meanwhile, two timers in the ransom note show how much time has left until the size of the ransom doubles and when users lose their records entirely.

However, instead of following these instructions and rushing to make the payment, victims should focus on WannaLocker removal. It’s crucial to delete malware from the smartphone or tablet in order to use it normally again. To complete this task, we recommend installing a mobile version of FortectIntego and running a full system scan.

WannaLocker is designed to encrypt files on the external storage of the affected device. This unique technique has been used by another mobile ransomware – SimpLocker.[2] What is more, malware is designed to encrypt only those files that do not start with a “.” Meanwhile, files that are located in DCMI, download, miad, android and com. directories are not in the target field of the ransomware as well.

It also does not encrypt files that are bigger than 10 KB. Currently, there’s no decryption software that could restore files encrypted by WannaLocker ransomware. However, if you back up your files, you can recover your files from them. But before that, you need to remove WannaLocker from the device. Plugging in your smartphone to the computer or accessing Cloud storage might lead to encrypted files in these locations.

WannaLocker ransomware

It seems that developers of WannaLocker Android are amateurs or want to be found and arrested for cyber crimes. Cybercriminals do not ask to transfer the ransom in Bitcoins. Using alternative currency is popular among hackers because in this way the money flow cannot be tracked and criminals cannot be found.

But this time crooks asks to transfer the money using QQ, Alipay, and WeChat that are popular payment methods in China. Besides, it’s quite easy to track money flow and find people standing behind this cyber threat. In order to make the payment simpler, cybercriminals also provided two QR codes.

All these conveniences and small ransom (around 5-6 USD) should not motivate you to follow hackers’ rules. They may not have decryption software or ask for more money. Even a small amount of money is a motivation for cybercriminals to develop new or improve current cyber threats. Thus, do not sponsor them and just remove WannaLocker from the device.

WannaLocker Android targetting four banks in Brazil

WannaLocker virus

Recently the well-known security company Avast released a report about WannaLocker targetting banks in Brazil. According to this news source,[3] the malware has attacked four different banks by releasing all three of its modules which are spyware-related, banking Trojan-related, and RAT-related.

According to security researchers, WannaLocker might be capable of gathering various sensitive and important details from the infected device. This type of information could remain to mobile phone numbers, contact list, received messages, and even credential details that can be misused in money theft later on.

Even though it is yet unknown how WannaLocker enters targeted Android devices, researchers speculate that this malware might be capable of finding its way through third-party store applications or malicious hyperlinks. However, malware injection through links is a very common occurrence throughout the Internet sphere and can happen at any time.

Malware spreads as a plugin for King of Glory game

This mobile ransomware has been spotted spreading in Chinese game forums. It is presented as a plugin for the King of Glory (王者荣耀) – a very popular game in China. The malicious file is named as “com.android.tencent.zdevs.bah.” Then users are misled and download this file, WannaLocker enters the device and starts its hazardous task.

However, cybercriminals might be using (or at least planning to use) other ransomware distribution channels. Thus, you should be aware that malware might be distributed using malicious spam emails, malvertising, exploit kits, fake updates, bogus software downloads, etc. According to Virusai.lt,[4] these are the most popular methods used by cybercriminals. Thus, you should take all precautions[5] and backup files stored on the mobile phone and computer.

Removal of the WannaLocker ransomware virus

The only safe way to remove WannaLocker from the Android phone or tablet is to install a mobile-friendly antivirus program and scan the system with the help of it. We recommend using FortectIntego or SpyHunterCombo Cleaner. This software will detect all malicious entries, processes, and files which need to be eliminated in order to permanently get rid of the cyber threat.

WannaLocker removal is a process you should take seriously and not risk damaging your system by completing it manually. Using trustworthy tools for virus deletion is the only safe choice you have. After you take care of the malware and no malicious objects remain in your system, look down for some data recovery solutions. 

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.