Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Aug 2017

How to remove Why-Cry ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Gabriel E. Hall · Passionate web researcher

Why-Cry: another WannaCry imitator terrifies victims

The picture showing Why-Cry ransom note

Why-Cry virus is another ransomware borrowing the name from the infamous ransomware. Though since the attack of the original crypto-malware, WannaCry, there have been already multiple copies, this one seems to be quite persistent. It happens to be the successor of another crypto-malware, WhyCry, which emerged two months ago. Cyber experts have noticed two versions roaming on the Web: TPS 1.0 and TPS 2.0 versions.

According to VirusTotal service[1], the malware is detectable as MSIL/Filecoder.A!tr, Ransom.WhyCry, Win32/Trojan.825, etc. It seems to execute its comments via Why-Cry ransomware.exe.

Thus, it is possible to detect it on the Task Manager and end the command. However, it will hardly cease the very threat. Additionally, this malware reboots the system in order to encrypt files. After that, it displays the message warning not to turn off the computer.

Later on, it asks to create a Bitcoin wallet and transfer the amount worth $300 to a specific address. Since you are dealing with a file-encrypting threat, paying the ransom does not increase the chances of data recovery. Thus, it would be better to initiate Why-Cry removal. FortectIntego or MalwarebytesMalwarebytes will be of assistance of countering the malware.

Other versions of the malware

TPS 1.0 ransomware. Its operation mode resembles the original Petya[2] as it requires rebooting the system. According to the ransom note, the perpetrator seems to be a non-native English speaker. It asks to purchase the bitcoins and transfer to the Bitcoin address. In smaller font, it warns several times not to turn off the device. No reports about data recovery after the payment are recorded. 

TPS 2.0 virus displays almost identical ransom note expert that this time it introduces itself as Why-Cry. Though it also targets exclusively Windows systems, it does not seem to be so elaborate as the original WannaCry as it needs to reboot the system to encode files.

Unlike other threats, the virus does not offer to purchase any Why-Cry Decrypter but instead remit the payment to get a decryption code. Luckily, IT experts have found a key combination to decrypt the files – YANGTGTDKYFWSBDAUWPMFNHBUGPFUCKY.[3] Make a rush to remove TPS 2.0/Why-Cry.

Distribution peculiarities

This particular malware spreads the same way as other threats. It lurks for unsuspecting users in torrent sharing domains. It might also hide in abandoned software and links promoted in the domains overcrowded with ads and links to gaming or even more fishy sites.

You should not forget another popular ransomware distribution method – spam emails. Though it is more popular among Locky, which now spreads as Diablo6 and Lukitus malware, and Cerber, you should not exclude the possibility that this malware might also deviate to this option. In order to ward off ransomware trojans and exploit kits, update malware elimination tools.The image displaying Why-Cry trojan alternative names

Why-Cry elimination steps

If this malware has corrupted the device there is no need to send the money to perpetrators. Start Why-Cry removal by launching an anti-spyware tool. In case, your computer the lock-screen of the malware, restart the system in Safe Mode. More information is displayed below.

After you remove TPS 2.0/Why-Cry virus, you can decode the files. After that, it is recommended to scan the device again. This malware is likely to be distributed in Europe, so not only British users, but, for instance, Croatian[4] users should be cautious of the malware.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.