Remove WannaCry ransomware / virus (Virus Removal Instructions) - Oct 2020 update

Removal by Olivia Morelli | Type: Ransomware

WannaCry ransomware is a global cyber threat that is active again after two years of silence

WannaCry ransomware virus is a dangerous cyber threat which aims to encode data on the system.

WannaCry is the notorious ransomware virus that crippled more than 200,000 computers around the world back in 2017 and caused millions of dollars of damage to multiple organizations and governmental institutions. People believed that the virus was finally crippled when researchers announced patches, but recent activity revealed that the patches were damaging but not deadly for the cryptovirus.

The malware uses the EternalBlue exploit[1] that was leaked by Shadow Brokers, the hacker group which published a series of leaks that disclosed secret hacking tools used by the NSA. WannaCry was eventually tied to the North Korean Lazarus group that was responsible for the cyberattack on Sony in 2014 and the Bangladesh bank robbery in 2016.

Modified versions of WannaCry appear to be still affecting various users and businesses all over the world. It was crippled for a while, but up to 12 480 variants with original code were reportedly discovered. Although the kill switch was released and infections stopped, some of those ransomware samples were updated and thousands of primary versions remain active in the wild. In August 2019, researchers detected and blocked more than 4.3 million attempts to infect computers and spread versions of WannaCry.

Windows update patches were released to deter WannaCry from installing, but not everyone patched their software. The rise of this ransomware means that machines whose owners haven't patched the OS in the past two years are vulnerable to WannaCry to this day, especially since more dangerous versions have emerged in the past two months.

Name: WannaCry
Alternative names: WannaCrypt0r, Wana Decrypt0r
Type: Ransomware
Versions: .wcry file extension virus; .wncry file extension virus
Danger level: High. Makes system changes, encrypts files. Malware can damage files without the possibility of decrypting them
Release date: 12 May 2017
Ransom amount: Demands can go up to hundreds or thousands, but there is no point in paying the ransom because virus developers are not keeping track of transfers and not sending decryption tools to anyone
Cryptography: RSA encryption method
Appended file extensions: .wcry, .wncryt, .wncry; can also use different file markers or none at all
Ransom note: @Please_Read_Me@.txt, Please Read Me!.txt
Targeted OS: Windows. Recent reports show that not only the newer devices get affected, since Windows 7 and Windows XP also get targeted
Distribution methods: EternalBlue exploit kit, DoublePulsar backdoor and other Windows OS vulnerabilities are used to obtain access to particular systems and spread WannaCry ransomware further
To uninstall WannaCry, install Reimage Reimage Cleaner Intego and run a full system scan

WannaCry ransomware encrypts data on the victimized computer using the RSA algorithm and appends .wncry, .wncryt, or .wcry extensions at the end of the corrupted file names. Victims are asked to pay $300 for the decryptor, which later doubles if the amount is not paid within three days. While WannaCry is considered to be an old threat and Windows patched the vulnerability back in May 2017, the malware is still active with 74,621 infections in Q3 2018, as research conducted by Kaspersky Labs researchers shows.[2]

As is evident, WannaCry is not going away, despite its initial outbreak being over for a while now. Since its first infection, the malware has hit 4,826,682 computers worldwide and counting.[3] At the time of writing, there are around 1.7 million vulnerable machines connected to the internet that could be victimized by WannaCry malware.

WannaCry ransomware emerged on Friday, 12 May 2017[4]. The dangerous virus, which is alternatively known as WannaCrypt0r, and Wana Decrypt0r, affected more than 230 000 computers in over 150 countries within a few days.[5] However, cyber attacks continue in 2018. In March, ransomware hit the world's largest aerospace company Boeing and keeps doing the same.

The success of the attack lies in the distribution technique that aimed at outdated and unpatched Windows computers. The Wanna Cry virus took advantage of the EternalBlue exploit kit and hit various companies and organizations. However, the healthcare sector suffered the most[6].

After WannaCry infection, the settings on the victimized computer are changed, and users see the WannaCry ransomware wallpaper.

According to reports, the first big companies affected by this ransomware were Telefonica, Gas Natural and Iberdrola. Some of the victims had data backups, while others had to face tragic consequences. Without exception, all victims are advised to carry out WannaCry removal as soon as possible as it can help to prevent ransomware from spreading further.  

Ransomware acts like a worm[7] because, as soon as it gets into the target PC, it starts looking for other computers to infect. It uses a security loophole in Windows OS and rapidly spreads using file sharing tools (such as Dropbox or shared drives) without asking for victim’s permission to do so.

There are three elements installed:

  • Encryption/decryption tool;
  • Tor browser;
  • Files storing encryption keys.

Showing the ransom note of the original WannaCry virus.

The purpose of WannaCry is to collect ransoms in Bitcoins. After data encryption, the malware displays a ransom note where victims are urged to pay a ransom ranging from $300 to $600 in Bitcoins. Hackers try to scare people into paying the money by telling them that their files will be deleted if they fail to pay within the 7-day deadline.

However, security specialists urge victims to remove WannaCry from the affected systems instead of paying the ransom. There are several decrypters, Wannakey and Wanakiwi, presented by security experts that you can download from the Internet for free. Additionally, if you have backups, you can recover data after cleaning the device with Reimage Reimage Cleaner Intego or another malware removal software.

Ways WannaCry infects systems

Even though there are multiple ways WannaCry virus can enter your system, the most widely used one targets the Windows CVE-2017-0145[8] vulnerability in the Server Message Block (SMB) protocol. The infamous Shadow Brokers hacker group stole the EternalBlue exploit kit, which was designed by the US National Security Agency (NSA), and published it online.

Introducing key facts about WannaCry ransomware virus.

The vulnerability is already patched, suggests Microsoft’s security bulletin MS17-010 (released on 14 May 2017). The exploit code used by perpetrators was meant to infect outdated Windows 7 and Windows Server 2008 systems, and reportedly users of Windows 10 cannot be affected by the virus. The malware typically arrives as a dropper Trojan that contains the exploit kit and the ransomware itself. 

However, experts still recommend that users be extremely cautious. In fact, people are advised to take precautionary measures such as downloading and running CrowdStrike Falcon, an antivirus which offers endpoint protection and incorporates behavioural analysis to detect indicators of attack (IOAs).

Furthermore, the latest WannaCry variants are distributed via girlfriendbeautiful[.]ga/hotgirljapan.jpg?i=1 in the APAC region. After gaining access to the target computer, the virus creates a folder in C:\ProgramData and names it with a set of random characters. The new folder contains the tasksche.exe executable file.

The ransomware can also save its components into the C:\Windows directory, dropping two files – mssecsvc.exe and tasksche.exe. The virus executes the Icacls . /grant Everyone:F /T /C /Q command to get access to all of the victim's files. The virus is set to connect to a non-existing domain, and if the connection fails, the ransomware infects the system. One such domain was purchased by the security researcher MalwareTech; therefore, viruses that tried to connect to that domain failed to infect computer systems.

What is more, cybercriminals attempted to DDoS that domain to continue the activity of the ransomware, but without success. Sadly, attackers understood their mistake and shortly released updated variants of the malware that connect to different domains, so from now on it won't be easy to fight against this malicious program.
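The file and command-line artifacts described above (mssecsvc.exe and tasksche.exe in C:\Windows, tasksche.exe inside a randomly named C:\ProgramData folder, the ransom note names, the appended extensions and the icacls command) can be turned into a simple triage check. The following is an added example, not code from the original article or from any vendor tool; the function names, the verdict rule and the sample listing are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Indicators named in the article above.
DROPPED_IN_WINDOWS = {"mssecsvc.exe", "tasksche.exe"}
RANSOM_NOTES = {"@please_read_me@.txt", "please read me!.txt"}
ENCRYPTED_EXTENSIONS = {".wcry", ".wncry", ".wncryt"}

# Assumption of this example: split indicators into "dropper" and "impact" groups.
DROPPER_HITS = {"dropped-binary-in-windows-dir", "tasksche-in-programdata-subfolder"}
IMPACT_HITS = {"ransom-note", "encrypted-file-extension", "icacls-grant-everyone-full"}


def classify_path(raw):
    """Return the indicator names matched by one Windows file path."""
    p = PureWindowsPath(raw)
    name = p.name.lower()                       # Windows paths are case-insensitive
    parts = [part.lower() for part in p.parts]  # e.g. ['c:\\', 'windows', 'x.exe']
    hits = []
    # C:\Windows\mssecsvc.exe or C:\Windows\tasksche.exe (directly in the directory)
    if name in DROPPED_IN_WINDOWS and len(parts) == 3 and parts[1] == "windows":
        hits.append("dropped-binary-in-windows-dir")
    # C:\ProgramData\<randomly named folder>\tasksche.exe
    if name == "tasksche.exe" and len(parts) == 4 and parts[1] == "programdata":
        hits.append("tasksche-in-programdata-subfolder")
    if name in RANSOM_NOTES:
        hits.append("ransom-note")
    if p.suffix.lower() in ENCRYPTED_EXTENSIONS:
        hits.append("encrypted-file-extension")
    return hits


def is_mass_permission_grant(cmdline):
    """True for an icacls call that recursively grants Everyone full control."""
    tokens = cmdline.lower().split()
    if not tokens:
        return False
    exe = PureWindowsPath(tokens[0].strip('"')).name
    if exe not in ("icacls", "icacls.exe"):
        return False
    try:
        grantee = tokens[tokens.index("/grant") + 1]
    except (ValueError, IndexError):
        return False
    # /T makes the grant recursive, as in the command quoted in the article.
    return grantee == "everyone:f" and "/t" in tokens


def triage(paths, cmdlines):
    """Return (verdict, findings) for a file listing and process command lines."""
    findings = {}
    for raw in paths:
        for hit in classify_path(raw):
            findings.setdefault(hit, []).append(raw)
    for cmd in cmdlines:
        if is_mass_permission_grant(cmd):
            findings.setdefault("icacls-grant-everyone-full", []).append(cmd)
    found = set(findings)
    if found & DROPPER_HITS and found & IMPACT_HITS:
        verdict = "likely-infected"
    elif found:
        verdict = "suspicious"
    else:
        verdict = "no-indicators"
    return verdict, findings


# Constructed sample input (not taken from a real incident).
SAMPLE_PATHS = [
    r"C:\Windows\mssecsvc.exe",
    r"C:\Windows\tasksche.exe",
    r"C:\ProgramData\qzxvbnmasdf123\tasksche.exe",
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Documents\@Please_Read_Me@.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\icacls.exe",
]
SAMPLE_CMDLINES = [
    r"icacls . /grant Everyone:F /T /C /Q",
    r"C:\Windows\System32\icacls.exe D:\share /grant Alice:R",
]

if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_PATHS, SAMPLE_CMDLINES)
    print("verdict:", verdict)
    for name, items in sorted(findings.items()):
        print(f"  {name}: {len(items)}")
        for item in items:
            print("     ", item)
```

Feed it a recursive file listing and process-creation command lines exported from the machine under investigation; a "suspicious" verdict on extensions alone can also come from one of the imposters described later in this article.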

Researcher demonstrates screenshots taken during WannaCry attack. You can see the Wanna Decrypt0r window as well as the image that WannaCry sets as the default desktop wallpaper after infecting the system and encrypting all files on it.

The ransomware can affect anyone who lacks knowledge about ransomware distribution, therefore we suggest reading this Wanna Cry ransomware prevention guide that our experts prepared:

  1. Install the MS17-010 system security update that Microsoft recently released. It addresses the particular vulnerability that the ransomware exploits. The updates were exceptionally released even for old OS such as Windows XP or Windows 2003.
  2. Keep the rest of computer programs up-to-date.
  3. Install a reputable anti-malware software to defend your computer against illegal attempts to infect your computer with malicious programs.
  4. Never open emails that come from strangers or companies that you have no business with.
  5. Disable SMBv1 using instructions provided by Microsoft. If these instructions seem confusing, try the method provided in the next step.
  6. Apply a quick fix – install the WannaSmile tool, which was developed by Hrishikesh Barman. This tool automatically disables SMB, edits the hosts file to add Google's IP to the “kill-switch” (online fix) and creates a lightweight local web server and adds localhost to the “kill-switch” (offline fix).
  7. Look for more tips in this guide on how to survive WannaCry attack.

May 2019 update: the state of WannaCry two years on

Possibly one of the main reasons why WannaCry became one of the most prolific threats of the decade was its ability to spread over the network to all the other unpatched computers by abusing the EternalBlue exploit.

After a significant amount of struggles that rail stations, hospitals, and other vital sectors had to go through, the kill switch was activated by the security researcher Marcus Hutchins (also known as MalwareTech), who was later charged with unrelated cyber crimes.

After the kill-switch was activated, the amount of WannaCry infections went down by a significant margin. Nevertheless, according to Microsoft researcher Nate Warfield,[9] there are still around 1.7 million machines that are vulnerable to EternalBlue SMB exploit, and that is not counting the devices that could be connected to these via the servers.

Since its initial outbreak, WannaCry hit 4.8 million machines worldwide, with the top countries hit being:

WannaCry infections by country since its initial launch:
India: 727,883
Indonesia: 561,381
USA: 430,643
Russia: 356,146
Malaysia: 335,814

Many security researchers are voicing their disappointment about the situation, as the threat can be easily avoided by merely patching the vulnerable systems. Unfortunately, cybersecurity is mostly overlooked until a threat manages to cause a significant amount of damage.

November 2018 update: the virus is still active in Q3 2018

Security experts from Kaspersky Lab published a report detailing global threat actor activity. They noted that the total number of blocked threats in Q3 2018 was 947,027,517 across 203 countries. While ransomware attacks were considered to be in decline this year, the total number of infections grew from 186,283 to 259,867 in a year, which indicates the overall growth of file-locking malware.[10]

According to research, the overall infections of WannaCry increased by 2/3 in comparison to the same period in 2017. They were especially concerned about the WannaCry virus prevalence, accounting for a total of 28% of all infections:

It is concerning to see that WannaCry attacks have grown by almost two thirds compared to the third quarter of last year. This is yet another reminder that epidemics don’t cease as rapidly as they begin – the consequences of these attacks are unavoidably long-lasting. Cyber-attacks of this type can be so severe that it’s necessary for companies to take adequate preventive measures before a cyber-criminal acts – rather than focus on recovery

It once again proves that, although the EternalBlue was patched over a year ago, users and organizations still tend not to patch their systems on time, resulting in thousands in recovery costs. Researchers push users to invest in preventing the attack rather than dealing with its consequences.

September 2019: versions of WannaCry contain bypass for the kill switch

Sophos researchers revealed in their new report that WannaCry is not dead. It is more alive than ever, because the kill switch that got many people to believe in the end of this ransomware can be bypassed. Analyzing the recent activity of WannaCry, researchers discovered how many people the threat has affected:

  • At least 12 000 WannaCry variants found in the wild. Even two years after the supposed killing of the virus.
  • More than 5 000 attack attempts against unpatched devices were blocked. This is only in the last three months of 2018.
  • Most of the computers targeted run Windows 7 without needed patches. So Windows XP is not forgotten.
  • The original non-updated version was sent only 40 times.
  • Paying the ransom is suggested but gives no results. Some of the victims have paid, but criminals aren't monitoring those payments and decryption tools or keys are not provided.

Despite Microsoft patching the EternalBlue vulnerability back in 2017, it is evident that hackers still have millions of users to target, as they are not using the most recent software updates.

March 2018 Update: WannaCry ransomware has infected the servers of Boeing

On March 28, experts reported a recent WannaCry ransomware attack. Apparently, Mike Vanderwelm, chief engineer at Boeing, detected a cyber threat on the company's servers.

Cybersecurity researchers thought that the ransomware would disrupt the firm's production and even software. Luckily, it hasn't caused as much damage as everyone expected[11]. Later on, the head of Boeing communications gave assurances that the malware affected only a few devices. The problem is under control, and no issues were detected on production lines.

November 2017 Update: imposters aim to infect computers in Russia and Portugal

In November, Russian-speaking users reported being hit by a fake Wanna Cry version which is called WannaDie. Some people also recognized it by the WanaDie name and the .wndie extension at the end of the compromised filenames. Even though it does demand a ransom in exchange for Wanna Die Decrypt0r, experts report that it does not encode information on the infected computers.

The same situation is with a fake Portuguese WannaCry variant.[12] This malicious program also is unable to decrypt files yet. However, it is ready to start swindling 0.0060 Bitcoins from threatened computer users. But affected files can be recovered by using the 7HAR2NTX-YC8APT4B-4H7H62JP-A2QLWNHU-ZWYX5J4J-W29P6M9W-KS3LKAP4-BML5WTS2 unlock key.

WannaDie is another fake WannaCry variant which tries to impersonate the original cyber threat.

Both fake WannaCry variants use a similar design of the ransom note as the original variant. Victims are also asked to pay the ransom within 3 days; otherwise, the size of the ransom will increase, and after 7 days, the decryption key will be destroyed.

However, if these variants would ever start encrypting files, paying the ransom should not be considered. It is most likely to lead to money loss.

August 2017 Update: South Korean self-service kiosks are under WannaCry attack

WannaCry ransomware has appeared on LG self-service kiosks[13] in South Korea on Wednesday. Users reported that they have received the ransom note[14] on the computers. However, despite the fact that the message looks extremely similar to the original one, further analysis is required to assure that this is WannaCry ransomware.

The original malware succeeded in wreaking global chaos since multiple companies worldwide failed to update their Windows operating system. Specifically, the malware targeted weak SMB protocols in the Windows 7 version. South Korea was also one of the most affected countries. Thus, the fact that LG failed to update its kiosk systems raised surprise, if not suspicions.

FBI arrested MalwareTech guy for developing and selling malware

MalwareTech is the online name of Marcus Hutchins, who managed to temporarily stop WannaCry ransomware distribution. Once the researcher detected the bogus domain and registered it, the global spread of the file-encrypting virus slowed down significantly for some time.

However, on the 2nd of August, it was reported that the FBI arrested the 24-year-old, UK-based malware researcher.[15] The US authorities pressed charges for creating and selling the banking Trojan Kronos.

According to the official document,[16] Hutchins created the virus in July 2014 and later tried to sell it for $3,300. At the beginning of 2015, he updated the Kronos malware and advertised it in dark web forums. Finally, he is suspected of selling the malicious program for about $2,000.

Hackers behind the ransomware generated $143 000 from the attacks

Even though WannaCry ransomware is one of the most dangerous ones, only 338 victims have been convinced to pay the ransom for the decryption software[14]. It seems that the developers of the malicious program should improve their social engineering tactics to make more profit.

On August 3, it was noticed that collected ransoms were drained from three Bitcoin wallets used by cyber criminals. The virtual currency has been transferred to nine other Bitcoin accounts.[17] However, it’s not clear where the money has been sent or what purposes the hackers have.

There’s no doubt that these transactions are being monitored. Europol and the U.S. Department of Justice are working on this cyber attack. However, no official statements have been released yet.

The list of WannaCry ransomware virus versions

.wcry file extension virus

Experts categorize this version of WannaCry virus to be the first. Once it appeared in cyberspace in February 2017, no one believed that it would become as dangerous as CryptXXX, Cerber, or CryptoLocker viruses.

The virus uses AES-128 cryptography cipher to lock files securely, adds .wcry file extensions to their filenames and asks to transfer 0.1 Bitcoin to a provided virtual wallet. The malware was initially distributed via email spam; however, this particular virus did not bring a lot of income for its developers. Although files encrypted by this ransomware appeared to be unrecoverable without having the decryption key, developers of it decided to upgrade the malicious program.

.WNCRY file extension virus

.WNCRY file extension virus. The ransomware version that belongs to the described malware category emerged in 2017 and is named for its ability to append the .wncry file extension to every encrypted file. You can use a free decryption tool that will restore files marked with these file extensions for you.

The ransomware is currently under analysis, so victims are advised to remove the ransomware and keep the encrypted data because, in the future, researchers might find a way to restore corrupted files. Just like the rest of the crypto-ransomware family members, virus demands a ransom in Bitcoins that's worth $300-$600.

WCrypt ransomware

WCrypt ransomware virus.  WCrypt virus is an alternative name to the main ransomware. The ransomware has devastated files all over the globe, and new versions keep showing up.

Researchers have noticed that certain variants of this ransomware append .wcryt or .wncrypt extension to files, which gives an idea where the alternative name of the ransomware comes from. If your antivirus detects an infection called WCrypt, eliminate such virus and everything related to it ASAP!

WannaCryptor ransomware

WannaCryptor ransomware virus. WannaCryptor is also an alternative name of the ransomware, which is used by several anti-spyware and antivirus programs. If your security software blocked Trojan.Ransom.WannaCryptor.H, you should know that the infamous ransomware has just attempted to step into your system.

If it had succeeded in doing so, it would have encrypted all of your files and asked for $300-$600 as a ransom. This name is used according to Wanna Decryptor 1.0, which the malware opens after encrypting all files. Victims reported that this ransomware adds .wcry file extensions to corrupted records.

WanaCrypt0r ransomware

WanaCrypt0r ransomware virus. It is yet another name for the updated version of the ransomware. The new version chooses Windows vulnerabilities as its primary attack vector and encrypts all files stored on the system in seconds.

Affected files can be recognized from extensions added to the filename right after the original file extension – .wncry, .wncryt, or .wcry. There is no way to restore corrupted data without having a backup or the private key created during the data encryption process. The virus typically demands $300, although it raises the ransom price to $600 if the victim fails to pay up within three days.

WanaCrypt0r 2.0

WanaCrypt0r 2.0 ransomware virus. It is the name of an updated WannaCryptor variant, which launches Wana Decrypt0r 2.0 after encrypting user's files. This malicious program was used to attack computer users worldwide during the cyber attack launched on May 12, 2017.

According to the latest reports, the total of ransoms paid to Bitcoin wallets that belong to cybercriminals has already reached $60,000. The virus appends .WNCRY file extensions to encrypted files and drops a ransom note called @Please_Read_Me@.txt. At the moment, malware researchers cannot provide any tools that could restore data that this malicious program corrupts.

Wana Decrypt0r ransomware

Wana Decrypt0r ransomware virus. This is the program that the virus launches after a successful infiltration to the target system. The researchers already noticed Wanna Decryptor 1.0 and Wanna Decryptor 2.0 versions approaching victims.

The malicious software displays a countdown clock showing how much time is left to pay the ransom before its price skyrockets, and an identical countdown clock that shows how much time is left until the virus deletes all data from the computer. This particular version shook the virtual community on 12 May 2017, although several days later it was stopped by a security researcher who goes by the name of MalwareTech.

Wana Decrypt0r 2.0 ransomware

Wana Decrypt0r 2.0 ransomware virus. This program has shocked hundreds of thousands of computer users worldwide because in May 2017 it managed to infect over 230k computers in more than 150 countries. The appearance of this program window indicates that the ransomware has already encrypted all of your files, so closing it won't save your data. This version of ransomware demands between 0.171 and 0.34 BTC to restore the victim's files.

The described malware variant was analyzed and researchers discovered how it infects the system. Before attacking the files stored on the target computer, the program connects to a non-existing domain, and if it fails to connect, the encryption procedure starts. One security researcher discovered such ransomware kill switch and registered the domain, making the ransomware useless. However, since then, the virus has been updated.

WannaCry 2.0 ransomware virus

WannaCry 2.0 ransomware virus. Since all the news sites rushed to post about the kill switch discovered by the malware researcher, authors of the ransomware pushed out a new ransomware version that evades the kill switch[18]. Luckily, the infection rate has slowed down, and although the ransomware is active, it still means something.

It is believed that the second version is not developed by original WannaCry authors, which simply shows that criminals only need to modify the code a little to start attacking users again. According to reports, the malicious virus spreads via fake Excel documents, so if a stranger sends you one via email, do not open it!

DarkoderCrypt0r ransomware

DarkoderCrypt0r ransomware virus. DarkoderCrypt0r virus is an imitation of the powerful ransomware that has recently hit the virtual community. It adds .DARKCRY extensions to corrupted files and launches a program that looks almost identical to Wana Decrypt0r 2.0.

Instead of displaying a countdown clock that shows how much time the victim has to pay the ransom until the ransom doubles, the virus displays “3 days.” It asks for the same sum of money as the real virus. This version does not have worm-like features, therefore it doesn't spread the same way as the original virus.

FakeCry ransomware

FakeCry ransomware virus. The FakeCry virus is also known as WannaCry clone virus. It is one of those viruses that recently attacked Ukraine. According to Kaspersky, some MeDoc users were infected not only with ExPetya but with another ransomware that turned out to be a fake copy of the infamous WannaDecrypt0r 2.0 virus. The difference between the fake and the original is that the clone is developed in .NET, while the real one is written in C language.

The ransomware asks for 0.1 BTC as a ransom. The ransomware, surprisingly, has a list of extensions in DEMO_EXTENSIONS. The list contains extensions of image files only, and the ransomware suggests decrypting these file types for free. To decrypt the rest of encrypted data, the virus demands ransom.

The ransomware is distributed in the same way as ExPetya/Petya and infects systems via a dropper that extracts two files on the system. The FakeCry ransomware launches graphical user interface and the encrypter. At the moment of writing this update, no decryption tools were available for this Wanna cry-lookalike.

WannaCryOnClick ransomware

WannaCryOnClick ransomware virus. In July 2017, another bogus WannaCry copy emerged. This time, it was dubbed as WannaCryOnClick ransomware because of its ability to send email messages to virus' developers as soon as the victim clicks on “Decrypt” or “Check Payment” buttons available in the ransom-demanding program.

The virus is also known as Fake Turkish WannaCry because the ransom note is written in Turkish. The criminals state that the victim has to pay $7000 in Bitcoin to retrieve the data decryption key. However, people who fell victim to this ransomware should not waste their money because criminals most likely won't provide the decryption key even after the ransom is paid.

WannaCryOnClick is a fake WannaCry version which tries to deliver similar ransom notes.

WannaDie ransomware

WannaDie ransomware virus. WannaDie or WanaDie pretends to be a Russian version of WannaCry. The malicious program was discovered in November 2017. The virus corrupts files with .wndie file extension and demands to pay the ransom in order to recover files with Wanna die decrypt0r. However, the virus does not employ a real encryption algorithm, so paying the ransom is not needed.

Fake Portuguese WannaCry

Fake Portuguese WannaCry. In November 2017, cybercriminals presented another imposter that targets computer users in Portugal. Cybercriminals are known for communicating with victims via email address. Even though the malicious program asks to pay 0.0060 Bitcoins for the data recovery, victims should not do that. All files can be unlocked with this code 7HAR2NTX-YC8APT4B-4H7H62JP-A2QLWNHU-ZWYX5J4J-W29P6M9W-KS3LKAP4-BML5WTS2. Once it’s done, malware removal with security software should be completed immediately.

.[].WannaCry files virus

September 2019 brought information about particular victims, targets and renewed WannaCry ransomware attacks. Victims were also affected by a questionable .[].WannaCry ransomware that is linked with this virus and Phobos ransomware, but the particular relationship is not confirmed.

It is possible that this version of WannaCry virus emerged and is really related to recent activities that got renewed. However, this might be a poorly coded copy. Various researchers determined that this is easily decryptable and can be copying a few versions, but the WannaCry ransomware name in the extension can be a legitimate indication. 

This threat delivers a few files with ransom demands; one of them is info.txt, and another version of the payment instructions gets opened as a program window directly on the screen. The amount that virus developers want to get goes up to $1500 in Bitcoins.

Delete WannaCry ransomware to retrieve altered files

If you want to get back access to the compromised files, you must remove WannaCry virus or it will repeat the encryption process. Since the ransomware is highly sophisticated and hides its components all across the computer, only professional removal software can help you eliminate it. For that, we suggest using Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes.

The sooner you will disable this virus, the better, so do not waste any more time. If you have data backups saved in other locations, do not rush to use them. Plug your external drive or use the cloud services only when you get rid of the threat. If the computer is still compromised, your data copies can be encrypted one more time. For best results, we suggest you follow these WannaCry removal guidelines provided by 2-Spyware team.

Keep in mind that the prevention of WannaCry requires patching! Previously, the virus exploited the Windows CVE-2017-0145 vulnerability. However, it is still unknown whether it is using the same hole and affecting unpatched users or has found yet another vulnerability to misuse for its attacks.

To remove WannaCry virus, follow these steps:

Remove WannaCry using Safe Mode with Networking

To delete WannaCry virus with Safe Mode, follow each of provided steps attentively and make sure you boot your PC into the right mode. This way, you will disable the virus and create the right environment for the launch of malware removal software.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove WannaCry

    Log in to your infected account and start the browser. Download Reimage Intego or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete WannaCry removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove WannaCry using System Restore

To eliminate the malicious program with System Restore, we suggest following the steps given below.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of WannaCry. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage Intego, scan your computer with it and make sure that WannaCry removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove WannaCry from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Unless you are willing to waste from $300 to $600 or have a data backup, there is no way to restore files encrypted by this fearsome virus. The malware analysts have been working hard and have already presented legitimate decryption tools. In addition, you can also try the following WannaCry data recovery options:

If your files are encrypted by WannaCry, you can use several methods to restore them:

Install and run Data Recovery Pro

Data Recovery Pro might be the right tool if you want to restore part of encrypted files. Here's how to use it.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by WannaCry ransomware;
  • Restore them.

Search for Volume Shadow Copies

Sometimes even the most sophisticated viruses fail to complete all of their malicious tasks. Therefore, if you are lucky enough, the virus might leave Volume Shadow Copies in the system. To find them and use them for data recovery, install the ShadowExplorer software.

  • Download Shadow Explorer;
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try WannaCry decryption tools available on GitHub

If you didn't reboot your computer after the infiltration of WannaCry, you can try the Wannakey decrypter. If you have already rebooted your machine, make sure you download WanaKiwi, which is compatible with Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from WannaCry and other ransomware, use a reputable anti-spyware, such as Reimage Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. This is how you bypass some of the authentication factors and can remotely use your banking accounts without triggering suspicion with each login.

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to block access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Back up files for later use in case of a malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli - Ransomware analyst
