Severity scale:  
  (100/100)

WannaCry ransomware virus. How to remove? (Uninstall guide)

removal by Olivia Morelli - - | Type: Ransomware

WannaCry is a file-encrypting virus which is active since 2017

WannaCry ransomware demands ransom
WannaCry ransomware virus is a dangerous cyber threat which aims to encode data on the system.

Questions about WannaCry ransomware virus

WannaCry is a dangerous infection which is designed to encrypt data on the victimized computer using RSA algorithms. Usually, it can be easily recognized by .wncry, .wncryt, or .wcry extensions at the end of the corrupted file-names. Victims of Wanna Cry receive Please Read Me!.txt or @Please_Read_Me@.txt files which serve as ransom notes and opens Wanna Decrypt0r window to display key information.

Summary
Name WannaCry
Alternative names WannaCrypt0r, Wana Decrypt0r
Type Ransomware
Versions .wcry file extension virus; .wncry file extension virus
Danger level High. Makes system changes, encrypts files
Release date 12 May 2017
Cryptography RSA
Appended file extensions .wcry, .wncryt, .wncry
Ransom note @Please_Read_Me@.txt, Please Read Me!.txt 
Targeted OS Windows
Distribution methods EternalBlye exploit kit
To uninstall WannaCry, install Reimage and run a full system scan

WannaCry ransomware emerged on Friday, 12 May 2017[1]. The dangerous virus, which is alternatively known as WannaCrypt0r, and Wana Decrypt0r, affected more than 230 000 computers in over 150 countries within a few days.[2] However, cyber attacks continue in 2018. In March, ransomware hit the world's largest aerospace company Boeing.

The success of the attack hides in the distribution technique that aimed at outdated and unpatched Windows computers. Wanna Cry virus took advantage of EternalBlue exploit kit and hit various companies and organizations. However, healthcare sector suffered the most[3].

WannaCry ransomware wallpaper
After WannaCry infection, the settings on victimized computer are changed. Thus, users see the above shown wallpaper.

According to reports, the first big companies affected by this ransomware were Telefonica, Gas Natural and Iberdrola. Some of the victims had data backups, while others had to face tragic consequences. Without exception, all victims are advised to carry out WannaCry removal as soon as possible as it can help to prevent ransomware from spreading further.  

Ransomware acts like a worm[4] because as soon as it gets into the target PC, it starts looking for other computers to infect. It uses a security loophole in Windows OS and rapidly spreads using file sharing tools (such as Dropbox or shared drives) without asking for victim’s permission to do so.

WannaCry ransom note
Showing the ransom note of the original WannaCry virus.

The purpose of WannaCry is to collect ransoms in Bitcoins. After data encryption, the malware displays a ransom note where victims are urged to pay a ransom ranging from $300 to $600 in Bitcoins. Hackers try to scare people into paying the money by telling that their files will be deleted if they fail to pay within 7 days deadline.

However, security specialists urge to remove WannaCry from the affected systems instead of paying the ransom. There are several decrypters, Wannakey and Wanakiwi, presented by security experts that you can download from the Internet for free. Additionally, if you have backups, you can recover data after cleaning the device with Reimage or another malware removal software. 

Details of WannaCry attack vectors

Even though there are multiple ways how WannaCry virus can enter your system, the most widely used one is targeting Windows CVE-2017-0145[5] vulnerability in Server Message Block (SMB) protocol. An infamous Shadow Brokers hacker group has stolen EternalBlue exploit kit which was designed by US National Security Agency (NSA) and published it online. 

The vulnerability is already patched, suggests Microsoft’s security bulletin MS17-010 (released on 14 May 2017). The exploit code used by perpetrators was meant to infect outdated Windows 7 and Windows Server 2008 systems, and reportedly users of Windows 10 cannot be affected by the virus. The malware typically arrives as a dropper Trojan that contains the exploit kit and the ransomware itself. 

However, experts still recommend users to be extremely cautious. In fact, people are advised to take precautionary measures as downloading and running CrowdStrike Falcon — antivirus which offers endpoint protection and incorporates behavioural analysis to detect indicators of attack (IOAs).

Furthermore, the latest WannaCry variants are distributed via girlfriendbeautiful[.]ga/hotgirljapan.jpg?i=1 in APAC region. After gaining access to the target computer, the virus creates a folder in the C:\ProgramData and entitles it with a set of random chars. The new folder contains tasksche.exe executable file.

The ransomware can also save its components into C:\Windows directory, dropping two files – mssecsvc.exe and tasksche.exe. The virus executes Icacls . /grant Everyone:F /T /C /Q command to get access to all of victim's files. The virus is set to connect to a non-existing domain and if it fails to open, the ransomware infects the system. One of such domains was purchased by a security researcher MalwareTech, therefore viruses that used to connect to that domain failed to infect computer systems.

Main facts about WannaCry ransomware
Introducing key facts about WannaCry ransomware virus.

What is more, cyber criminals attempted to DDoS that domain to continue the activity of the ransomware, however, unsuccessfully. Sadly, attackers understood their mistake and shortly released updated variants of the malware that connect to different domains, so from now on it won't be easy to fight against this malicious program.

The ransomware can affect anyone who lacks knowledge about ransomware distribution, therefore we suggest reading this Wanna Cry ransomware prevention guide that our experts prepared:

  1. Install MS17-010 system security update that Microsoft recently released. It addresses this particular vulnerability that the ransomware addresses. The updates were exceptionally released even for old OS such as Windows XP or Windows 2003.
  2. Keep the rest of computer programs up-to-date.
  3. Install a reputable anti-malware software to defend your computer against illegal attempts to infect your computer with malicious programs.
  4. Never open emails that come from strangers or companies that you have no business with.
  5. Disable SMBv1 using instructions provided by Microsoft. If these instructions seem confusing, try the method provided in the next step.
  6. Apply a quick fix – install WannaSmile tool, which was developed by a developer Hrishikesh Barman. This tool automatically disables SMB, edits host file to add Google's IP to the “kill-switch” (online fix) and creates a lightweight local web server and add localhost to “kill-switch” (offline fix).
  7. Look for more tips in this guide on how to survive WannaCry attack.

WannaCry ransomware

March 2018 Update: WannaCry ransomware has infected the servers of an aircraft manufacturing company called Boeing

On March 28, experts had reported about the recent WannaCry ransomware attack. Apparently, Mike Vanderwelm, chief engineer at Boeing detected a cyber threat on the company's servers. Cybersecurity researchers though that the ransomware will deteriorate firm's production and even software.

Luckily, it hasn't caused that much damage as everyone has expected[6]. Later on, the head of Boeing communications ensured that malware affected only a few devices. However, the problem is under control, and no issues were detected on production lines.

November 2017 Update: WannaCry imposters aim to infect computers in Russia and Portugal

In November, Russian-speaking users reported being hit by a fake Wanna Cry versions which is called WannaDie. Some people also recognized it by WanaDie name and .wndie extension at the end of the compromised filenames. Even though it does demand to pay the ransom in order to receive Wanna Die Decrypt0r, experts report that it does not encode information on the infected computers.

The same situation is with a fake Portuguese WannaCry variant.[7] This malicious program also is unable to decrypt files yet. However, it is ready to start swindling 0.0060 Bitcoins from threatened computer users. But affected files can be recovered by using the 7HAR2NTX-YC8APT4B-4H7H62JP-A2QLWNHU-ZWYX5J4J-W29P6M9W-KS3LKAP4-BML5WTS2 unlock key.

WannaCry imposter called WannaDie
WannaDie is another fake WannaCry variant which tries to impersonate the original cyber threat.

Both fake WannaCry variants use a similar design of the ransom note as the original variant. Victims are also asked to pay the ransom within 3 days; otherwise, the size of the ransom will increase, and after 7 days, the decryption key will be destroyed.

However, if these variants would ever start encrypting files, paying the ransom should not be considered. It is most likely to lead to money loss.

August 2017 Update: South Korean self-service kiosks are under WannaCry attack

WannaCry ransomware has appeared on LG self-service kiosks[8] in South Korea on Wednesday. Users reported that they have received the ransom note[9] on the computers. However, despite the fact that the message looks extremely similar to the original one, further analysis is required to assure that this is WannaCry ransomware.

The original malware succeeded in wreaking global chaos since multiple companies worldwide failed to update their  Windows operating system. Specifically, the malware targetted weak SMB protocols in Windows 7 version. South Korea was also one of the most affected countries. Thus, LG company failed to update their kiosk systems raised a surprise if not suspicions.

FBI arrested MalwareTech guy for developing and selling malware

MalwareTech is the online name of Marcus Hutchins, who has managed to temporarily stop WannaCry ransomware distribution. Once the researcher has detected the bogus domain and registered it, the global file-encrypting virus spread has significantly slowed down for some time.

However, on the 2nd of August, it was reported that FBI arrested 24-year old, UK-based malware researcher.[10] The US authorities pressed the charges for creating and selling a banking Trojan Kronos.

According to the official document,[11] Hutchins created the virus in July 2014 and later tried to sell it for $3,300. At the beginning of 2015, he has updated Kronos malware and advertised in dark web forums. Finally, he is suspected of selling the malicious program for about $2,000.

Hackers behind the ransomware generated $143 000 from the attacks

Event though WannaCry ransomware is one of the most dangerous ones, only 338 victims have been convinced to pay the ransom for the decryption software[9]. It seems that the developers of the malicious program should improve their social engineering tactics to make more profit.

On August 3, it was noticed that collected ransoms were drained from three Bitcoin wallets used by cyber criminals. The virtual currency has been transferred to nine other Bitcoin accounts.[12] However, it’s not clear the money has been sent and what purposes hackers have.

There’s no doubt that these transactions are being monitored. Europol and the U.S. Department o Justice are working on this cyber attack. However, any official statements haven’t been released yet.

The list of WannaCry ransomware virus versions

.wcry file extension virusExperts categorize this version of WannaCry virus to be the first. Once it appeared in the cyberspace on February 2017, no one believed that it would become as dangerous as CryptXXX, Cerber, or CryptoLocker viruses.

The virus uses AES-128 cryptography cipher to lock files securely, adds .wcry file extensions to their filenames and asks to transfer 0.1 Bitcoin to a provided virtual wallet. The malware was initially distributed via email spam; however, this particular virus did not bring a lot of income for its developers. Although files encrypted by this ransomware appeared to be unrecoverable without having the decryption key, developers of it decided to upgrade the malicious program.

.WNCRY file extension virus. The ransomware version that belongs to the described malware category emerged in 2017 and has been entitled due to its ability to append .wncry file extension to every encrypted file. You can use a free decryption tool that will restore files marked with these file extensions for you.

The ransomware is currently under analysis, so victims are advised to remove the ransomware and keep the encrypted data because, in the future, researchers might find a way to restore corrupted files. Just like the rest of the crypto-ransomware family members, virus demands a ransom in Bitcoins that's worth $300-$600.

WCrypt ransomware virus WCrypt virus is an alternative name to the main ransomware. The ransomware has devastated files all over the globe, and new versions keep showing up.

Researchers have noticed that certain variants of this ransomware append .wcryt or .wncrypt extension to files, which gives an idea where the alternative name of the ransomware comes from. If your antivirus detects an infection called WCrypt, eliminate such virus and everything related to it ASAP!

WannaCryptor ransomware virus. WannaCryptor is also an alternative name of the ransomware, which is used by several anti-spyware and antivirus programs. If your security software blocked Trojan.Ransom.WannaCryptor.H, you should know that the infamous ransomware has just attempted to step into your system.

If it succeeded to do so, it would have encrypted all of your files and asked for $300-$600 as a ransom. This name is used according to Wanna Decryptor 1.0, which the malware opens after encrypting all files. Victims reported that this ransomware adds .wcry file extensions to corrupted records.

WanaCrypt0r ransomware virus. It is yet another name for the updated version of the ransomware. The new version chooses Windows vulnerabilities as its primary attack vector and encrypts all files stored on the system in seconds.

Affected files can be recognized from extensions added to the filename right after the original file extension – .wncry, wncryt, or .wcry. There is no way to restore corrupted data without having a backup or the private key created during the data encryption process. The virus typically demands $300, although it raises the ransom price to $600 if the victim fails to pay up within three days.

WanaCrypt0r 2.0 ransomware virus. It is the name of an updated WannaCryptor variant, which launches Wana Decrypt0r 2.0 after encrypting user's files. This malicious program was used to attack computer users worldwide during the cyber attack launched on May 12, 2017.

According to the latest reports, the total of ransoms paid to Bitcoin wallets that belong to cyber criminals reached $60,000 already. The virus appends .WNCRY file extensions to encrypted files drops a ransom note called @Please_Read_Me@.txt. At the moment, malware researchers cannot provide any tools that could restore data that this malicious program corrupts.

Wana Decrypt0r ransomware virus. This is the program that the virus launches after a successful infiltration to the target system. The researchers already noticed Wanna Decryptor 1.0 and Wanna Decryptor 2.0 versions approaching victims.

The malicious software displays a countdown clock showing how much time has left to pay the ransom until the price of it skyrockets, and also identical countdown clock that shows how much time has left until the virus deletes all data from the computer. This particular version shook the virtual community on 12 May 2017, although several days later it was stopped by a security researcher who goes by the name of MalwareTech.

Wana Decrypt0r 2.0 ransomware virus. This program has shocked hundreds of thousands of computer users worldwide because in May 2017 it managed to infect over 230k computers in more than 150 countries. The appearance of this program window indicates that the ransomware has already encrypted all of your files, so closing it won't save your data. This version of ransomware demands between 0.171 to 0.34 BTC to restore victim's files.

The described malware variant was analyzed and researchers discovered how it infects the system. Before attacking the files stored on the target computer, the program connects to a non-existing domain, and if it fails to connect, the encryption procedure starts. One security researcher discovered such ransomware kill switch and registered the domain, making the ransomware useless. However, since then, the virus has been updated.

WannaCry 2.0 ransomware virus. Since all the news sites rushed to post about the kill switch discovered by the malware researcher, authors of the ransomware pushed out a new ransomware version that evades the kill switch[13]. Luckily, the infection rate has slowed down, and although the ransomware is active, it still means something.

It is believed that the second version is not developed by original WannaCry authors, which simply shows that criminals only need to modify the code a little to start attacking users again. According to reports, the malicious virus spreads via fake Excel documents, so if a stranger sends you one via email, do not open it!

DarkoderCrypt0r ransomware virus. DarkoderCrypt0r virus is an imitation of the powerful ransomware that has recently hit the virtual community. It adds .DARKCRY extensions to corrupted files and launches a program that looks almost identically as Wana Decrypt0r 2.0.

Instead of displaying a countdown clock that shows how much time the victim has to pay the ransom until the ransom doubles, the virus displays “3 days.” It asks for the same sum of money as the real virus. This version does not have worm-like features, therefore it doesn't spread the same way as the original virus.

WannaCry imposter DarkoderCrypt0r ransomware
DarkoderCrypt0r is an imposter of WannaCry which has similar ransom note.

FakeCry ransomware virus. FakeCry virus is also known as WannaCry clone virus. It is one of those viruses that recently attacked Ukraine. According to Kaspersky, some MeDoc users were infected not only with ExPetya but with another ransomware that turned out to be a fake copy of the infamous WannaDecrypt0r 2.0 virus. The difference between the fake and the original is that the clone is developed in .NET, while the real one is written in C language.

The ransomware asks for 0.1 BTC as a ransom. The ransomware, surprisingly, has a list of extensions in DEMO_EXTENSIONS. The list contains extensions of image files only, and the ransomware suggests decrypting these file types for free. To decrypt the rest of encrypted data, the virus demands ransom.

The ransomware is distributed in the same way as ExPetya/Petya and infects systems via a dropper that extracts two files on the system. The FakeCry ransomware launches graphical user interface and the encrypter. At the moment of writing this update, no decryption tools were available for this Wannacry-lookalike.

WannaCryOnClick ransomware virus. In July 2017, another bogus WannaCry copy emerged. This time, it was dubbed as WannaCryOnClick ransomware because of its ability to send email messages to virus' developers as soon as the victim clicks on “Decrypt” or “Check Payment” buttons available in the ransom-demanding program.

The virus is also known as Fake Turkish WannaCry because the ransom note is written in this language. The criminals state that the victim has to pay $7000 in Bitcoin to retrieve data decryption key. However, people who fell victims to this ransomware should not waste their money because criminals most likely won't provide the decryption key even after paying the ransom.

WannaCry imposter WannaCryOnClick ransomware
WannaCryOnClick is a fake WannaCry version which tries to deliver similar ransom notes.

WannaDie ransomware virus. WannaDie or WanaDie pretends to be a Russian version of WannaCry. The malicious program was discovered in November 2017. The virus corrupts files with .wndie file extension and demands to pay the ransom in order to recover files with Wanna die decrypt0r. However, the virus does not employ a real encryption algorithm, so paying the ransom is not needed.

Fake Portuguese WannaCry. On November 2017, cybercriminals presented another imposter that targets computer users n Portugal. Cyber criminals are known for communicating with victims via nkittybuggy8648@gmail.com email address. Even though the malicious program asks to pay 0.0060 Bitcoins for the data recovery, victims should not do that. All files can be unlocked with this code 7HAR2NTX-YC8APT4B-4H7H62JP-A2QLWNHU-ZWYX5J4J-W29P6M9W-KS3LKAP4-BML5WTS2. Once it’s done, malware removal with security software should be completed immediately.

Uninstalling WannaCry ransomware is the only way to retrieve damaged files

If you want to get back the access to the compromised files, you must remove WannaCry virus or it will repeat the encryption process. Since the ransomware is highly sophisticated and hides its components all across the computer, only professional removal software can help you eliminate it. For that, we suggest using Reimage, Malwarebytes, or Plumbytes Anti-MalwareNorton Internet Security.

The sooner you will disable this virus, the better, so do not waste any more time. If you have a data backup, do not rush to plug it into the compromised computer, or data copies will be encrypted as well. For best results, we suggest you follow these WannaCry removal guidelines provided by 2-Spyware team.

Offer
We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.

If you decided to select another anti-spyware, uninstall Reimage from your computer.
Press mentions on Reimage
Alternate Software
Malwarebytes
Alternate Software
Malwarebytes

To remove WannaCry virus, follow these steps:

Remove WannaCry using Safe Mode with Networking

To delete WannaCry virus with Safe Mode, follow each of provided steps attentively and make sure you boot your PC into the right mode. This way, you will disable the virus and create the right environment for the launch of malware removal software.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove WannaCry

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete WannaCry removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove WannaCry using System Restore

To eliminate the malicious program with System Restore, we highly suggest using steps that are given below.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of WannaCry. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that WannaCry removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove WannaCry from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Unless you are willing to waste from $300 to $600 or have a data backup, there is no way to restore files encrypted by this fearsome virus. The malware analysts have been working hard and have already presented legitimate decryption tools. In addition, you can also try the following WannaCry data recovery options:

If your files are encrypted by WannaCry, you can use several methods to restore them:

Install and run Data Recovery Pro

Data Recovery Pro might be the right tool if you want to restore part of encrypted files. Here's how to use it.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by WannaCry ransomware;
  • Restore them.

Search for Volume Shadow Copies

Sometimes even the most sophisticated viruses can fail to complete all of the malicious tasks, therefore if you are lucky enough, the virus might leave Volume Shadow Copies in the system. To find them and use them for data recovery, install ShadowExplorer software.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try WannaCry decryption tools presented from GitHUb

If you didn't reboot your computer after infiltration of WannaCry, you can try Wannakey decrypter. If you have already reboot your machine, make sure you download WanaKiwi which is compatible with Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008.

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References

Removal guides in other languages