Severity scale:  

WannaCry ransomware virus. How to remove? (Uninstall guide)

removal by Olivia Morelli - - | Type: Ransomware

WannaCry – the ransomware virus that targets unpatched Windows computers since May 2017

WannaCry ransomware demands ransom

Questions about WannaCry ransomware virus

WannaCry is a ransomware-type cyber threat that uses RSA cryptography and appends .wcry, .wncryt or .wncry file extension to the targeted data. Following the encryption, it drops either @Please_Read_Me@.txt or Please Read Me!.txt file and displays a ransom note in a program window called Wanna Decrypt0r.

Name WannaCry
Alternative names WannaCrypt0r, Wana Decrypt0r
Type Ransomware
Danger level High. Makes system changes, encrypts files
Release date 12 May 2017
Cryptography RSA
Appended file extensions .wcry, .wncryt, .wncry
Ransom note @Please_Read_Me@.txt, Please Read Me!.txt 
Targeted OS Windows
Distribution methods EternalBlye exploit kit
To uninstall WannaCry, install Reimage and run a full system scan

WannaCry ransomware emerged on Friday, 12 May 2017[1]. The dangerous virus, which is alternatively known as WannaCrypt0r, and Wana Decrypt0r, affected more than 230 000 computers in over 150 countries within a few days.[2] However, cyber attacks continue in 2018. In March, ransomware hit the world's largest aerospace company Boeing.

The success of the attack hides in the distribution technique that aimed at outdated and unpatched Windows computers. WannaCry virus took advantage of EternalBlue exploit kit and hit various companies and organizations. However, healthcare sector suffered the most[3].

WannaCry ransomware wallpaper

According to reports, the first big companies affected by this ransomware were Telefonica, Gas Natural and Iberdrola. Some of the victims had data backups, while others had to face tragic consequences. Without exception, all victims are advised to carry out WannaCry removal as soon as possible as it can help to prevent ransomware from spreading further.  

Ransomware acts like a worm[4] because as soon as it gets into the target PC, it starts looking for other computers to infect. It uses a security loophole in Windows OS and rapidly spreads using file sharing tools (such as Dropbox or shared drives) without asking for victim’s permission to do so.

WannaCry ransom note

The purpose of WannaCry is to collect ransoms in Bitcoins. After data encryption, the malware displays a ransom note where victims are urged to pay a ransom ranging from $300 to $600 in Bitcoins. Hackers try to scare people into paying the money by telling that their files will be deleted if they fail to pay within 7 days deadline.

However, security specialists urge to remove WannaCry from the affected systems instead of paying the ransom. There are several decrypters, Wannakey and Wanakiwi, presented by security experts that you can download from the Internet for free. Additionally, if you have backups, you can recover data after cleaning the device with Reimage or another malware removal software. 

The analysis of WannaCry attack 

The main WannaCry ransomware infection vector is an EternalBlue exploit, which is a cyber-spying tool stolen from US National Security Agency (NSA) and published online by a hacker group known as Shadow Brokers. The EternalBlue exploit targets Windows CVE-2017-0145[5] vulnerability in Microsoft’s implementation of SMB (Server Message Block) protocol.

The vulnerability is already patched, suggests Microsoft’s security bulletin MS17-010 (released on 14 May 2017). The exploit code used by perpetrators was meant to infect outdated Windows 7 and Windows Server 2008 systems, and reportedly users of Windows 10 cannot be affected by the virus. The malware typically arrives as a dropper Trojan that contains the exploit kit and the ransomware itself. 

The latest WannaCry variants are distributed via girlfriendbeautiful[.]ga/hotgirljapan.jpg?i=1 in APAC region. After gaining access to the target computer, the virus creates a folder in the C:\ProgramData and entitles it with a set of random chars. The new folder contains tasksche.exe executable file.

The ransomware can also save its components into C:\Windows directory, dropping two files – mssecsvc.exe and tasksche.exe. The virus executes Icacls . /grant Everyone:F /T /C /Q command to get access to all of victim's files. The virus is set to connect to a non-existing domain and if it fails to open, the ransomware infects the system. One of such domains was purchased by a security researcher MalwareTech, therefore viruses that used to connect to that domain failed to infect computer systems.

Main facts about WannaCry ransomware

What is more, cyber criminals attempted to DDoS that domain to continue the activity of the ransomware, however, unsuccessfully. Sadly, attackers understood their mistake and shortly released updated variants of the malware that connect to different domains, so from now on it won't be easy to fight against this malicious program.

The ransomware can affect anyone who lacks knowledge about ransomware distribution, therefore we suggest reading this Wanna Cry ransomware prevention guide that our experts prepared:

  1. Install MS17-010 system security update that Microsoft recently released. It addresses this particular vulnerability that the ransomware addresses. The updates were exceptionally released even for old OS such as Windows XP or Windows 2003.
  2. Keep the rest of computer programs up-to-date.
  3. Install a reputable anti-malware software to defend your computer against illegal attempts to infect your computer with malicious programs.
  4. Never open emails that come from strangers or companies that you have no business with.
  5. Disable SMBv1 using instructions provided by Microsoft. If these instructions seem confusing, try the method provided in the next step.
  6. Apply a quick fix – install WannaSmile tool, which was developed by a developer Hrishikesh Barman. This tool automatically disables SMB, edits host file to add Google's IP to the “kill-switch” (online fix) and creates a lightweight local web server and add localhost to “kill-switch” (offline fix).
  7. Look for more tips in this guide on how to survive WannaCry attack.

WannaCry ransomware

UPDATE. March 2018: Aerospace company Boeing reports about the WannaCry attack

On Wednesday, March 28, Boeing chief engineer Mike VanderWelm reported about detected WannaCrt virus on the computer systems. At first, it was thought that malware might affect Boeing’s production systems and airline software. Fortunately, ransomware hasn’t caused such huge damage, as it was expected.[6]

Later on, the head of Boeing communications ensured that malware affected only a few devices. However, the problem is under control, and no issues were detected on production lines.

UPDATE: November 2017: Fake WannaCry variants target Portugal and Russian 

Russian computer users were hit by WannaCry imposter known as WannaDie (or WanaDie) ransomware in November. The virus appends .wndie file extension and asks to obtain Wanna die decrypt0r – the tool that can help to restore corrupted files. However, technically it does not encrypt files.

The same situation is with a fake Portuguese WannaCry variant.[7] This malicious program also is unable to decrypt files yet. However, it is ready to start swindling 0.0060 Bitcoins from threatened computer users. But affected files can be recovered by using the 7HAR2NTX-YC8APT4B-4H7H62JP-A2QLWNHU-ZWYX5J4J-W29P6M9W-KS3LKAP4-BML5WTS2 unlock key.

WannaCry imposter called WannaDie

Both fake WannaCry variants use a similar design of the ransom note as the original variant. Victims are also asked to pay the ransom within 3 days; otherwise, the size of the ransom will increase, and after 7 days, the decryption key will be destroyed.

However, if these variants would ever start encrypting files, paying the ransom should not be considered. It is most likely to lead to money loss.

UPDATE August 2017: LG self-service kiosks in South Korea hit by WannaCry 

On Wednesday, August 16, LG self-service kiosk[8] users in South Korea reported noticing WannaCry ransom note.[9] The company admitted that the systems were corrupted by crypto-malware. Though the message indeed looks identical, it is too soon to conclude that the variation of the said cyber menace infiltrated the systems. Due to a number of file-encrypting threats claiming to be WannaCry emerging after the assault, it is likely that it might be another impostor.

The original malware succeeded in wreaking global chaos since multiple companies worldwide failed to update their  Windows operating system. Specifically, the malware targetted weak SMB protocols in Windows 7 version. South Korea was also one of the most affected countries. Thus, LG company failed to update their kiosk systems raised a surprise if not suspicions.

MalwareTech arrested soon after slowing down ransomware distribution

Marcus Hutchins, who is better known as MalwareTech, created a significant impact on WannaCry prevention. He discovered a malicious domain and registered it. As a result, the worldwide distribution of the ransomware has been slowed down.

However, on the 2nd of August, it was reported that FBI arrested 23-year old, UK-based malware researcher.[10] The US authorities pressed the charges for creating and selling a banking Trojan Kronos.

According to the official document,[11] Hutchins created the virus in July 2014 and later tried to sell it for $3,300. At the beginning of 2015, he has updated Kronos malware and advertised in dark web forums. Finally, he is suspected of selling the malicious program for about $2,000.

Unsuccessful ransomware business: only $143,000 collected

Undoubtedly, the main purpose of the ransomware viruses is to swindle the money from the computer users. However, authors of the WannaCry did not succeed in this task. It seems that during the three months time, only 338 victims paid demanded the sum of money.[9]

On August 3, it was noticed that collected ransoms were drained from three Bitcoin wallets used by cyber criminals. The virtual currency has been transferred to nine other Bitcoin accounts.[12] However, it’s not clear the money has been sent and what purposes hackers have.

There’s no doubt that these transactions are being monitored. Europol and the U.S. Department o Justice are working on this cyber attack. However, any official statements haven’t been released yet.

Variants of WannaCry ransomware virus

.wcry file extension virus. It is believed to be the first version of the infamous ransomware. It was first spotted at the beginning of February 2017, and at first, this virus did not seem like one that could surpass the most prevalent viruses like Cryptolocker, CryptXXX or Cerber.

The virus uses AES-128 cryptography cipher to lock files securely, adds .wcry file extensions to their filenames and asks to transfer 0.1 Bitcoin to a provided virtual wallet. The malware was initially distributed via email spam; however, this particular virus did not bring a lot of income for its developers. Although files encrypted by this ransomware appeared to be unrecoverable without having the decryption key, developers of it decided to upgrade the malicious program.

.WNCRY file extension virus. The ransomware version that belongs to the described malware category emerged in 2017 and has been entitled due to its ability to append .wncry file extension to every encrypted file. You can use a free decryption tool that will restore files marked with these file extensions for you.

The ransomware is currently under analysis, so victims are advised to remove the ransomware and keep the encrypted data because, in the future, researchers might find a way to restore corrupted files. Just like the rest of the crypto-ransomware family members, virus demands a ransom in Bitcoins that's worth $300-$600.

WCrypt ransomware virus WCrypt virus is an alternative name to the main ransomware. The ransomware has devastated files all over the globe, and new versions keep showing up.

Researchers have noticed that certain variants of this ransomware append .wcryt or .wncrypt extension to files, which gives an idea where the alternative name of the ransomware comes from. If your antivirus detects an infection called WCrypt, eliminate such virus and everything related to it ASAP!

WannaCryptor ransomware virus. WannaCryptor is also an alternative name of the ransomware, which is used by several anti-spyware and antivirus programs. If your security software blocked Trojan.Ransom.WannaCryptor.H, you should know that the infamous ransomware has just attempted to step into your system.

If it succeeded to do so, it would have encrypted all of your files and asked for $300-$600 as a ransom. This name is used according to Wanna Decryptor 1.0, which the malware opens after encrypting all files. Victims reported that this ransomware adds .wcry file extensions to corrupted records.

WanaCrypt0r ransomware virus. It is yet another name for the updated version of the ransomware. The new version chooses Windows vulnerabilities as its primary attack vector and encrypts all files stored on the system in seconds.

Affected files can be recognized from extensions added to the filename right after the original file extension – .wncry, wncryt, or .wcry. There is no way to restore corrupted data without having a backup or the private key created during the data encryption process. The virus typically demands $300, although it raises the ransom price to $600 if the victim fails to pay up within three days.

WanaCrypt0r 2.0 ransomware virus. It is the name of an updated WannaCryptor variant, which launches Wana Decrypt0r 2.0 after encrypting user's files. This malicious program was used to attack computer users worldwide during the cyber attack launched on May 12, 2017.

According to the latest reports, the total of ransoms paid to Bitcoin wallets that belong to cyber criminals reached $60,000 already. The virus appends .WNCRY file extensions to encrypted files drops a ransom note called @Please_Read_Me@.txt. At the moment, malware researchers cannot provide any tools that could restore data that this malicious program corrupts.

Wana Decrypt0r ransomware virus. This is the program that the virus launches after a successful infiltration to the target system. The researchers already noticed Wanna Decryptor 1.0 and Wanna Decryptor 2.0 versions approaching victims.

The malicious software displays a countdown clock showing how much time has left to pay the ransom until the price of it skyrockets, and also identical countdown clock that shows how much time has left until the virus deletes all data from the computer. This particular version shook the virtual community on 12 May 2017, although several days later it was stopped by a security researcher who goes by the name of MalwareTech.

Wana Decrypt0r 2.0 ransomware virus. This program has shocked hundreds of thousands of computer users worldwide because in May 2017 it managed to infect over 230k computers in more than 150 countries. The appearance of this program window indicates that the ransomware has already encrypted all of your files, so closing it won't save your data. This version of ransomware demands between 0.171 to 0.34 BTC to restore victim's files.

The described malware variant was analyzed and researchers discovered how it infects the system. Before attacking the files stored on the target computer, the program connects to a non-existing domain, and if it fails to connect, the encryption procedure starts. One security researcher discovered such ransomware kill switch and registered the domain, making the ransomware useless. However, since then, the virus has been updated.

WannaCry 2.0 ransomware virus. Since all the news sites rushed to post about the kill switch discovered by the malware researcher, authors of the ransomware pushed out a new ransomware version that evades the kill switch[13]. Luckily, the infection rate has slowed down, and although the ransomware is active, it still means something.

It is believed that the second version is not developed by original WannaCry authors, which simply shows that criminals only need to modify the code a little to start attacking users again. According to reports, the malicious virus spreads via fake Excel documents, so if a stranger sends you one via email, do not open it!

DarkoderCrypt0r ransomware virus. DarkoderCrypt0r virus is an imitation of the powerful ransomware that has recently hit the virtual community. It adds .DARKCRY extensions to corrupted files and launches a program that looks almost identically as Wana Decrypt0r 2.0.

Instead of displaying a countdown clock that shows how much time the victim has to pay the ransom until the ransom doubles, the virus displays “3 days.” It asks for the same sum of money as the real virus. This version does not have worm-like features, therefore it doesn't spread the same way as the original virus.

WannaCry imposter DarkoderCrypt0r ransomware

FakeCry ransomware virus. FakeCry virus is also known as WannaCry clone virus. It is one of those viruses that recently attacked Ukraine. According to Kaspersky, some MeDoc users were infected not only with ExPetya but with another ransomware that turned out to be a fake copy of the infamous WannaDecrypt0r 2.0 virus. The difference between the fake and the original is that the clone is developed in .NET, while the real one is written in C language.

The ransomware asks for 0.1 BTC as a ransom. The ransomware, surprisingly, has a list of extensions in DEMO_EXTENSIONS. The list contains extensions of image files only, and the ransomware suggests decrypting these file types for free. To decrypt the rest of encrypted data, the virus demands ransom.

The ransomware is distributed in the same way as ExPetya/Petya and infects systems via a dropper that extracts two files on the system. The FakeCry ransomware launches graphical user interface and the encrypter. At the moment of writing this update, no decryption tools were available for this Wannacry-lookalike.

WannaCryOnClick ransomware virus. In July 2017, another bogus WannaCry copy emerged. This time, it was dubbed as WannaCryOnClick ransomware because of its ability to send email messages to virus' developers as soon as the victim clicks on “Decrypt” or “Check Payment” buttons available in the ransom-demanding program.

The virus is also known as Fake Turkish WannaCry because the ransom note is written in this language. The criminals state that the victim has to pay $7000 in Bitcoin to retrieve data decryption key. However, people who fell victims to this ransomware should not waste their money because criminals most likely won't provide the decryption key even after paying the ransom.

WannaCry imposter WannaCryOnClick ransomware

WannaDie ransomware virus. WannaDie or WanaDie pretends to be a Russian version of WannaCry. The malicious program was discovered in November 2017. The virus corrupts files with .wndie file extension and demands to pay the ransom in order to recover files with Wanna die decrypt0r. However, the virus does not employ a real encryption algorithm, so paying the ransom is not needed.

Fake Portuguese WannaCry. On November 2017, cybercriminals presented another imposter that targets computer users n Portugal. Cyber criminals are known for communicating with victims via email address. Even though the malicious program asks to pay 0.0060 Bitcoins for the data recovery, victims should not do that. All files can be unlocked with this code 7HAR2NTX-YC8APT4B-4H7H62JP-A2QLWNHU-ZWYX5J4J-W29P6M9W-KS3LKAP4-BML5WTS2. Once it’s done, malware removal with security software should be completed immediately.

Delete WannaCry ransomware and recover files

You should only rely on professional ways to remove WannaCry virus and not try to uninstall this malicious program manually. The virus is extremely dangerous and it uses sophisticated measures to spread through the entire computer system and also infect connected computers and smart devices. Therefore, you should obtain reputable malware removal software, such as Reimage or Malwarebytes Anti Malware.

The sooner you will disable this virus, the better, so do not waste any more time. If you have a data backup, do not rush to plug it into the compromised computer, or data copies will be encrypted as well. For best results, we suggest you follow these WannaCry removal guidelines provided by 2-Spyware team.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove WannaCry ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall WannaCry ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual WannaCry virus Removal Guide:

Remove WannaCry using Safe Mode with Networking

To delete WannaCry virus with Safe Mode, follow each of provided steps attentively and make sure you boot your PC into the right mode. This way, you will disable the virus and create the right environment for the launch of malware removal software.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove WannaCry

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete WannaCry removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove WannaCry using System Restore

To eliminate the malicious program with System Restore, we highly suggest using steps that are given below.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of WannaCry. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that WannaCry removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove WannaCry from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Unless you are willing to waste from $300 to $600 or have a data backup, there is no way to restore files encrypted by this fearsome virus. The malware analysts have been working hard and have already presented legitimate decryption tools. In addition, you can also try the following WannaCry data recovery options:

If your files are encrypted by WannaCry, you can use several methods to restore them:

Install and run Data Recovery Pro

Data Recovery Pro might be the right tool if you want to restore part of encrypted files. Here's how to use it.

Search for Volume Shadow Copies

Sometimes even the most sophisticated viruses can fail to complete all of the malicious tasks, therefore if you are lucky enough, the virus might leave Volume Shadow Copies in the system. To find them and use them for data recovery, install ShadowExplorer software.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try WannaCry decryption tools presented from GitHUb

If you didn't reboot your computer after infiltration of WannaCry, you can try Wannakey decrypter. If you have already reboot your machine, make sure you download WanaKiwi which is compatible with Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from WannaCry and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions


Removal guides in other languages