WannaRen ransomware (Virus Removal Instructions) - Decryption Methods Included

WannaRen virus Removal Guide

What is WannaRen ransomware?

WannaRen is the cryptovirus that resembles WannaCry virus and encrypts almost all files found on the targeted Windows system

WannaRen ransomwareWannaRen ransomware is the threat that demands people to pay for the alleged decryption tool at least 0.05 Bitcoin. WannaRen is the ransomware from hackers that is using .WannaRen file extension to mark encrypted files and then demands at least 0.05 Bitcoin for the alleged decryption tool. There are two versions of this threat: one is sending the ransom note through a text file, and the other one is using pictures. Both of the versions are based on traditional Chinese language, Bitcoin addresses are the same, and there are no additional differences, so researchers state that the virus is developed and distributed by the same actors. Some researchers report that WannaRen ransomware is only encrypting files on Windows 10 an the other ones that malware doesn't encrypt files at all. However, malware researchers often check samples on Virtual Machines, so ransomware may not act the same as on the Windows operating system. This is a serious infection that can damage the machine significantly and affect various parts of the system to ensure the persistence of the ransomware.

Name WannaRen ransomware
Target The threat is displaying ransom message in traditional Chinese language, so the target is mots likely Chinese-speaking Windows users
File marker .WannaRen is the extension that appears at the end of every encrypted file after the process of locking
Ransom note The pop-up window named WannaRen appears on the screen with a ransom message and additional pictures, the form where you can buy Bitcoins and transfer them to an included wallet address
Two versions There are two reported variants that only have one difference – the ransom note comes with text only or with additional pictures on the screen. Wallet address, extension, and other details are all the same
Ransom amount 0.05 Bitcoin
Distribution Victims report that infection appeared after installing Windows patch or other pirated cracks,[1] software. It may be the primary method of distribution, but ransomware also relies on the spam email method involving malicious files
Elimination WannaRen ransomware removal requires attention from you and professional anti-malware tools that can detect[2] this malware and remove all the programs associated with the infection
Repair You need to fully repair Windows system files and affected folders, settings. Get FortectIntego to do so and repair virus damage before you even consider data recovery options, so you can avoid losing those files

There are many victims who ask for help and answers in online forums, so it is known that WannaRen ransomware virus has already affected devices and damaged computers. Some of the reports from victims also state that infection appeared after the installations of the Microsoft Eternal Blue patch. It may indicate that the main distribution technique is pirated software packages, malicious patch files, and other data that include malicious scripts.

WannaRen acts like WannaCry, but there are no other similarities or proven relations between two campaigns or malware creators. It may be the case because WannaCry was one of the most dangerous and active ransomware threats that managed to infect at least 150 countries in 2017 alone. It caused losses that, in total, go up to $8 billion. It is common to copy other threat actors, especially when it comes to cryptocurrency extortion-based malware.

This virus appears to be in development, and attacks are in early stages, so there might be some additional updates to the coding methods and other functionalities that make the malware more dangerous. This is also the reason why information about the WannaRen virus is limited and not detailed. However, we try to provide you will all the information, so you can know how to fight the infection.

It seems that Windows 7 users are not getting file encryption when WannaRen ransomware manages to get on the machine, but Windows 10 users complain about serious damage to the system, including the file encryption. This file-locking process is achieved by using army-grade encryption algorithms and changing the original coding of the file. In most cases, these threats target files like images, documents, video or audio files, and archives, databases.

You need to remove WannaRen ransomware as soon as possible because even though it mainly relies on common file types there is a huge possibility that other processes that get triggered in the background manage to affect system preferences and folders, functions of the OS.

Once ransomware gets on the computer, these are changes that can get made by the virus itself to ensure the persistence of the infection:

  • disabled AV tools and security functions;
  • added programs and files;
  • deleted applications;
  • altered registry keys;
  • speed and performance issues.

When you decide how to perform the WannaRen ransomware removal, it is crucial when you choose the anti-malware tool because there are separate databases for malware and not all AV detection engines use the same ones, so detection results may differ. Choose the official tool and make sure to use the full system scan option to check all places of the computer.

The anti-malware program offers what to do next when the malware is detected. Double-check after the termination to be sure that the system is virus-free. Then you can run FortectIntego and repair virus damage and recover files that WannaRen ransomware encrypted. The best method is data backups from cloud or external devices. If you do not have backups, try third-party tools. We have listed a few options below.

WannaRen ransomware virusWannaRen ransomware is the cryptovirus that marks encrypted files with .WannaRen before asking for the payment.

Malicious files – in use for ransomware distribution

When malicious actors try to spread their products around as quickly and as wide as it is possible because ransomware creators care about profits and money that they can get from victims directly. Spam campaigns, when file attachments contain malware scripts, are one of the more used methods for such instances.

However, malicious files become more included in pirated software packages and gets installed when users download cracks, cheats, fake software, and license keys. There is no indication about the malicious file if you don't check the install setup for the wanted program or game cheat. This is why the method works.

Victims reported that patches, software, and other pirated content were installed before the ransomware attack. It may be an indication of a particular relation, but you should pay attention to various details if you want to avoid anything like this. Delete any suspicious emails and do not download questionable files from notifications you were not expected to receive. Experts[3] always note that spam emails can include a handful of viruses, so make sure to check the file and sender before doing anything.

Clean traces of WannaRen malware from your Windows system

WannaRen ransomware virus might still be in development and get updates or changes in the coding or added other features, so there still can be some missing pieces or even vulnerabilities that allow this threat to get removed by using anti-malware tools. In some cases, such threats can disable AV tools and security programs.

Some users report that it is difficult to remove WannaRen due to the fact that their AV tools are disabled to cannot find the malware file. So reboot the machine in Safe Mode and then run the SpyHunter 5Combo Cleaner or Malwarebytes program to find and eliminate all traces of this ransomware. You can find some tips on this method below the article.

As for the WannaRen ransomware removal, you can then run steps suggested by the program you use and follow with a thorough system cleaning. Anti-malware tools should find all related programs, but these AV detection engines cannot recover encrypted files or fully clear virus damage. FortectIntego can at least check for affected files and repair any corrupted parts for you. Then you can go through data recovery options.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of WannaRen virus. Follow these steps

Manual removal using Safe Mode

Reboot your device in Safe Mode with Networking before running the AV tool on the machine. This way you remove WannaRen ransomware

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove WannaRen using System Restore

System Restore feature gives the opportunity to recover a machine to a previous state when the virus was not active

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of WannaRen. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that WannaRen removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove WannaRen from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by WannaRen, you can use several methods to restore them:

Data Recovery Pro can gather all the encrypted files ad restore them for you

When WannaRen ransomware encrypts data, or you accidentally delete files, Data Recovery Pro can help with restoring them

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by WannaRen ransomware;
  • Restore them.

Windows Previous Versions feature recovers individual data

System Restore should be enabled beforehand for Windows Previous Versions to work properly

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is the method for data recovery after WannaRen ransomware infection

When Shadow Volume Copies are untouched, this feature can be used for data restoring

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

WannaRen ransomware doesn't have a decryption tool

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from WannaRen and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions