Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Dec 2020

How to remove WannaScream ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Lucia Danes · Virus researcher

WannaScream ransomware – a computer virus that encrypts all victims' personal files and demands a ransom for a decryption tool

WannaScream ransomware

WannaScream ransomware is a cryptovirus that locks all non-system files on an infected victim's computer and tries to extort cryptocurrency as a ransom for a promised decryption toolkit. This virus encrypts all files with an army-based AES-256 coding algorithm.[1]

As soon as the virus gets access to a device, it starts its bidding. All files personal files like pictures, videos, documents, archives, backups, etc., are appended with the WannaScream extension, as well as other components – this renders files inaccessible. For example, a file “document.html” is turned into “document.html.[Filemgr@tutanota.com][1E857D00].WannaScream.”

Just like other versions H@RM@ or NORD, following successful encryption, the WannaScream file virus creates two types of ransom notes – a pop-up window (WannaScream.hta) and many text documents (README.txt) in all folders with renamed personal victim files. Both messages in the ransom notes are identical and demand victims to pay ransom for a decryption too

name WannaScream ransomware, WannaScream file virus
type Malware, Ransomware
Other versions
Appointed file extension A tricky extension is added to the original filenames in this sequence: original filename.[Filemgr@tutanota.com][appointed victim ID].WannaScream
Ransom note A pop-up window, titled WannaScream.hta, and hundreds of text files, named README.txt
Criminal contact details Filemgr@tutanota.com and Cryptor6@tutanota.com
Ransomware Removal All ransomware should be removed immediately with the help of professional anti-malware software
System tune-up Following a successful WannaScream ransomware removal, a system repair is a must. We suggest using the FortectIntego tool to fix any damage the malware might have caused to the system registry and other essential system settings

In the first part of the ransom notes, creators of WannaScream ransomware explain to victims that all their data was locked, and if they want to get it back, they have to establish a contect via the two given emails – Filemgr@tutanota.com and Cryptor6@tutanota.com. Also, an appointed, unique user ID is provided. The ransom amount isn't specified, but the hackers state that it depends on how quickly the victim contacts them. The preferred payment method is Bitcoins.

In the second part, WannaScream ransomware developers try to build a fake trust relationship by offering their victims a free decryption guarantee of any five files from the infected device. The files can't be archived and shouldn't exceed 10Mb. By doing this, the cybercriminals are trying to prove that they really possess the necessary decryption tool and will forward it to the victims after the payment is made.

The third part consists of detailed instructions on how to obtain the necessary cryptocurrency in question. The last part of the WannaScream virus note is composed of warnings. The perpetrators urge the victims not to rename the encrypted files and not try any third-party decryption tools, which might lead to permanent data loss.

WannaScream ransomware virus

All malware, no matter if it's pesky adware or perilous trojans, must be eliminated from all devices ASAP. Remove WannaScream ransomware automatically with the help of reliable anti-malware software. We recommend trying apps like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to eliminate the cryptovirus automatically.

Ransomware is able to mess up the system registry and other core system settings, so after WannaScream ransomware removal, it is highly recommended to perform a full scan with a system repair tool like the FortectIntego to find and fix any system irregularities that the virus might have caused.

Message from the makers of WannaScream ransomware to their victims in the README.txt files looks like this:

[+] All Your Files Have Been Encrypted [+]

 [-] Do You Really Want To Restore Your Files?
 [+] Write Us To The E-Mail : Filemgr@tutanota.com
 [+] If you did not get any response until 24 hours later,Write to this E-Mail : Cryptor6@tutanota.com
 [-] Write Your Unique-ID In The Title Of Your Message.
 [+] Unique-ID : 1E857D00
 [-] You Have To Pay For Decryption In Bitcoins.
 [-] The Price Depends On How Fast You Write To Us.
 [-] After Payment We Will Send You The Decryption Tool
 That Will Decrypt All Your Files.
 ________

          [+] Free Decryption As Guarantee [+]

 [-] Before Paying You Can Send Us Up To 5 Files For
 Free Decryption, The Total Size Of Files Must Bee Less
 Than 10MB, (Non Archived) And Files Should Not Contain
 Valuable Information (Databases, Backups, Large Excel
 -Sheets, Etc).
 ________

             [+] How To Obtain Bitcoins [+]

 [-] The Easiest Way To Buy Bitcoins Is LocalBitcoins
 Site : https://localbitcoins.com/buy_bitcoins
 You Have To Register, Click 'Buy Bitcoins', And Select
 The Seller By Payment Method And Price.
 [-] Also You Can Find Other Places To Buy Bitcoins And
 Beginners Guide Here:
 http://coindesk.com/information/how-can-i-buy-bitcoins
 ________

                  [+] Attention! [+]

 [-] Do Not Rename Encrypted Files.
 [-] Do Not Try To Decrypt Your Data Using Third Party
 -Software, It May Cause Permanent Data Loss.
 [-] Decryption Of Your Files With The Help Of Third
 Parties May Cause Increased Price (They Add Their Fee
 To Our) Or You Can Become A Victim Of A Scam.
 
________DARKCRYPT_Ransomware________

Avoiding most common distribution techniques of ransomware

Numerous malware types [2] are spread out through the internet and are lurking for unaware everyday computer users to click on them. Some could be hidden in deceptive ads, others in freeware bundles. But the most common ways the ransomware is distributed is through file-sharing platforms and spam emails.

File-sharing platforms such as torrent sites like The Pirate Bay are rattled with all kinds of malware, including ransomware. Cybercriminals are trying to outsmart computer users by naming their creations as something that would lure them in. For example, a new unlocked licensed software, or a crack for some latest game. When such disguised malware is downloaded, the infection of the device is started immediately. So refrain from using such platforms.

Spam email is another popular method used by the hacker to spread their “products”. Although most email providers have spam folders, some of these emails are so intricate that they surpass the provider's security and end up in regular inboxes. These emails might look like valid letters from banks, shipping companies, medical institutions, etc. However, threats lie in wait within them.

These emails contain either hyperlinks to malicious sites, where a virus payload file is downloaded automatically after visiting them or infected attachments, that when opened or downloaded, initiate an infection process instantly. Please look through the message thoroughly. Maybe there are some grammatical mistakes or other spottable irregularities. Avoid opening any hyperlinks and always scan email attachments with anti-malware software before downloading them.

WannaScream virus

Guidelines on how to remove WannaScream ransomware from encrypted devices

There are no guarantees that after paying the ransom, the decryption tool will be provided. Instead of dealing with cybercriminals, victims should remove WannaScream virus immediately and search for other data recovery methods. Few possible data retrieval techniques (including a free decryption tool for the older version of the cryptovirus) are displayed at the bottom of this article.

Malware can be eliminated manually, but it isn't easy at all, so we suggest entrusting professional anti-malware software with WannaScream ransomware removal. To do it automatically, we suggest using any of these two time-tested apps – SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.

When your device is virus-free, you're still not out of the woods. Ransomware usually alters various system settings such as registry to help it thrive within the infected machine. So experts[3] recommend using a system tune-up tool like the FortectIntego to find and fix any system irregularities that might cause abnormal device behavior, such as severe lag, crashing, etc.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.