WanaCrypt0r, also known as WCry or WannaCry, is a new and highly dangerous ransomware worm that in the last 24 hours has infected more than 85 thousand computers around the world. The worm spreads using the SMB exploits leaked by the Shadow Brokers last month, which is why the number of infected hosts has grown so fast. Many security experts also note that the worm drops the NSA's DoublePulsar implant, often called a "malware loader" because it is used to download and install other malware without detection. DoublePulsar, which was also part of the Shadow Brokers leak, is a Windows kernel-mode (ring-0) backdoor rather than an exploit; in April it was found on over 36 thousand computers.


At this moment WanaCrypt0r has a huge number of victims. Among them are Spanish companies such as Telefónica, Iberdrola and Gas Natural. Another example is the UK, where WCry infected many clinics and hospitals; the UK's National Health Service issued an alert on the attacks earlier today.

"Shocking that our @NHS is under attack and being held to ransom."

A ransomware spreading in the lab at the university

Niederrad train station in Frankfurt

WannaCry ransomware also hits German Train Station

WannaCry encrypts the user's files and appends the ".WNCRY" extension to each of them. Right after encryption completes, the user sees the pop-up window shown above, and the desktop wallpaper is replaced as shown below. Like many similar ransomware families, WCry asks for a payment in Bitcoin (0.1 BTC at the time of writing) in exchange for the key needed to decrypt the data. The criminals give no guarantee that a key is delivered after payment, so we strongly recommend not spending any money on this worm; paying only funds the developers so they can produce more malware of this kind. At the time this post was written there were no tools capable of restoring files encrypted by WCry. The only reliable fix is restoring the files or the whole system from a backup.

Desktop after encryption

Registry entries created by Wana Decrypt0r 2.0 (WannaCry):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(random)	"\tasksche.exe"
HKCU\Software\WanaCrypt0r\
HKCU\Software\WanaCrypt0r\wd	
HKCU\Control Panel\Desktop\Wallpaper	"Desktop\@WanaDecryptor@.bmp"

Files installed by Wana Decrypt0r 2.0 (WannaCry):

%Desktop%\00000000.eky
%Desktop%\00000000.pky
%Desktop%\00000000.res
%Desktop%\@WanaDecryptor@.exe
%Desktop%\@WanaDecryptor@.exe.lnk
%Desktop%\b.wnry
%Desktop%\c.wnry
%Desktop%\f.wnry
%Desktop%\msg\
%Desktop%\msg\m_bulgarian.wnry
%Desktop%\msg\m_chinese (simplified).wnry
%Desktop%\msg\m_chinese (traditional).wnry
%Desktop%\msg\m_croatian.wnry
%Desktop%\msg\m_czech.wnry
%Desktop%\msg\m_danish.wnry
%Desktop%\msg\m_dutch.wnry
%Desktop%\msg\m_english.wnry
%Desktop%\msg\m_filipino.wnry
%Desktop%\msg\m_finnish.wnry
%Desktop%\msg\m_french.wnry
%Desktop%\msg\m_german.wnry
%Desktop%\msg\m_greek.wnry
%Desktop%\msg\m_indonesian.wnry
%Desktop%\msg\m_italian.wnry
%Desktop%\msg\m_japanese.wnry
%Desktop%\msg\m_korean.wnry
%Desktop%\msg\m_latvian.wnry
%Desktop%\msg\m_norwegian.wnry
%Desktop%\msg\m_polish.wnry
%Desktop%\msg\m_portuguese.wnry
%Desktop%\msg\m_romanian.wnry
%Desktop%\msg\m_russian.wnry
%Desktop%\msg\m_slovak.wnry
%Desktop%\msg\m_spanish.wnry
%Desktop%\msg\m_swedish.wnry
%Desktop%\msg\m_turkish.wnry
%Desktop%\msg\m_vietnamese.wnry
%Desktop%\r.wnry
%Desktop%\s.wnry
%Desktop%\t.wnry
%Desktop%\TaskData\
%Desktop%\TaskData\Data\
%Desktop%\TaskData\Data\Tor\
%Desktop%\TaskData\Tor\
%Desktop%\TaskData\Tor\libeay32.dll
%Desktop%\TaskData\Tor\libevent-2-0-5.dll
%Desktop%\TaskData\Tor\libevent_core-2-0-5.dll
%Desktop%\TaskData\Tor\libevent_extra-2-0-5.dll
%Desktop%\TaskData\Tor\libgcc_s_sjlj-1.dll
%Desktop%\TaskData\Tor\libssp-0.dll
%Desktop%\TaskData\Tor\ssleay32.dll
%Desktop%\TaskData\Tor\taskhsvc.exe
%Desktop%\TaskData\Tor\tor.exe
%Desktop%\TaskData\Tor\zlib1.dll
%Desktop%\taskdl.exe
%Desktop%\taskse.exe
%Desktop%\u.wnry
%Desktop%\wcry.exe
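The registry and file artifacts above can be swept for with a short triage script. The following is an added example, not code from the original post or from any vendor it mentions. It is read-only (it reports, it does not delete), it is meant to run from an elevated PowerShell on a host that has first been taken off the network, because WCry is an SMB worm, and it assumes that the "%Desktop%" placeholder in the list means "wherever the dropper unpacked", so it walks whole profile and system trees (the hypothetical $SearchRoots parameter) instead of trusting one directory.

```powershell
# Added example; not code from the original post. Read-only triage of a Windows host for the
# Wana Decrypt0r 2.0 registry and file artifacts listed above. Run from an elevated
# PowerShell on a host that has already been disconnected from the network (SMB worm).
# Assumption: "%Desktop%" in the post means "wherever the dropper unpacked", so the file
# sweep walks whole profile/system trees ($SearchRoots) rather than one directory.

function Get-WannaCryRegistryIndicators {
    # Looks in HKCU and in every loaded user hive under HKEY_USERS for the three artifacts:
    # the WanaCrypt0r key (its "wd" value records the directory the worm runs from),
    # a Run entry launching tasksche.exe, and the @WanaDecryptor@.bmp wallpaper.
    $userHives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    $hives = @('HKCU:') + @($userHives | ForEach-Object { "Registry::$($_.Name)" })
    $hits = @()
    foreach ($hive in $hives) {
        $wcKey = "$hive\Software\WanaCrypt0r"
        if (Test-Path $wcKey) {
            $wd = (Get-ItemProperty -Path $wcKey -ErrorAction SilentlyContinue).wd
            $hits += [pscustomobject]@{ Type = 'WanaCrypt0rKey'; Location = $wcKey; Value = $wd }
        }
        $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $runKey) {
            $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
            foreach ($prop in $run.PSObject.Properties) {
                # The Run value name is random, so match on the command instead.
                if ($prop.Value -is [string] -and $prop.Value -match 'tasksche\.exe') {
                    $hits += [pscustomobject]@{ Type = 'RunEntry'; Location = "$runKey\$($prop.Name)"; Value = $prop.Value }
                }
            }
        }
        $deskKey = "$hive\Control Panel\Desktop"
        if (Test-Path $deskKey) {
            $wallpaper = (Get-ItemProperty -Path $deskKey -ErrorAction SilentlyContinue).Wallpaper
            if ($wallpaper -match '@WanaDecryptor@\.bmp') {
                $hits += [pscustomobject]@{ Type = 'Wallpaper'; Location = "$deskKey\Wallpaper"; Value = $wallpaper }
            }
        }
    }
    return $hits
}

function Get-WannaCryFileIndicators {
    param([string[]]$SearchRoots = @("$env:SystemDrive\Users", $env:ProgramData, $env:windir))
    # Artifact names taken from the file list above, plus anything carrying the .WNCRY extension.
    $artifactNames = @('@WanaDecryptor@.exe', '@WanaDecryptor@.exe.lnk', '@WanaDecryptor@.bmp',
                       '00000000.eky', '00000000.pky', '00000000.res',
                       'b.wnry', 'c.wnry', 'f.wnry', 'r.wnry', 's.wnry', 't.wnry', 'u.wnry',
                       'taskdl.exe', 'taskse.exe', 'tasksche.exe', 'taskhsvc.exe', 'wcry.exe')
    $hits = @()
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        $found = Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.WNCRY' -or $artifactNames -contains $_.Name }
        foreach ($f in $found) {
            $type = if ($f.Extension -eq '.WNCRY') { 'EncryptedFile' } else { 'Artifact' }
            $hits += [pscustomobject]@{ Type = $type; Path = $f.FullName; Bytes = $f.Length; WrittenUtc = $f.LastWriteTimeUtc }
        }
    }
    return $hits
}

function Get-ShadowCopyCount {
    # The ShadowExplorer recovery option described later on this page needs surviving Volume
    # Shadow Copies, and WannaCry tries to wipe them (vssadmin delete shadows /all /quiet).
    return @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$registryHits = @(Get-WannaCryRegistryIndicators)
$fileHits     = @(Get-WannaCryFileIndicators)
$encrypted    = @($fileHits | Where-Object { $_.Type -eq 'EncryptedFile' }).Count
Write-Output "Registry indicators: $($registryHits.Count)"
$registryHits | Format-Table -AutoSize
Write-Output "File indicators: $($fileHits.Count) (of which $encrypted are .WNCRY files)"
$fileHits | Sort-Object Type, Path | Format-Table -AutoSize
Write-Output "Shadow copies still present: $(Get-ShadowCopyCount) (0 means ShadowExplorer will have nothing to restore)"
```

The Run value name is random, so the script matches on the command line (tasksche.exe) rather than on a value name. Any hit in the WanaCrypt0r key or the Run key means the worm has executed on this host, even if no .WNCRY files are found yet; keep the machine isolated until it has been cleaned and the files have been recovered from backup.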

Wana Decrypt0r 2.0 virus automatic remover:

Loaris Trojan Remover aids in the removal of malware (Trojan horses, worms, adware, spyware) when standard anti-virus software either fails to detect it or fails to remove it effectively. Standard antivirus programs are good at detecting WannaCry, but not always good at removing it completely. Loaris Trojan Remover can also be used as a simple cleaner: it removes not only infected files but also other junk files left behind by viruses and unwanted programs. Keep in mind that removing the ransomware does not decrypt files that have already been encrypted.


WannaCry removal steps:

    1. Disconnect the infected computer from the network first: WCry is a worm and keeps trying to reach other machines over SMB while it runs.
    2. Download Loaris Trojan Remover and scan your computer with it (a Full scan is advised).
    3. Click on "Apply" to remove all infections found once the scan is completed.

If these steps did not help and you still have to deal with the infection on your PC, just contact us and we will help you clean your computer.

How to recover files encrypted by the WannaCry virus:

Here you have 2 options:

Option 1. Use System Restore.

To do this, type System Restore in the Windows search field and choose a restore point created before the infection. Click Next until done. Keep in mind that System Restore reverts system files, programs and the registry but does not bring back your documents, and that WannaCry tries to remove restore points and shadow copies during infection, so a usable restore point may no longer exist.

Option 2. Use ShadowExplorer and Recuva.

Download and install ShadowExplorer. It lets you browse the Volume Shadow Copies (previous versions) of your drive and copy out older, unencrypted versions of the files that WannaCry encrypted or deleted. WannaCry tries to delete shadow copies as part of the infection, so this only works if some of them survived. Be careful not to launch the virus again after the restore operation.

Go to the official site for Recuva and download it from there; the free version has everything you currently need.

When you start the program, select the files types you want to recover. You probably want all files.

Next, select the location. You probably want Recuva to scan all locations.

Now tick the box to enable Deep Scan. The program will start working and it may take a long time to finish, possibly several hours if your HDD is large, so be patient and take a break if necessary.

You will now get a big list of files to pick from. Select all relevant files you need and click Recover. Recuva can only bring back deleted originals whose disk space has not been overwritten yet, so use the PC as little as possible before scanning and recover to a different drive.

UPDATE: The spread of the Wana Decrypt0r ransomware has been temporarily stopped after a security researcher registered a hardcoded domain found in the ransomware's code. Before doing anything else, Wana Decrypt0r tries to connect to this domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com). The check is unusual: if the domain does not resolve (it was unregistered), the ransomware continues and spreads; if the connection succeeds, it stops, so the domain acts as a kill switch. Since MalwareTech registered the domain, new copies of the ransomware no longer run. Cisco Talos has confirmed this. Note that the check is a plain outbound connection: on hosts that cannot reach the domain directly (no internet access, or egress only through a proxy the malware does not use) the connection fails and the kill switch does not protect them, and for the same reason the domain must not be blocked at the network edge. Machines that were already encrypted are not helped by the kill switch either.
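Because the worm performs the kill-switch lookup before it does anything else, DNS logs are a cheap way to find every machine that has executed the sample, including those the kill switch then stopped. The following is an added example, not code from the original post or from the researchers it cites. The log format is constructed for this example (one query per line: UTC timestamp, client IP, queried name, record type), the sample lines are made up, and the function name Find-KillSwitchQueries is this example's own; adapt the field split to whatever your DNS server or proxy actually writes.

```powershell
# Added example; not code from the original post. Hunts a resolver log for clients that
# looked up the kill-switch domain. The log format is constructed for this example:
#   <UTC timestamp> <client IP> <queried name> <record type>
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# Constructed sample: two clients query the kill-switch domain, one does only ordinary lookups.
$SampleLog = @'
2017-05-12T10:31:07Z 10.0.5.23 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12T10:31:07Z 10.0.5.23 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12T10:31:09Z 10.0.5.23 updates.example.local A
2017-05-12T10:32:41Z 10.0.7.118 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM A
2017-05-12T10:32:45Z 10.0.7.118 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12T10:33:02Z 10.0.9.4 mail.example.local MX
'@ -split "`r?`n"

function Find-KillSwitchQueries {
    param([string[]]$Lines, [string]$Domain = $KillSwitchDomain)
    # Match the domain itself or any name under it; -match is case-insensitive by default,
    # so mixed-case log entries are caught too.
    $pattern = '(^|\.)' + [regex]::Escape($Domain) + '$'
    $byClient = @{}
    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }
        $ts, $client, $name = $fields[0], $fields[1], $fields[2]
        if ($name -notmatch $pattern) { continue }
        if (-not $byClient.ContainsKey($client)) {
            $byClient[$client] = [pscustomobject]@{ Client = $client; FirstSeen = $ts; LastSeen = $ts; Queries = 0; Names = @() }
        }
        $entry = $byClient[$client]
        $entry.LastSeen = $ts
        $entry.Queries++
        if ($entry.Names -notcontains $name.ToLower()) { $entry.Names += $name.ToLower() }
    }
    return $byClient.Values | Sort-Object FirstSeen
}

# One row per client that queried the domain, with first/last sighting and query count.
Find-KillSwitchQueries -Lines $SampleLog |
    Select-Object Client, FirstSeen, LastSeen, Queries, @{ n = 'Names'; e = { $_.Names -join ', ' } } |
    Format-Table -AutoSize
```

On the constructed sample this flags 10.0.5.23 and 10.0.7.118 (two queries each) and leaves 10.0.9.4 alone. A flagged client whose connection to the domain succeeded was spared encryption, but it still received and ran the worm, so it should be isolated and the delivery path (SMB from another infected host) traced; a flagged client whose lookup failed should be treated as encrypted.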
