What the WannaCry ransomware is, how to remove it and how to restore .WNCRY files

WannaCry ransomware

Starting on May 12, 2017, the world was swept by a wave of infections with a ransomware worm called WannaCry (also seen as WannaCrypt, WanaCrypt0r and, after the name of its ransom-note program, Wana Decrypt0r 2.0). It hit not only home users' computers but also the networks of large organisations, among them the Spanish telecom Telefonica, the US delivery company FedEx and banks in several countries. It is so far the most widespread attack by malware of this type, and to give you a correct picture of the situation we start from the beginning. If you only want the short version: files encrypted by WannaCrypt cannot be decrypted by anyone without the attackers' private key, and paying the ransom is no guarantee of receiving it either (see the update below for the one exception, which depends on the machine not having been rebooted since infection). Many researchers are working on the problem, but so far without a general solution. The reliable way back is to restore from backups. If you have no backups, the best you can do is remove the malware from the computer so that it does not interfere with further work; instructions are in the "WannaCrypt deletion" section.

Update: there are decryptors!

Windows XP: https://github.com/aguinet/wannakey

Windows 7, XP, 2003, Vista, 2008: https://github.com/gentilkiwi/wanakiwi/releases

Both tools rely on the same trick: on these Windows versions the prime numbers of the victim's RSA key pair remain in the memory of the ransomware process after it has finished with them, so the private key can be rebuilt from memory and the files decrypted. This only works if the computer has not been rebooted since the infection and the relevant memory has not been reused in the meantime; the longer the machine has been running since, the lower the chances. Do not restart an infected machine before trying them.

As for how it works, the ransomware uses the usual combination of AES and RSA: each file is encrypted with AES under its own key, the per-file AES keys are encrypted with an RSA key pair generated for the victim, and the private half of that pair is in turn encrypted with the attackers' RSA public key, so that only they can unlock it. The ransom note is offered in more than twenty languages, and the malware targets most common file types. After encryption the extension .WNCRY is appended to the file name. The ransom demanded of an ordinary user is $300 in Bitcoin; if it is not paid within three days the amount doubles, and if it is not paid within a week the note threatens that the files will be deleted without the possibility of recovery.

WNCRY encrypted files

The story begins in August 2016, when a group calling itself the Shadow Brokers announced that it had obtained a set of hacking tools belonging to the Equation Group, a unit widely attributed to the NSA. The package contained exploits for a variety of systems, including network equipment and Windows, together with material on access to banking networks, and the Shadow Brokers tried to auction it for 1 000 000 BTC, at that time more than $550 million; nobody bought it. In April 2017 the group gave up on selling and published the Windows exploits, among them ETERNALBLUE, in the open, and that is where the authors of WannaCry took their worm component from.

How WannaCrypt infects computers

Earlier versions of WannaCrypt0r had been seen in the weeks before May 12, but they spread slowly, relying on the victim to run the file, and were not regarded as a serious threat. That was a mistake: a new version combined the encryptor with a worm built on the ETERNALBLUE exploit published by the Shadow Brokers, and within days it had become the most dangerous malware of the year, compromising the computers of a great many home users as well as large organisations.

The worm spreads over SMB, the Windows file-sharing protocol, on TCP port 445. It scans the local network and random Internet addresses for hosts that accept connections on that port and attacks them with ETERNALBLUE, a flaw in the SMBv1 server that Microsoft fixed in March 2017 with update MS17-010. On a successfully exploited host it installs the DOUBLEPULSAR kernel backdoor from the same leak and uses it to load a copy of itself; the copy registers itself as a Windows service, drops and runs the encryptor, and starts scanning in turn. Before any of this, each copy performs one check: it tries to open an HTTP connection to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the connection fails, the malware proceeds with the infection; if it succeeds, the program simply exits and neither the encryptor nor the worm is started on that machine.
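The scanning behaviour described above leaves a characteristic trace: one host opening connections to many different addresses on TCP/445 within seconds. The following script is an added example, not code from the article or from any of the tools it mentions. It parses Windows Firewall log records in their default W3C layout (as collected from hosts into one place) and flags any source that touches at least a given number of distinct targets on port 445 inside a time window. The log lines are constructed for the example and the thresholds are assumptions to tune for your network.

```powershell
# Added example, not part of the original article: flag hosts fanning out to TCP/445.
# Input: Windows Firewall log lines (W3C layout). The records below are constructed.

function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }       # skip header, comment and blank lines
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        [pscustomobject]@{
            Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            DstPort  = if ($f[7] -match '^\d+$') { [int]$f[7] } else { $null }   # '-' for ICMP
        }
    }
}

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinTargets    = 10,   # assumed threshold: distinct hosts on 445 ...
        [int]$WindowSeconds = 60    # ... inside this many seconds
    )
    $smb = @($Events | Where-Object { $_.Protocol -eq 'TCP' -and $_.DstPort -eq 445 })
    foreach ($group in ($smb | Group-Object -Property SrcIp)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        $best = $null
        # For every record, count distinct targets in the window starting at that record
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $targets = @{}
            for ($j = $i; $j -lt $sorted.Count -and $sorted[$j].Time -le $end; $j++) {
                $targets[$sorted[$j].DstIp] = $true
            }
            if ($targets.Count -ge $MinTargets -and ($null -eq $best -or $targets.Count -gt $best.DistinctTargets)) {
                $best = [pscustomobject]@{
                    SrcIp           = $group.Name
                    DistinctTargets = $targets.Count
                    WindowStart     = $sorted[$i].Time
                }
            }
        }
        if ($null -ne $best) { $best }
    }
}

# Constructed records: a normal client reaching two file servers (plus one ICMP record),
# and one host hitting twelve neighbours on 445 inside twenty seconds.
$constructed = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2017-05-12 10:00:00 ALLOW TCP 10.0.5.40 10.0.5.10 50001 445 0 - 0 0 0 - - - SEND',
    '2017-05-12 10:03:00 ALLOW TCP 10.0.5.40 10.0.5.11 50002 445 0 - 0 0 0 - - - SEND',
    '2017-05-12 10:03:01 DROP ICMP 10.0.5.40 10.0.5.11 - - 60 - - - - 8 0 - RECEIVE'
)
foreach ($n in 1..12) {
    $constructed += '2017-05-12 10:05:{0:00} ALLOW TCP 10.0.5.23 10.0.5.{1} {2} 445 0 - 0 0 0 - - - SEND' -f $n, (100 + $n), (51000 + $n)
}

$events = ConvertFrom-FirewallLog -Lines $constructed
$alerts = @(Find-SmbFanOut -Events $events)
$alerts | Format-Table -AutoSize
```

On the constructed records only 10.0.5.23 is reported; 10.0.5.40 stays under the threshold. Because a host's own firewall only logs its own traffic, the records have to come from many hosts (or from a perimeter device) for the fan-out to be visible; on a single machine the same logic applied to inbound records on 445 shows who is scanning you.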

Computer infected by Wana Crypt

The researcher known on Twitter as MalwareTech used this check to stop the spread. While examining the code he noticed the domain, saw that it was unregistered and registered it himself, so that from then on every new copy of the worm got a successful answer and exited. Stopping the largest ransomware wave to date cost him about £10 for the domain. Three caveats apply. The check only helps when the infected machine can reach the Internet directly, because the worm does not use the system's proxy settings; hosts behind a proxy or on an isolated network keep infecting each other. Already infected machines remain infected, and files that are already encrypted stay encrypted unless the memory-recovery decryptors above apply. And the attackers or copycats can release a new version with a different domain or no check at all; this is expected from day to day.

How to protect the system from WannaCrypt0r

Keep in mind that the worm can start spreading again at any time: changing a few lines of code is enough to produce a new version without the kill switch. To keep it out, install the MS17-010 update (for Windows XP, Windows 8 and Windows Server 2003, which were no longer supported, Microsoft published a separate emergency update on May 13, 2017), disable SMBv1 wherever you do not need it, and block TCP port 445 from the Internet and between network segments that have no reason to talk SMB to each other. If you do not, an unpatched PC reachable on port 445 will be encrypted with no action from you at all. WannaCrypt differs from most of the ransomware we have looked at before: the attackers rely entirely on the worm and do not use the usual methods such as bundled installers or e-mail spam. This means the basic advice ("stay alert", "do not download programs from torrents") will not protect you. To protect your data, follow the instructions below.

WannaCrypt deletion

We have put together step-by-step instructions that remove WannaCrypt from the system and protect it against reinfection. All items are mandatory and should be followed in the given order. Before you start: download the update in Step 1 (or fetch it on another computer), then disconnect the infected machine from the network (unplug the cable or turn off Wi-Fi) until Step 8 is done, because an unpatched machine can be reinfected within minutes of being reconnected. Some of the operations may seem complicated; if you have trouble with any step, write in the comments and we will help you.

Step 1. Download security update MS17-010 for Windows

Follow this link: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx and pick the package for your Windows version. For Windows XP, Windows 8 and Windows Server 2003 the fix is the separate update KB4012598 that Microsoft published on May 13, 2017; search the Microsoft Update Catalog for that number.

Step 2. Block the port the worm uses

Start -> type cmd -> right-click cmd.exe -> choose Run as administrator

Type the following command and press Enter:

netsh advfirewall firewall add rule name="Block_TCP-445" dir=in action=block protocol=TCP localport=445

This blocks incoming SMB connections to this computer, which is how the worm gets in. It also blocks legitimate access to shared folders on this computer, so on a file server you should instead disable SMBv1 and restrict port 445 to the hosts that need it.

Step 3. Boot the system into Safe Mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the Boot tab, tick Safe boot, click OK and let the computer restart. If you intend to try the decryptors mentioned above, do so before this restart: they need the key material that is still in memory, and a reboot destroys it.

Safe mode. Step 2

Step 4. Check the Startup list

Start -> Msconfig.exe -> on the Startup tab, untick any program you do not recognise. On Windows 8 and later the Startup list is in Task Manager instead of Msconfig.


Step 5. Check the hosts file

This is a general check for infections that redirect web sites; the file is C:\Windows\System32\drivers\etc\hosts.

Hosts file. Step 1

Open the file with Notepad started as administrator (otherwise you cannot save it) and delete any suspicious entries.

Hosts file. Step 2

It should contain only comment lines beginning with #. On a default installation every line is a comment; at most you may see the entries 127.0.0.1 localhost and ::1 localhost.

Hosts file. Step 3

Step 6. Scan the system with an antivirus scanner

Run a full scan with an up-to-date antivirus or anti-malware scanner and remove everything it reports; a scan alone does not make the machine safe, so do not skip Steps 7 and 8.


Step 7. Disable Safe Mode

Start -> Msconfig.exe -> on the Boot tab, untick Safe boot, click OK and restart.

Deactivate Safe mode

Step 8. Install the update

Install the MS17-010 package you downloaded in Step 1 (or KB4012598 on Windows XP, 8 and Server 2003) and reboot. Only then reconnect the computer to the network, and check that Windows Update is turned on so that later fixes arrive by themselves.
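The protection advice above and Steps 1, 2 and 8 come down to three questions for each Windows machine: is the MS17-010 fix present, is SMBv1 still enabled, and is port 445 reachable. The script below is an added example, not code from the article or from Microsoft; it answers the questions and applies the mitigations from an elevated PowerShell prompt. The hotfix numbers are the MS17-010 package IDs from Microsoft's bulletin, which is an assumption you should verify against the bulletin for your version; later cumulative updates supersede them, so "none found" does not prove the host is unpatched, whereas SMBv1 being disabled closes the hole regardless of patch level.

```powershell
# Added example (not from the original article): audit one Windows host for the
# WannaCrypt0r entry point and apply the mitigations from Steps 1, 2 and 8. Run elevated.
# Assumption: these are the MS17-010 package IDs from Microsoft's bulletin; newer cumulative
# updates supersede them, so a missing ID is a prompt to check, not proof of vulnerability.
$Ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
              'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'

function Get-OsVersion {
    # Get-WmiObject also exists on Windows 7's PowerShell 2.0, unlike Get-CimInstance
    [version](Get-WmiObject -Class Win32_OperatingSystem).Version
}

function Test-Ms17010Hotfix {
    $found = @(Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Installed = ($found.Count -gt 0)
        HotfixIds = @($found | ForEach-Object { $_.HotFixID })
    }
}

function Test-Smb1ServerEnabled {
    if ((Get-OsVersion) -ge [version]'6.2') {
        # Windows 8 / Server 2012 and later expose the switch directly
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 (KB2696547): SMB1 value absent or non-zero means enabled
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $p) -or ($p.SMB1 -ne 0)
}

function Disable-Smb1 {
    if ((Get-OsVersion) -ge [version]'6.2') {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # server side
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
        # client side: drop the SMB1 redirector from the workstation service and disable it
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

function Block-InboundSmb {
    # the same rule as Step 2; netsh works on every Windows version in scope
    netsh advfirewall firewall add rule name="Block_TCP-445" dir=in action=block protocol=TCP localport=445 | Out-Null
}

$hotfix = Test-Ms17010Hotfix
$smb1   = Test-Smb1ServerEnabled
Write-Host ("MS17-010 package present : {0} {1}" -f $hotfix.Installed, ($hotfix.HotfixIds -join ', '))
Write-Host ("SMBv1 server enabled     : {0}" -f $smb1)

Block-InboundSmb
if ($smb1) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; a reboot is required for the change to take effect.'
}
if (-not $hotfix.Installed) {
    Write-Host 'No MS17-010 package found: install the update from Step 1, or confirm a newer cumulative update is in place.'
}
```

The firewall rule is applied unconditionally because it is cheap and reversible (netsh advfirewall firewall delete rule name="Block_TCP-445"); disabling SMBv1 is the durable fix, since it removes the vulnerable code path rather than just one route to it, but it breaks access to very old devices that speak only SMBv1, so test it on a file server before rolling it out.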

WannaCrypt files recovery

Apart from the memory-recovery tools in the update above, there is no known way to obtain the key for a given victim's files; researchers continue to work on it because of the scale of the damage, to home users and large companies alike. If you did not back up the system or your important data, there is no guaranteed way to restore the files. There are, however, methods that may work. WannaCrypt tries to delete the Volume Shadow Copies of the disk with the standard tools (vssadmin delete shadows /all /quiet and wmic shadowcopy delete) and to disable Windows recovery with bcdedit. This requires administrator rights. When the ransomware arrived through the SMB exploit it already runs as SYSTEM and deletes the copies silently; when it was started by hand by a user without administrator rights it has to ask, and the user sees the UAC window asking whether to allow the program to make changes to this computer. If you confirmed it, the shadow copies are gone. If you declined, or the deletion failed for another reason, the shadow copies may still hold pre-encryption versions of your files; our article on file recovery describes, among other things, how to restore data from them.
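Whether shadow copies survived is quick to check before you go looking for other recovery options. The script below is an added example, not code from the article: it lists the remaining Volume Shadow Copies with their creation dates and exposes the newest one as a folder from which files can be copied out with ordinary tools. It must run elevated; the mount path C:\ShadowCopy is an assumption, and a copy created after the infection already contains the encrypted files, so compare the date against when the .WNCRY files appeared.

```powershell
# Added example (not from the original article): list surviving Volume Shadow Copies and
# expose one as a folder. Run elevated. C:\ShadowCopy is an assumed, unused mount path.

function Get-SurvivingShadowCopies {
    Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id           = $_.ID
            Created      = $_.ConvertToDateTime($_.InstallDate)
            Volume       = $_.VolumeName
            DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [string]$MountPath = 'C:\ShadowCopy'
    )
    # mklink needs the trailing backslash on the device path; it creates a directory symlink
    cmd.exe /c mklink /d $MountPath "$DeviceObject\" | Out-Null
    return $MountPath
}

$copies = @(Get-SurvivingShadowCopies | Sort-Object -Property Created)
if ($copies.Count -eq 0) {
    Write-Host 'No shadow copies left: the deletion succeeded, restore from backup instead.'
} else {
    $copies | Format-Table -AutoSize
    # The newest copy is mounted; make sure its Created date is before the infection,
    # otherwise pick an older entry from the list. Then copy files out, for example:
    #   robocopy C:\ShadowCopy\Users\<name>\Documents D:\recovered /E
    $newest = $copies[-1]
    $path = Mount-ShadowCopy -DeviceObject $newest.DeviceObject
    Write-Host "Shadow copy from $($newest.Created) is browsable at $path"
}
```

When done, remove the link with rmdir C:\ShadowCopy (this deletes only the link, not the shadow copy). Copy recovered files to a different disk rather than back onto the infected one until the removal steps above are complete.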
