How to remove Ransom_wcry.sm2 virus and restore encrypted files

Ransom_wcry.sm2 is the dangerous software infecting PC's mostly via Trojans and scam e-mails. Sometimes fraudsters use zero-day vulnerabilities to take control over the PC, but well-known software vendors quickly correct them. When infection takes place, ransomware examines the hard drive to find the files for encryption and their rough price. Currently, each new virus can cypher text, image, audio and video info in all most used extensions. Ransom_wcry.sm2 encrypts all files, but the ones that look like business correspondence go first. Ransom_wcry.sm2 encrypts only information, and doesn't affect the software, so that the user can pay the ransom via an infected PC. The process is executed via world-known AES and RSA algorithms, and it is so complicated that that decipherment of data without a key is impossible. This is the foundation for unbelievable success of this type of viruses in recent years: an ordinary customer, even if he has a pretty good knowledge of the PC, will never get back the data, and will have to pay ransom. The sole method to decrypt the data is to find the scam website and obtain the master key. Some skilled malware researchers can obtain encryption keys due to faults in the code of the virus itself.

The article is about Ransom_wcry.sm2 ransomware which infects customers' systems around the world, and cyphers the files. Here you will see full info on Ransom_wcry.sm2's essence, and how to delete Ransom_wcry.sm2 from the system. Except that, we will explain how to restore the cyphered data, if possible.

For any kinds of dangerous programs, one statement is correct: it is way easier to prevent it than to cure it. It's sad to say, but most people see the importance of PC knowledge only after ransomware infection. To shield your information, you must remember these three elementary regulations:

    • Be careful with the e-mails that contain data. If you don't know who send an e-mail and it is about receiving any prize, a lost parcel or anything like that, this is most likely ransomware. The other popular type of these messages is a forgery for business correspondence. It is natural to take an interest and click on the e-mail even if it might be not for you, but don't forget that one click on the attached file might cost you lots of efforts, money and time.
    • Don't accept any alterations to the system, coming from suspicious programs. If the PC is penetrated by ransomware, it will try to delete the shadow copies of your data, to make the recovery less possible. However deleting of copies requires administrator rights and confirmation from the user. The second of thinking before confirming the changes might save your information and your time.
    • Monitor the status of your computer. File encryption is a complex operation that needs a significant amount of hardware resources. When the virus starts to operate, the system slows down, and the encrypting process can be seen in Process Manager. You can recognize this event and shut down the PC before files will be fully damaged. Surely, some files will be encrypted, but the rest of them will remain intact.

We draw your attention to the fact that the removal of ransomware is only the first and obligatory turn for the standard operation of the system. To get back the files you'll have to familiarize with the advices in the next chapter of this entry. To eliminate any virus, user needs to launch the system at safe mode and run the scanning via antivirus software. We don't suggest you to delete the virus by hand, since it has numerous defensive mechanics that could counteract you. The most effective viral defensive manner is the deletion of information in case of file recovery or Ransom_wcry.sm2 deletion attempt. This is very undesirable, and the below part will assist you to avoid it.

Removal instruction

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner


Antivirus scanner

Why we recommend SpyHunter antimalware

Detects viruses fully: all files and even registry keys of malware will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If program detects virus on the computer, you will need to purchase SpyHunter's malware removal tool to delete viruses. Uninstall steps and additional information EULA , Privacy Policy and Threat Assessment Criteria.

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

After deleting the ransomware from the system, it only remains to recover the corrupted files. Actually, this is not about decryption, since the encryption manners owned by scammers are extremely complicated. More often than not, to restore the data, you should seek support on anti-malware communities or from renowned virus fighters and antiviral software manufacturers. If you don't want to wait and are willing to get back the information by hand - here's the useful entry on data recovery.

To restore information, follow the article about files decryption.

Add comment

Security code

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.