How to remove WannaSmile virus and restore encrypted files

This article is about the WannaSmile ransomware, which gets into users' laptops around the world and corrupts their files. Here you will find important information about what WannaSmile is and how to remove it from the workstation. In addition, we'll explain how to restore the corrupted data, if possible.

WannaSmile ransomware virus

WannaSmile is a malicious program that penetrates workstations mainly via e-mail spam and Trojans. Scammers also use exploits to take control of the PC, but those are promptly patched. Once the infection is done, the virus inspects the hard drive and determines the number of files to encrypt and their rough value. The virus mainly attacks organizations in Iran, but other countries have problems with ransomware too. Any ransomware virus can encrypt text, audio, image and video information in all popular formats. Business documents get extra attention, since businesspeople are the main target for fraudsters. Ransomware targets only data and doesn't touch the programs, so that the user can still use the computer to pay the ransom. The encryption is performed with the well-known RSA and AES algorithms, and it is so complex that decrypting the information without the key is impossible. This complexity is the foundation for the remarkable effectiveness of this type of virus in recent years: an ordinary user, even one with fairly good knowledge of the PC, will never recover the files and will be forced to pay the ransom. The only method to recover the data is to crack the fraudsters' webpage and retrieve the master key. Some skilled malware researchers can retrieve the keys thanks to flaws in the code of the virus itself. During encryption, WannaSmile changes the extension of files to .Wsmile and demands a payment of 20 BTC. The victim can see the requirements in the How_to_decrypt_files.html document.

One thing is true for every kind of computer virus: it is far easier to prevent an infection than to cure it. This is especially relevant for ransomware because, unlike with regular malicious programs, the results of its work remain after the ransomware has been removed from the system. To guard your system, keep in mind these three simple rules:

    • Carefully study your mailbox, especially messages that have attached files. The most popular pattern for fraud letters is a story about winning a prize or receiving a package. The second most effective kind of fraud letter is the "business message". Lawsuits, bills for goods or services, summaries, appeals and similar specific information are not sent without warning, and the recipient should know the person who sent them. In all other cases it is a scam.
    • Do not neglect the red flags that your PC shows. Encrypting the data takes a lot of hardware power. When the ransomware starts to operate, the CPU speed decreases, and the encryption process is visible in Process Manager. You may recognize this event and switch off the workstation before the files are completely damaged. In case of penetration, these measures will protect some of your files.
    • Pay attention to pop-up windows. The most efficient method of information recovery is restoration from Shadow Copies, and the developers of ransomware have made deletion of those copies one of its primary features. However, deleting the copies requires administrator rights and confirmation from the operator. If you stop for a moment before confirming the pop-up, it can save your information and your efforts.

You should know that removing the virus is only the first, required step toward normal operation of the workstation. To decrypt the information, you'll need to read the instructions in the section below. To get rid of WannaSmile, boot the workstation in safe mode and run a scan with an antivirus tool. We do not advise you to delete WannaSmile manually, because it has numerous protection mechanisms that will work against you. A very common defensive technique of such viruses is to delete files when file decryption or removal of WannaSmile is attempted. This is extremely undesirable, and the following section will help you avoid it.

Removal instruction

Step 1. Boot into Safe mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab

Step 3. Check hosts file

Edit the hosts file, which is located in C:\Windows\System32\drivers\etc\.

Open the file with Notepad and delete suspicious strings.

It has to look like this:

Hosts file.Step 3
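
A read-only way to do the review in this step, added here as an example and not part of the original guide: it lists every active (non-comment) hosts entry with its line number so nothing is missed in Notepad. The function name Get-HostsEntry, the sample lines and the rule that only loopback "localhost" mappings count as expected are assumptions of this example.

```powershell
# Added example (not from the original article): read-only review of the hosts file.
function Get-HostsEntry {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][AllowEmptyString()]
        [string[]]$Content
    )
    $loopback = @('127.0.0.1', '::1')
    $lineNo = 0
    foreach ($raw in $Content) {
        $lineNo++
        # Strip trailing comments, then skip blank and comment-only lines.
        $line = ($raw -replace '#.*$', '').Trim()
        if (-not $line) { continue }
        # An entry is: <address> <name> [<alias> ...]
        $fields  = $line -split '\s+'
        $address = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            [pscustomobject]@{
                Line     = $lineNo
                Address  = $address
                HostName = $name
                # Assumption: only loopback mappings of "localhost" are expected.
                Expected = (($name -eq 'localhost') -and ($loopback -contains $address))
            }
        }
    }
}

# Constructed sample, not taken from an infected machine.
$sample = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1      localhost
203.0.113.10   update.example.com www.example.com   # two names, one address
'@ -split "`r?`n"
Get-HostsEntry -Content $sample | Format-Table -AutoSize

# The real file: when it was last changed, and every entry that needs explaining.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Item -LiteralPath $hostsPath | Select-Object FullName, LastWriteTime, Length
Get-HostsEntry -Content @(Get-Content -LiteralPath $hostsPath) |
    Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

The script changes nothing. Any row it prints for the real file is an entry to account for before saving the cleaned file.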

Step 4. Scan the system with an antivirus scanner

 

Why we recommend SpyHunter antimalware as removal tool

Removes virus fully: all files and even registry keys of malware will be deleted

Protects your system in the future

24/7 free support team

Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab

After erasing WannaSmile from the laptop, all that remains is to recover the affected data. We won't try to reverse the encryption; instead, we'll recover the files using Windows functionality and additional programs. There are a few chances, but file recovery usually requires a lot of time and effort. If you chose manual file recovery, read this entry, which shows the easiest ways: article about files decryption.
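
Before starting recovery it helps to know how much was encrypted and whether any Shadow Copies survived. The following is an added example, not part of the original guide. It uses the .Wsmile extension and the How_to_decrypt_files.html note name given above. The function name Get-WsmileInventory and the demo folder are assumptions of this example.

```powershell
# Added example (not from the original article): read-only inventory of the damage.
# The extension and ransom-note name are the ones this article gives.
$EncryptedExt = '.Wsmile'
$NoteName     = 'How_to_decrypt_files.html'

function Get-WsmileInventory {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $EncryptedExt -or $_.Name -eq $NoteName } |
        Group-Object DirectoryName |
        ForEach-Object {
            $enc   = @($_.Group | Where-Object { $_.Extension -eq $EncryptedExt })
            $bytes = ($enc | Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                Directory      = $_.Name
                EncryptedFiles = $enc.Count
                EncryptedMB    = [math]::Round([double]$bytes / 1MB, 2)
                RansomNote     = [bool]($_.Group | Where-Object { $_.Name -eq $NoteName })
                # The earliest write time approximates when encryption reached this folder.
                FirstSeen      = ($enc | Sort-Object LastWriteTime |
                                  Select-Object -First 1).LastWriteTime
            }
        }
}

# Constructed demo tree so the function can be tried safely;
# afterwards point -Root at the real data folder or drive.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'wsmile-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'x' * 2048 | Set-Content -LiteralPath (Join-Path $demo 'invoice.docx.Wsmile')
'note'     | Set-Content -LiteralPath (Join-Path $demo $NoteName)
Get-WsmileInventory -Root $demo | Format-List

# Shadow Copies that still exist (run from an elevated prompt).
# An empty result means there is nothing to restore from by this route.
Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Select-Object ID, VolumeName, InstallDate
```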
