WannaCash ransomware

WannaCash is a cryptovirus which encodes data and demands to transfer the ransom to Yandex wallet

WannaCash ransomware is the threat that demands money in the message that shows up as a text file.

WannaCash ransomware is the threat that demands money in the message that shows up as a text file.

WannaCash ransomware is the Rusaina-speakers targeting threat that manages to encode files, so the ransom can be demanded from victims. It encrypts files using encryption algorithms and change the desktop wallpaper, changes text file on the desktop. The victimized files are encrypted with AES 256 algorithm and users are demanded to pay 4999 Rubles for the WannaCash decryption software that criminals allegedly have. Additionally, the payment must be transferred to Yandex[1] wallet which is one of the biggest electronic payment platforms in Russia.

However, our security researchers note that there are alternative ways how you can recover files encrypted by WannaCash virus without paying the ransom. The text file как расшифровать файлы.txt contains various scary claims, so it may seem that the best option is paying. However, we cannot stress enough how dangerous can Russian hackers get. Especially, when this threat has already released a few major versions. The most recent one, WANNACASH NCOV ransomware was released into the wild in March 2020, almost two years after the initial release of the original version.

It now uses double the encryption because relies on AES and RSA method mix and delivers the same Как расшифровать файлы.txt file as the money-demanding ransom note. This variant uses the pattern of extensions and renames files with Файл зашифрован. Пиши. Почта [email protected] [number].WANNACASH NCOV v310320 marker, according to the report from virus researcher.[2] Even though, this family uses the Russian language, there is still a possibility that malware occurs on devices in various countries all over the world.

Name WannaCash
Type Ransomware
Cryptography AES 256 and RSA-1024
ransom note как расшифровать файлы.txt – file contains contact information and instructions, scary allegations and encouragement to pay the ransom
File markers  WannaCash compresses files and adds файл зашифрован to their names. These tactics change and malware also adds prefixes, renames files entirely. Some of the marker versions include .wannacash; .punisher; File encrypted [original_name].zip; .happy new year;  Файл зашифрован. Пиши. Почта [email protected][number].WANNACASH NCOV v310320
Amount of the ransom 4999 RUB and the amount may get changed per each victim
Payment platform used Yandex.Money
Targets People located in Russia o Russian-speakers
rELATED FILES lock.exe; keys.exe; key.txt; Decrypt files.txt; chrome.zip;
Distribution Might come hidden inside the malicious attachment via spam emails and get triggered when user enables the macro malware added to the document or executable file, hyperlink included in the notification itself
Elimination You should get rid of WannaCash virus and other similar sophisticated infections with professional tools, like anti-malware programs and security software
repair You can remove WannaCash ransomware damage with PC repair tools like Reimage Reimage Cleaner Intego or optimization software that is designed to keep the system okay

Usually, infections like WannaCash ransomware reach the targeted systems via email. They might come hidden inside the letters as innocent attachments that are hard to identify. Once WannaCash virus settles on the system, it starts encrypting the most widely used files on the computer, including the following ones:

  • .doc; .docx; .xls; .xlsx; .xlst; .ppt; .pptx; .rtf; .pub; .pps; .ppsm; .pot; .pages;
  • .indd; .odt; .ods; .pdf; .zip; .rar; .7z; .jpg; .png;
  • .mp4; .mov; .avi; .mpeg; .flv; .psd; .psb;

The ransom note by WannaCash virus is dropped after a successful data encryption[3]. People are asked to pay 4999 RUB for WannaCash decryption software. Additionally, they are urged to do so as the criminals claim that there is not much time left. Otherwise, random data will be deleted after every 10 minutes. However, people should not fall for these deceptive promises.  WannaCash ransomware illustration
WannaCash is a file-encrypting virus which encrypts data with AES 256 cipher and demands to transfer 4999 RUB to Yandex wallet.

WannaCash ransomware illustration
WannaCash is a file-encrypting virus which encrypts data with AES 256 cipher and demands to transfer 4999 RUB to Yandex wallet.

Ransomware posts various messages on the machine and drops text files, images, HTML data. All of them either contain information about file types that get encoded or the brief message and contact emails listed. One of the message versions that text files can include(translated): 

All files of the following extensions were encrypted:
.doc .docx .xls .xlsx .xlst .ppt .pptx .accdb .rtf .pub .epub .pps .ppsm .pot .pages .odf .odt .ods .pdf. djvu .html .txt .tib .iso .dat .zip .rar .7z .gzip .gz .jpg .png .mp4 .mov .avi .mpeg .flv .gif .psd .psb .veg
——- ————————————————– ————
We guarantee that you can safely and easily recover all your files.
Contact us.
mail:              [email protected]
spare mail:    [email protected] (use only if the first does not respond within 24 hours)
Indicate your identifier in the letter
————————————————– ——————-
Your identifier: D061-7E **
———————– ———————————————-
* Do not rename encrypted files.
* Do not try to decrypt your data using third-party programs, this can lead to permanent data loss.

WannaCash ransomware similar to other cyber threats is designed to generate illegal profits. People are tricked to obey the rules of the attackers which might lead to financial losses rather than effective WannaCash decryptor. Thus, our experts do not recommend you to agree to pay the ransom.

Instead, you should remove WannaCash ransomware from your system to avoid further damage. For that, only professional tools can help you as there are numerous components related to this virus that can be hidden inside your PC. You must get rid of them all if you want to protect your computer successfully. Get Reimage Reimage Cleaner Intego for any file recovery needed in the system folders.

You need to rely on professional tools to avoid any additional damage, so get an anti-malware tool for cryptovirus termination. After the antivirus programs complete WannaCash ransomware removal, you will be able to start thinking about data recovery. We have prepared multiple methods that can help you retrieve all or even individual files encrypted by WannaCash ransomware. The list of effective data recovery tools is presented at the end of this article.  WannaCash ransomware image
WannaCash is a ransomware-type infection which targets Russian-speaking computer users.

WannaCash ransomware image
WannaCash is a ransomware-type infection which targets Russian-speaking computer users.

WannaCash ransomware virus comes back in 2020

WANNACASH NCOV ransomware virus came out in March 2020, when the world was paralyzed and in lockdown due to the Coronavirus pandemic, but many people try to take advantage of such a situation, especially malicious actors. This is not the first version after the initial WannaCash, but other variants only carried the initial code and were released back in 2018, mainly.

Throughout those years ransom note evolved to a normal text file with a message about encryption, but all the other features remained the same. What comes different with WANNACASH NCOV ransomware?

First, WANNACASH NCOV ransomware adds a lengthy file marker to encrypted files and runs destructive processes in the background to avoid detections and quick virus removal. As for encryption, it is still the main purpose of the virus, but this particular version relies on AES and RSA encryption algorithm mix that ensures complete changes in the original coding of your common files. 

However, all these changes affect the WANNACASH NCOV ransomware removal as well. As always, ransomware creators prefer emails for contacting them, but writing via [email protected], [email protected] is never recommended. There are too many incidents when paying victims are left with unrecovered and damaged files. You better remove malware with AV tools.[4]  WANNACASH NCOV ransomware


The ransom note that is the most recent that WANNACASH NCOV ransomware victims received in the Как расшифровать файлы.txt file(original language):

Все значимые файлы на ВАШЕМ компьютере были заархивированы и зашифрованы при использованием AES-256-CBC + RSA 1024bit шифрования.
Я гарантирую, что ВЫ сможете безопасно и легко восстановить все свои файлы.
Чтобы подтвердить мои честные намерения, отправьте мне на почту 2 любых файла, и ВЫ получите их расшифровку.
почта: [email protected]
резеврная почта: [email protected] – Если не отвечаю в течении суток, пишите на резервную почту.
не забывайте проверять папку спам !
У ВАС есть ровно 7 дней на связь со мной. 09.04.2020 числа в расшифровке ВАМ будет отказано,а ВАШ  ключ дешифровки в автоматическом порядке удален. Я предупредил.
* Не пытайтесь расшифровать ваши данные с помощью сторонних программ, это может привести к повреждению или другим неприятным для ВАС последствиям.
* Крайне не рекомендую обращаться за помощью на форумы антивирусных компаний. Только лишь потеряете время на ожидание отрицательного ответа.
66,01 сек.

Spam email attachments might hide the payload of ransomware

Even though the inbox might seem like a safe place, criminals distribute infected emails to spread cyber threats. Usually, the malware comes as an attachment which might mimic innocent documents, such as invoices or shopping receipts. Users who fail to identify an infection and open the attachment infiltrate a file-encrypting virus on their systems. 

Likewise, it is vital to monitor your inbox. Always be cautious that cybercriminals disguise as well-known companies or brands to trick novice PC users. Never open any suspicious attachments and if you have any doubts about the legitimacy of the letter, contact the company directly and ask for confirmation. 

Look out for any red flags and make sure to delete any emails that:

  • state about financial information;
  • include files attached or hyperlinks in the notification itself;
  • are send from unknown senders;
  • contains grammar mistakes or typos;
  • ask for additional content agreements or offers to enable macros.

Terminating WannaCash ransomware virus safely

Virusi.bg[5] team warns that since ransomware-type infections are highly advanced, they are programmed to stay persistent. It is not only hard to remove WannaCash ransomware by yourself but also might be dangerous. You can either damage your system or the malware might reappear in the future. 

Thus, the only the automatic WannaCash ransomware removal process is safe. For that, you should install reliable security tools, such as SpyHunter 5Combo Cleaner, or Malwarebytes. They will help you detect and uninstall all ransomware-related components and clean the system from other cyber threats. 

For any damage caused by WannaCash ransomware virus in system folders or alterations made to your programs and OS functions, rely on Reimage Reimage Cleaner Intego because such PC repair tools can check and even fix corrupted files or affected data on the computer. This is the program that helps to improve the performance of the affected machine. Then you can go further and focus on data recovery options. Some of them are listed below.

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-04-03 at 09:01 and is filed under Ransomware, Viruses.