If you see a window whose first sentence is “Desculpe.., seus arquivos foram encriptados!,” Wannapeace Ransomware must be active on your computer. Chances are high that you let it onto your computer by opening an attachment from a malicious email. If it has infiltrated your computer in a different way, it will still start encrypting files right away. According to researchers at 411-spyware.com, Wannapeace Ransomware is still in development because it encrypted files only in the testes folder located in C:\, but this does not mean that you will necessarily encounter the same version. You are lucky if you have not found any of your files locked after encountering this threat, but you need to eliminate it from your computer as soon as possible in this case as well. If you leave components belonging to this threat on your system, you might accidentally launch the infection again. As a consequence, all your new files will be encrypted again. We are sure you do not want this to happen, so we highly recommend that you delete Wannapeace Ransomware from your system today.
Many users do not know that Wannapeace Ransomware has entered their system until they find a window opened on the Desktop. This window contains a message in Portuguese, which shows that the main target of this malicious application is Portuguese-speaking users. If you do not know a single word of this language, it does not mean that you are safe. You might still encounter this malicious application if you are not careful. Since Wannapeace Ransomware encrypts files in only one folder (C:\testes), you might still be able to access all your files after its infiltration, but you will definitely notice a window opened on your Desktop. It will tell you that your files have been encrypted for a good cause. That is, cyber criminals claim that they are collecting money to help the “injured, hungry, and suffering.” We are sure it is a pure lie, so do not even consider making a payment. By sending the ransom (0.08 Bitcoin), you will encourage malicious software developers to continue doing their job, i.e. developing new harmful applications. On top of that, we are 99% sure that none of your files have been encrypted, so we see no reason why you should spend your money on the decryption of files. We want to emphasize that you still need to delete the ransomware infection from your computer in this case.
If you see _enc. placed between the names of your files and their original extensions, e.g. file_enc.jpg, Wannapeace Ransomware must be active on your computer. It is very likely that you have it because you opened a malicious attachment. Theoretically, some users could have downloaded it from hacked websites too. When the ransomware infection is executed, a window claiming that Adobe Reader XI is loading is immediately displayed to victims. Then, the window with the ransom note is opened. Most probably, this window is opened on users’ screens so that the ransomware infection can encrypt files on compromised machines without interruption. This also explains why so many users do not notice the installation of this harmful application. Many other threats spreading through the web can enter your system without your knowledge, so you should not leave your PC unprotected. Our security specialists recommend that you enable security software on the system immediately after the full ransomware removal.
You must fully delete Wannapeace Ransomware from your computer so that this threat cannot launch again. You just need to delete drivers.txt, a file it drops in %PROGRAMFILES%, and all recently downloaded files. You should be able to find them in %USERPROFILE%\Downloads and/or %USERPROFILE%\Desktop. Before you take action, you will need to close the ransom note window opened by the ransomware infection so that you can access the Desktop. Do not forget that you can erase malware from your PC automatically as well, so if you do not feel experienced enough to remove it manually, you should acquire a reputable antimalware tool and perform a system scan with it. If you have discovered encrypted files on your PC after the Wannapeace Ransomware entrance, they will, sadly, stay locked even if you disable the ransomware infection.
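An added example (not part of the original article or the researchers' tooling): a read-only Python triage script that looks for the two on-disk indicators named above, files renamed to <name>_enc.<ext> and a drivers.txt file in %PROGRAMFILES%. The function names and the default scan roots are assumptions chosen for illustration.

```python
import os
import re
from pathlib import Path

# Indicators as described in the article: "_enc" placed between the file name
# and its original extension (file_enc.jpg), and drivers.txt in %PROGRAMFILES%.
# A name match is a lead for review, not proof: legitimate files can match too.
ENC_NAME = re.compile(r"^.+_enc\..+$", re.IGNORECASE)


def find_enc_files(root):
    """Return sorted paths under root named like <name>_enc.<ext>."""
    hits = []
    # onerror swallows permission errors so one locked folder does not stop the scan
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        hits.extend(Path(dirpath) / n for n in files if ENC_NAME.match(n))
    return sorted(hits)


def find_note_file(program_files):
    """Return the path of drivers.txt directly inside program_files, or None."""
    candidate = Path(program_files) / "drivers.txt"
    return candidate if candidate.is_file() else None


def triage(scan_roots, program_files):
    """Read-only check; nothing is deleted or modified."""
    encrypted = []
    for root in scan_roots:
        if Path(root).is_dir():  # the sample's target folder is absent on most machines
            encrypted.extend(find_enc_files(root))
    note = find_note_file(program_files)
    return {"encrypted": encrypted, "note": note,
            "suspect": bool(encrypted or note)}


if __name__ == "__main__":
    # Assumed defaults: the folder the analysed sample touched plus the profile.
    roots = [r"C:\testes", os.path.expanduser("~")]
    report = triage(roots, os.environ.get("ProgramFiles", r"C:\Program Files"))
    for path in report["encrypted"]:
        print("renamed file:", path)
    print("drivers.txt:", report["note"] or "not found")
    print("indicators present:", report["suspect"])
```

Review each reported file before deleting anything, since ordinary files can also carry an _enc suffix.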
WannaPeace Ransomware seems to be targeted at users from Portugal since the ransom note dropped by the malicious program is written in Portuguese. The text’s authors claim they do not want to harm their victims’ computers or the files on them. Apparently, all they want is a small contribution to help people who suffer. Needless to say, this could be just a tactic to convince users to pay, and the hackers might spend the money they receive on no one but themselves. Moreover, the small contribution they ask for is not so small after all. The malware’s creators demand 0.08 BTC, and at the moment of writing it is a bit more than 1,300 US dollars. If you do not think you can risk such an amount of money, we advise you not to give in to any demands. Instead of paying the ransom, you could eliminate WannaPeace Ransomware with the instructions available below or a reliable antimalware tool. The infection’s removal will not recover the files it encrypted, but it will clean the computer.
To begin with, we are not entirely sure the malware is even being distributed yet, as so far we have come across only test versions that did not work correctly. Nonetheless, given that the malicious program could be completed at any time, we believe it is important to be aware of it. First of all, users should know it might be spread via fake PDF files, since after we launched the WannaPeace Ransomware sample, it made it look as if Adobe Reader was launching. At the same time, however, the threat should be locating and encrypting the user’s personal data. Our sample locked only the data that was in the C:\testes folder, but if it gets updated, it could look for targeted files in folders every computer has (e.g., %USERPROFILE%), on separate drives, and so on.
Soon after encrypting the victim’s files, WannaPeace Ransomware should open a window with a ransom note. As said previously, the text might be written only in Portuguese. Also, in the ransom note, we saw that the hackers called themselves “Anonymous” and asked for contributions to help thousands of war victims who suffer hunger, injuries, and so on. In exchange, the malware’s creators claim the user would get his data decrypted. What’s more, besides the mentioned window, the malicious program could drop a text document called drivers.txt in the %PROGRAMFILES% directory. It contains “advice” that says if the user deletes WannaPeace Ransomware, he will lose his data forever.
At this point, it is important to say that some infections only threaten to delete files but, in reality, do not. It might be done just to make the user panic. Plus, if you are not going to pay the ransom, the encrypted files might be lost forever in any case. Sadly, they cannot be unlocked without decryption tools, although if you have copies of them somewhere safe (e.g., on a removable hard drive), you can get your data back. You should just clean the system first for safety reasons. One of the ways to eliminate WannaPeace Ransomware is to erase the data belonging to it, and our recommended steps located a bit below are here to help you with this task. On the other hand, if you are willing to install a reliable security tool, you could perform a full system scan and remove the malicious program by just clicking the provided deletion button.