WantMoney Ransomware Removal Guide

WantMoney Ransomware might be targeted at people from China because a part of its displayed ransom note provides a text in Chinese. Nevertheless, we cannot say users from other countries might not encounter it since the ransom note is written in English too. Either way, we do not recommend concentrating on the hackers’ demands. They may promise to help you decipher data their malicious program encrypted, but as soon as the payment is made such promises could be forgotten. Therefore, instead of risking the asked sum, we would advise users to eliminate the malware. Once the system is clean, encrypted files could be replaced with copies if you have any on removable media devices, cloud storage, or elsewhere. Those who wish to remove WantMoney Ransomware manually should follow the instructions placed below, although if they appear to be too complicated, we would recommend employing a trustworthy security tool.

As usual with threats like WantMoney Ransomware, it could be distributed while using various methods. For example, users might come across its launcher through Spam emails, malicious installers, other infected data, and so on. It is most likely it was some unreliable file you launched the same day the computer got infected. It is difficult to be more precise because the malicious program might work silently in the background and the user could even open more data before the ransom note gets presented. Still, this file should not be forgotten as it could be launched accidentally again. The next time, you come across suspicious data, we would advise you to scan it with a reliable antimalware tool first and only then open it if the chosen tool does not identify any malicious components. As for Spam emails, if you do not think they carry anything important or something you were supposed to receive, it might be best to erase them without opening the attached data.

What happens when WantMoney Ransomware enters the system? Our specialists say it could create data on a few different Startup locations to make the infection launch automatically with each restart. Besides the malicious program might place other files necessary for it to run correctly as well as _Want Money_.bmp and _Want Money_.txt located on %USERPROFILE%\Desktop and %HOMEDRIVE%. The mentioned picture is used to replace user’s Desktop image, and the text document is probably dropped just in case the user deletes the image since it contains the ransom note too. However, both of them are placed only after the malware finished encrypting user’s files and appends a specific second extension at the end of their names (e.g., AETMB-CXQWZ-RTICD-AXQOS.Encrypted[B32588601@163.com].WantMoney1).

The ransom note could say you have to pay 0.1 BTC if you wish to decipher your files. At the moment of writing it is around 1.708 US dollars. Obviously, it is not a sum anyone would easily give up especially when there is a chance it might be lost in vain. Unfortunately, if you decide to deal with WantMoney Ransomware’s developers, you should know there are no reassurances they will deliver what was promised. For this reason, we recommend not to put up with any demands and get rid of the malicious program at once. The instructions you should see a bit below the text can tell you how to erase the threat manually. As for users who prefer automatic features or who find the instructions a bit too complicated, we advise using a trustworthy antimalware tool instead.

Restart your system in Safe Mode with Networking

Windows 8/Windows 10

1. Tap Win+I or go to the Start menu and click the Power button.
2. Tap and hold Shift and click Restart.
3. Select Troubleshoot and choose Advanced Options.
4. Pick Startup Settings and press Restart.
5. Press the F5 key and reboot your system.

Windows XP/Windows Vista/Windows 7

1. Open Start, press Shutdown options and click Restart.
2. Tap and hold the F8 key when your computer is restarting.
3. Wait till you see the Advanced Boot Options window.
4. Choose Safe Mode with Networking.
5. Press Enter and log on to your computer.

Get rid of WantMoney Ransomware

1. Click Win+R.
2. Type Regedit and tap Enter.
3. Search for this path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes
4. Locate the following keys: .WantMoney2, .WantMoney3, .WantMoney4, .WantMoney5, and so on till .WantMoney30.
5. Right-click all of these registry entries one by one and choose Delete.
6. Then go to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
7. Find a value name titled Want Money with a value data containing a path to the malware’s launcher.
8. Memorise or copy the path so you could erase the ransomware’s launcher later on.
9. Right-click value name called Want Money and choose Delete.
10. Leave Registry Editor.
11. Tap Win+E.
12. Navigate to the path you memorised or copied earlier.
13. Search for the malware’s installer, right-click it and select Delete.
14. Locate the given paths one by one:
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
15. Find data a file named Want Money.lnk in each location, right-click it and select Delete.
16. Find these paths:
    %USERPROFILE%\Desktop
    %HOMEDRIVE%
17. Erase files named _Want Money_.txt and _Want Money_.bmp.
18. Leave File Explorer.
19. Empty Recycle bin.
20. Reboot the computer.