WanaCrypt0r Ransomware Removal Guide

If you not only heard about WanaCrypt0r Ransomware but also encountered it as well, we advise you to review the rest of our report and learn more details about this vicious threat. It managed to infect numerous computers all over the world in a rather short time; the researchers say the malicious program was noticed in more than 150 countries. Same as other ransomware applications it damages user’s data by encrypting it and demands to pay a ransom. Currently, there is still no way to decipher WanaCrypt0r Ransomware, but hopefully, with time volunteer IT specialists will find a way to develop a free decryption tool. Paying the ransom might seem like the easiest way to get your files back and get rid of the malware; however, we urge you to consider this option carefully, because despite what the threat’s ransom note says there are no guarantees you will be able to decrypt any files. Consequently, we recommend removing the infection.

The reports say WanaCrypt0r Ransomware is not just a file-encrypting application since it is a worm too. It was spread while exploiting particular vulnerabilities in the Windows operating system. It would seem the weak point could be found both in older and newer Windows versions. This is why Microsoft released updates even for operating systems that are not being uploaded anymore. Users were urged to get these latest security updates to secure the system and avoid the malware.

If you have not updated your system still, we would advise you to do it as fast as possible. Even though the reports say the worm is no longer distributed, cyber criminals can come up with other malicious applications, so it would be unwise to leave the computer unprotected. Plus, to keep the computer protected, it is advisable to not only update the system or other outdated software but also acquire a trustworthy security tool that could help with the task. Obviously, such a tool should always be up to date as well so it could recognize newer threats.

Apparently, when WanaCrypt0r Ransomware enters the system it might create a malicious executable file named tasksche.exe. The suspicious file should be placed in C:\Windows and in a randomly titled folder (e.g. cyyrgpdxins781) located in the C:\ProgramData directory. Afterward, the malware should start encrypting various personal files like pictures, photos, text documents, archives, and so on. It would seem the infection has a list of targeted extensions. To give you an example, the threat could encrypt files with .wav, .swf, .fla, .wmv, .mpg, .vob, .avi, .mpeg, .asf, .mov, .mkv, .flv, .wma, .mid, .djvu, .psd, .svg, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, and many other extensions. The enciphered files should be marked either with the .WNCRYT or .WNCRY extension.

Each directory containing damaged data should have an executable file called @WanaDecryptor@.exe. Our researchers say, opening it should launch WanaCrypt0r Ransomware’s window. The pop-up message is the infection’s ransom note as it contains explanations, demands, and instructions on how to make the payment. In this message, the malware’s creators answer the question if the user can recover his data by saying: “Sure. We guarantee that you can recover all your files safely and easily.” Needless to say, no matter how reassuring they sound no one can actually guarantee the decryptor will be working after you pay the ransom. Thus, we advise you not to risk your money and find another way to recover the encrypted files, e.g. backup copies on removable media devices, recovery tools, etc. Of course, for safety reasons, it is most advisable to get rid of the worm first.

As you can see we added our recommended deletion steps below the text, although we would advise using reliable antimalware software more, especially if you are not so experienced in removing such malicious programs like WanaCrypt0r Ransomware. Nonetheless, if you feel you can manage you could try erasing the worm manually by following the provided instructions. Lastly, if you need any further assistance or have any questions related to the infection, feel free to add a comment below the text or reach us via social media.

Restart your system in Safe Mode with Networking

Windows 8/Windows 10

1. Press Windows Key+I and select the Power button.
2. Click and hold the Shift key as you press Restart.
3. Select Troubleshoot and pick Advanced Options.
4. Choose Startup Settings and press Restart.
5. Click the F5 key and restart the PC.

Windows XP/Windows Vista/Windows 7

1. Go to Start, press Shutdown options and select Restart.
2. Press and hold the F8 key when your computer is restarting.
3. Select Safe Mode with Networking from Advanced Boot Options window.
4. Press Enter and log on to the computer.

Eliminate WanaCrypt0r Ransomware

1. Open the Explorer (Windows key+E).
2. Navigate to the Temporary Files, Downloads, and Desktop directories.
3. Search for a suspicious file that was downloaded and launched before the system got infected.
4. Right-click this malicious file and select Delete.
5. Go to: C:\Windows
6. Locate a file titled as tasksche.exe, right-click it and press Delete.
7. Then look for this path: C:\ProgramData
8. Search for a randomly named folder containing the tasksche.exe file.
9. Right-click this malicious folder and select Delete.
10. Remove all @WanaDecryptor@.exe files and @Please_Read_Me@.txt ransom notes.
11. Leave the Explorer.
12. Empty Recycle Bin and reboot the computer.