Wannasmile Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 418
Category: Trojans

If Wannasmile Ransomware invades your Windows operating system, it quickly encrypts your personal files and attaches the “.WSmile” extension to their names. Also, it creates a file that is set to open on the startup of your operating system. The file is called “How to decrypt files.html,” and you should face it whenever you restart the operating system. The text is represented in Arabic, and since this language is spoken in the Persian Gulf and Northern Africa, many Windows users could encounter it. It is not yet known how this malware spreads, but there are many different security loopholes that cyber crooks can use for that. If the targeted operating system is not protected reliably, and the user is not attentive and careful, it is very easy for malware to slither in. Unfortunately, the malicious ransomware is no ordinary threat, and if it successfully gets in, your personal files are likely to be corrupted permanently. While you can find more information about the threat in this report, it appears that the only thing you will be able to do is to delete Wannasmile Ransomware from your operating system.

The malicious Wannasmile Ransomware is linked to the well-known Wannacry Ransomware. These threats do not operate in the same ways, and they were not created by the same people. The link between these two threats is due to a program called “Wannasmile,” which was created to stop the malicious WannaCry infection. It is unknown why exactly the developer of the devious Wannasmile Ransomware has decided to adopt this name, but it is possible that users could be tricked into letting it in in disguise of the authentic Wannasmile tool. Once the treat enters the operating system, you might find it as “client.exe” on the Desktop; however, we cannot guarantee that this is the name or even the location you will find the malicious launcher in. Once executed, the threat should also drop a file named “WannaSmile.exe” into the %APPDATA% directory. Simultaneously, a shortcut named “WannaSmile.lnk” should be added to the Startup along with the ransom note file, “How to decrypt files.html.” All of these components are malicious, and you want to remove them as soon as possible. Of course, before you initiate the removal of this malware, you are more likely to focus on the demands made via the ransom note.

The ransom note introduced to you via “How to decrypt files.html” informs that a ransom of 20 Bitcoin is expected to be paid. Although you might be convinced that it would become possible to decrypt your files once the ransom was paid, keep in mind that you are dealing with cyber criminals who do not keep their promises at all. On top of that, 20 Bitcoin, at the time of research, equaled nearly 200,000 US Dollars. Considering that this ransom is exceptionally big (for example, infections like Wo Sind Meine Dateien Ransomware, Ender Ransomware, or Hacked Ransomware do not demand ransoms bigger than 1 BTC), it is possible that Wannasmile Ransomware is targeted at bigger companies and organizations. Our research team found that the threat currently targets over 60 different types of files, including .zip, .avi, .pdf, .txt, .jpeg, .doc, or .html, which means that it goes after personal files. This simply proves how important backing up personal data is. If your files were backed up, you could remove Wannasmile Ransomware and the encrypted files, and you would still have access to personal data. Keep this in mind for the future.

As you can see, we have created a guide that shows how to remove Wannasmile Ransomware manually. Although that is an option anyone can try, we have to warn that not all Windows users will have enough experience to succeed on their own. What if you cannot delete the ransomware yourself? If that is the case, you need to find an alternative method of elimination, and we suggest anti-malware software. If this kind of software is already installed on your PC, you need to consider upgrading or replacing it because, clearly, it let at least one infection through. Besides being capable of automatically deleting Wannasmile Ransomware and other active threats, reliable and up-to-date anti-malware software can also strengthen your virtual security in the most effective way. Besides strengthening your system’s protection, you cannot forget to double-protect your files, which you can do by backing them up.

How to delete Wannasmile Ransomware

  1. Launch Task Manager (tap Ctrl+Shift+Esc keys) and click the Processes tab.
  2. Right-click the malicious process (could be named client.exe) and choose Open File Location.
  3. Go back to the malicious process, select it, and click End Process.
  4. Move to the file location (could be named client.exe and could be found in Desktop,  Downloads, and Temp folders), right-click the file, and select Delete.
  5. Tap Win+E keys to launch Windows Explorer.
  6. Enter %APPDATA% into the bar at the top and Delete the file named WannaSmile.exe.
  7. Move to the Startup folder and then Delete the file named WannaSmile.lnk:
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  8. Tap Win+R keys to launch RUN and then enter regedit.exe to access Registry Editor.
  9. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run.
  10. Delete the value named WANNASMILE.
  11. Empty Recycle Bin and then immediately perform a full system scan.
Download Remover for Wannasmile Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

Wannasmile Ransomware Screenshots:

Wannasmile Ransomware
Wannasmile Ransomware

Wannasmile Ransomware technical info for manual removal:

Files Modified/Created on the system:

# File Name File Size (Bytes) File Hash
1WannaSmile.exe801280 bytesMD5: e99cabc8fd754562e48e5d1e89951fb7
2WannaSmile.lnk1850 bytesMD5: fdf959c6aa502b6e4ddd3eb6e96a0bb0
3How to decrypt files.html5689 bytesMD5: 490ca840d39004f8cd5f37391d85c073

Memory Processes Created:

# Process Name Process Filename Main module size
1WannaSmile.exeWannaSmile.exe801280 bytes

Comments are closed.