WannaCash Ransomware

By GoldSparrow in Ransomware

The WannaCash Ransomware is an encryption ransomware Trojan that is used to profit from harassing computer users. It carries out a typical version of this attack: it takes the victim's files hostage and then demands a ransom payment in exchange for the decryption key needed to restore the affected files. Threats like the WannaCash Ransomware are usually delivered through spam email attachments, and the WannaCash Ransomware is no exception. Victims receive spam email messages that use social engineering techniques to trick them into opening an attached file. These emails contain a Microsoft Word attachment with embedded macro scripts that download and install the WannaCash Ransomware onto the victim's computer. Once the WannaCash Ransomware is installed, it carries out its attack, taking the victim's files hostage and demanding a ransom payment.

How the WannaCash Ransomware Attacks Your Computer

Once the WannaCash Ransomware is installed on the victim's computer, it uses AES-256 encryption to make the victim's files inaccessible. The WannaCash Ransomware specifically targets computers that use Russian language settings, and its ransom note and language seem to indicate that it is designed to target Russian speakers exclusively. The attack is straightforward and has been observed countless times before. The WannaCash Ransomware runs as 'lock.exe' on the infected computer and drops two text files there, 'key.txt' and 'Расшифровать файлы.txt' (Decrypt files.txt). It renames the affected files by adding the string 'encrypted' to the beginning of the file's name and enclosing the rest of the file's name in parentheses, a marked departure from most ransomware Trojans, which simply add a new file extension to the compromised files.
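
The file names described above can be matched against a directory listing during host triage. The Python below is an added example, not code from the original article; the spacing and case of the renamed files, the indicator labels and the sample paths are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions listed in the ransom note quoted on this page.
TARGETED = set((".doc .docx .xls .xlsx .xlst .ppt .pptx .rtf .pub .pps .ppsm "
                ".pot .pages .indd .odt .ods .pdf .zip .rar .7z .jpg .png .mp4 "
                ".mov .avi .mpeg .flv .psd .psb").split())
# Names from the article. 'key.txt' and 'lock.exe' are generic: weak signals alone.
DROPPED = {"key.txt", "расшифровать файлы.txt"}
PAYLOAD = "lock.exe"
# ASSUMPTION: the page does not give the exact spacing or case of the new name,
# so whitespace around the parentheses is optional and case is ignored.
RENAMED = re.compile(r"^encrypted\s*\((?P<orig>.+)\)\s*$", re.IGNORECASE)


def classify(path):
    """Return (indicator, detail) for one Windows path, or None if no match."""
    name = PureWindowsPath(path).name
    if name.lower() in DROPPED:
        return ("dropped_file", name)
    if name.lower() == PAYLOAD:
        return ("payload_name", name)
    m = RENAMED.match(name)
    if not m:
        return None
    orig = m.group("orig")
    # A targeted extension inside the parentheses raises confidence.
    targeted = PureWindowsPath(orig).suffix.lower() in TARGETED
    return ("renamed_targeted" if targeted else "renamed_other", orig)


def triage(paths):
    """Group matching paths by indicator type for an analyst's report."""
    report = {}
    for p in paths:
        hit = classify(p)
        if hit:
            report.setdefault(hit[0], []).append(p)
    return report


# Constructed sample listing (hypothetical user and paths, not real telemetry).
SAMPLE = [
    r"C:\Users\ivan\Documents\encrypted (budget.xlsx)",
    r"C:\Users\ivan\Documents\encrypted(notes.txt)",
    r"C:\Users\ivan\Desktop\Расшифровать файлы.txt",
    r"C:\Users\ivan\AppData\Local\Temp\lock.exe",
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host that shows 'renamed_targeted' hits together with the Russian-language note file is a much stronger match than one where only 'key.txt' or 'lock.exe' appears.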

The WannaCash Ransomware's Ransom Note

After encrypting the victim's files, the WannaCash Ransomware delivers a ransom note that demands a ransom payment from the victim. An approximate translation of the ransom note from Russian into English reads:

'Activity of [system version] is blocked
Access to the files and system has been blocked. Unlock Windows key and desktop.
All instances of files on the disk with the following extensions have been encrypted using AES-256 block cipher.
.doc .docx .xls .xlsx .xlst .ppt .pptx .rtf .pub .pps .ppsm .pot .pages .indd .odt .ods .pdf .zip .rar .7z .jpg .png .mp4 .mov .avi .mpeg .flv .psd .psb
The encryption is not final and can be reverted.
Fix:
Restoring, reinstalling Windows will lead to nothing. When you try to remove or disrupt the program, you take the risk of remaining with corrupted files.
------
Files
Yandex wallet [410017171730353] | Amount: 5000
------
We guarantee that you will be able to safely and easily restore all your files, as well as restore the previous state of the system.
1. Transfer the specified amount to the Yandex wallet. Choose cash or bank transfer.
2. After the successful transfer, click on the "I paid" button to check the crediting of funds. If the result is positive, the system will be unlocked automatically.
But we do not have much time. Every 10 minutes, defective files will be irrevocably deleted at random.'

The WannaCash Ransomware's associated ransom payment is approximately 80 USD when converted from Rubles. One aspect of the WannaCash Ransomware that stands out is the use of Yandex for payment, which requires real-world ID, making it possible for the criminals responsible for the WannaCash Ransomware to be identified. Computer users should not pay the WannaCash Ransomware ransom, however. Unfortunately, once the WannaCash Ransomware attack has been carried out, the damaged files cannot be recovered without the decryption key. This makes file backups the most effective insurance against ransomware threats, since they allow victims to replace any compromised files.
