WannaCryptor or WanaCrypt0r Ransomware

WannaCryptor or WanaCrypt0r Ransomware Description

The WanaCrypt0r Ransomware is an encryption Trojan that features a worm-like attack tactic. The WanaCrypt0r Ransomware is recognized as one of the most threatening and widespread encryption Trojans up until May 12th, 2017. On its first release into the wild, the WanaCrypt0r Ransomware managed to compromise hundreds of thousands of systems across one hundred and forty countries. The brunt of the attack was taken by PC users in Russia and the National Healthcare System in Great Britain. The Trojan managed to block access to most of the computers connected to the National Healthcare System, and nearly 70% of the cases that involve the WanaCrypt0r Ransomware are recorded in Russia. The WanaCrypt0r Ransomware is a standalone ransomware Trojan, which managed to infect vulnerable machines that run Windows XP and Windows Server 2003. The countries that suffered the most damage are the Russian Federation, Ukraine, India, Great Britain and Taiwan.

Who is Behind the Attack with the WanaCrypt0r Ransomware?

The malware authors behind the WanaCrypt0r Ransomware took advantage of a vulnerability that was discovered by the NSA and put up for sale by a group of hackers known as 'The Shadow Brokers.' The group wanted to sell a set of tools misappropriated from the NSA, but nobody wanted to buy their "products," so the group uploaded all available resources to the Internet. Evidently, the creators of the WanaCrypt0r found a vulnerability with the code CVE-2017-0145, a.k.a. 'EternalBlue,' which allows an attacker to send a specially crafted data packet to an SMB server and execute code on the receiving end. The attackers managed to install the 'DoublePulsar' Backdoor Trojan, which allowed them to introduce the WanaCrypt0r Ransomware to the compromised machine and to other computers that were connected to it.

Is the WanaCrypt0r Ransomware a Persistent Threat?

PC security researchers reported that the authors of the WanaCrypt0r Ransomware had released three versions, one after the other. Most encryption Trojans are not updated the same week they are released, but WanaCrypt0r proves that a determined team of hackers can distribute updates and patches comparatively fast. We have seen the Trojan use the names WannaCry, WanaCrypt0r, WCrypt and WCRY. The WanaCrypt0r Ransomware behaves like the infamous Cerber 6 Ransomware and scans the local data storage units for available files. The WanaCrypt0r Ransomware then connects to a 'Command and Control' server to report the infiltration and download a key set consisting of a private encryption key and a public decryption key. The threat is designed to use a customized AES-256 cipher to corrupt text, images, audio, video, presentations, spreadsheets and databases stored on the compromised device. Enciphered objects may feature the following extensions:

  • .WNCRY
  • .WRCY

For example, 'The impact of street lighting on months and disruption of nocturnal pollen transport.pptx' may be renamed to 'The impact of street lighting on months and disruption of nocturnal pollen transport.pptx.WNCRYPT'. The encryption may take a few hours on computers that are used for data storage, and thanks to its distribution mechanism, the WanaCrypt0r Ransomware might corrupt backups as well. You should note that the WanaCrypt0r Ransomware can terminate the processes of database managers like MySQL, Microsoft Exchange Server and OracleDB. The ransom note is presented in three forms: a TXT file named '@Please_Read_Me@.txt', a desktop wallpaper named '@WanaDecryptor@.bmp', and a program window titled 'Wana Decrypt0r 2.0'. The desktop wallpaper offers a brief explanation of why you can't load data on the device and reads:

'Ooops, your important files are encrypted.
If you see this text, but don't see the "Wana DecryptOr" window, then your antivirus removed the decrypt software or you deleted it from your computer.
If you need your files you have to run the decrypt software.
Please find an application file named "@WanaDecryptor@.exe" in any folder or restore from the antivirus quarantine.
Run and follow the instructions!'
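The file-system artifacts named above (the appended marker extensions, including the '.WNCRYPT' form from the rename example, and the ransom-note file names) lend themselves to a quick triage scan. The script below is an added example, not part of the original article or of any vendor tool; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article text (matched case-insensitively).
MARKER_EXTS = {".wncry", ".wrcy", ".wncrypt"}
NOTE_NAMES = {"@please_read_me@.txt", "@wanadecryptor@.bmp", "@wanadecryptor@.exe"}

def scan_tree(root):
    """Walk root and summarise WanaCrypt0r file-system artifacts per directory."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        renamed, notes, types = [], [], Counter()
        for name in files:
            p = Path(name)
            if name.lower() in NOTE_NAMES:
                notes.append(name)
            elif p.suffix.lower() in MARKER_EXTS:
                renamed.append(name)
                # The marker is appended, so the stem still carries the original type.
                types[Path(p.stem).suffix.lower() or "(none)"] += 1
        if renamed or notes:
            report[os.path.relpath(dirpath, root)] = {
                "renamed": sorted(renamed),
                "notes": sorted(notes),
                "original_types": dict(types),
                "total_files": len(files),
            }
    return report

def build_sample_tree(root):
    """Constructed sample data: empty files only, no malware content."""
    layout = {
        "docs": ["plan.pptx.WNCRYPT", "budget.xlsx.WNCRY", "@Please_Read_Me@.txt"],
        "photos": ["cat.jpg", "dog.jpg"],
        "db": ["orders.sql.WRCY", "@WanaDecryptor@.exe", "readme.md"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            Path(root, folder, n).touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in sorted(scan_tree(tmp).items()):
            print(folder, info)
```

Comparing `renamed` against `total_files` per directory shows how far encryption progressed in each location, and `original_types` shows which file types need to be restored from backup.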

You Might Have a Way to Avoid Paying

The program window 'Wana Decrypt0r 2.0' shows a countdown timer and urges the user to pay 300 USD via the Bitcoin digital currency to acquire the correct decryption key and initiate the decryption process. As of this writing, a little more than one hundred payments have been made to the wallet address associated with the WanaCrypt0r Ransomware. Given the scale of the attack, there may be more users who are willing to pay, since the WanaCrypt0r Ransomware may have deleted backups as well. However, the threat cannot corrupt and erase files that are stored on unmapped memory devices, and you should be able to use offsite backups to rebuild your data structure. Experts recommend that regular PC users and companies invest in offline and cloud-based backup storage for maximum protection against modern-day encryption Trojans. You should take into consideration that the WanaCrypt0r Ransomware is reported to target 166 types of files that include:

.123, .3dm, .3ds, .3g2, .3gp, .602, .accdb, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .csr, .csv, .dbf, .dch, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .iso, .jar, .java, .jpeg, .jpg, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf, .pem, .pfx, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rtf, .sch, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip.



  • dokido:

    Isn't it maybe possible to attack that ransom note where you put the key with brute-force so you get access free? That's just my idea though :/

  • yassibe:

    The WannaCryptor Ransomware is a ransomware Trojan that represents a real threat to the computer users’ data. Malware analysts believe that the WannaCryptor Ransomware belongs to a large family of ransomware Trojans known as ‘wcry.’ The WannaCryptor Ransomware is designed to encrypt the victims’ files using a strong encryption method. Then, after the victim’s files have become unusable, the WannaCryptor Ransomware delivers a ransom note demanding payment from the victim to get the decryption key. Malware researchers advise against paying the WannaCryptor Ransomware ransom.
