The WannaDie Ransomware is an encryption ransomware Trojan designed to take victims' files hostage with a strong encryption algorithm. It encrypts the victim's files and then demands a ransom payment in exchange for the decryption key. The WannaDie Ransomware is delivered through corrupted email attachments, typically Office documents carrying embedded macro scripts that download and install the WannaDie Ransomware on the victim's computer. Macros have legitimate uses, which is why they remain enabled in many environments, and cybercrooks take advantage of that to deliver threats like the WannaDie Ransomware to victims' computers.
How the WannaDie Ransomware can Affect a Computer
The WannaDie Ransomware is distributed under branding that imitates WannaCry, a well-known ransomware Trojan that received a large amount of publicity during its initial attacks because of the extent of the damage it caused. The WannaDie Ransomware is designed to target Russian speakers primarily. However, nothing prevents the WannaDie Ransomware from spreading to, or being used against, victims in other countries or who speak other languages. The WannaDie Ransomware was first observed on November 17, 2017. Despite its pretense of being a variant of the infamous WannaCry, the WannaDie Ransomware is actually a version of HiddenTear. HiddenTear is an open source ransomware project that has been responsible for countless encryption attacks; its variants are quite common and account for a large share of encryption Trojan infections. WannaDie Ransomware attacks can be recognized easily because the WannaDie Ransomware marks every file it encrypts by adding the file extension 'wndie' to its name.
The WannaDie Ransomware uses a combination of AES and RSA encryption to make the victim's files unusable (the usual pattern in this family is AES for the file contents and RSA to protect the AES key, so that the key cannot be recovered from the infected machine). The WannaDie Ransomware targets the user-generated files while leaving alone the Windows system files required for Windows to keep functioning, so that the infected computer remains usable enough to display the ransom note. The file types that may be encrypted in a WannaDie Ransomware attack include:
.1cd, .csv, .dat, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dt, .DT, .ged, .hbk, .htm, .html, .key, .keychain, .md, .pps, .ppt, .pptx, .sdf, .tar, .tax2014, .tax2015, .txt, .vcf, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml.
The WannaDie Ransomware's Ransom Demands
The WannaDie Ransomware delivers its ransom demands in a text document named 'ReadMe.txt,' which the WannaDie Ransomware drops on the infected computer's desktop. This ransom note contains a message written in Russian. An English translation of the WannaDie Ransomware's ransom note reads:
'Ooops, your important files are encrypted.
If you read this text, but do not see the window "Wanna die decrypt0r", then your antivirus has removed the decryptor. Disable antivirus software or remove it from your computer.'
More information can be found in the program window generated by the WannaDie Ransomware, which includes the following text:
'Files are encrypted, what should I do?
WHAT HAPPENED WITH MY COMPUTER?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer available, because they have been encrypted. Perhaps you are busy searching for a way to restore your files, but do not waste your time. No one can recover your files without our decryption service.'
The WannaDie Ransomware also displays its ransom note in a program window that gives the victim 24 hours to pay the ransom, which may amount to hundreds of Rubles, to be paid in Bitcoin to a specific Bitcoin wallet address. Paying the WannaDie Ransomware ransom is never a safe decision: there is no guarantee that the criminals will deliver a working decryptor. Instead, the WannaDie Ransomware should be removed with the help of a fully up-to-date security program. To keep your data safe from attacks like the WannaDie Ransomware, malware researchers advise keeping file backups in places the threat cannot reach, such as offline media or storage that is disconnected once the backup completes.
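The indicators described above (the 'wndie' marker extension, the targeted extension list, and the 'ReadMe.txt' note naming the "Wanna die decrypt0r" window) are enough to write a small triage script for an incident responder. The following is an added example written for this page; it is not code from the original write-up and not the malware's own code. It walks a directory tree, reports files already carrying the marker extension, files whose extension is on the targeted list but which have not been renamed, and any ransom note found. A Shannon-entropy check on the first 4 KiB separates genuinely AES-encrypted files from files that were merely renamed; the 7.0 bits-per-byte threshold and the sample directory tree are assumptions of this example, not figures from the article.

```python
"""Triage helper for a HiddenTear-style infection such as WannaDie.

Added example (not the article's or the malware's code). Assumptions:
  * the marker extension is appended to the full original name, e.g.
    'report.docx.wndie';
  * the note is named 'ReadMe.txt' and contains 'Wanna die decrypt0r';
  * an entropy of >= 7.0 bits/byte over the first 4 KiB indicates
    encrypted (near-uniform) content; plain documents score far lower.
"""
import json
import math
import os
import random
import tempfile
from pathlib import Path
from typing import Dict, List

MARKER_EXT = ".wndie"
NOTE_NAME = "ReadMe.txt"
NOTE_SIGNATURE = "Wanna die decrypt0r"   # window title quoted in the note
ENTROPY_THRESHOLD = 7.0                  # bits/byte, assumed for this example
SAMPLE_SIZE = 4096

# Extension list from the article, lower-cased and de-duplicated.
TARGETED_EXTS = frozenset(e.lower() for e in """
.1cd .csv .dat .doc .docb .docm .docx .dot .dotm .dotx .dt .ged .hbk .htm
.html .key .keychain .md .pps .ppt .pptx .sdf .tar .tax2014 .tax2015 .txt
.vcf .xlc .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml
""".split())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """True when the leading bytes are near-uniform, as AES output is."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_SIZE)) >= ENTROPY_THRESHOLD


def is_ransom_note(path: Path) -> bool:
    """Match the dropped note by file name and by the decryptor string inside."""
    if path.name.lower() != NOTE_NAME.lower():
        return False
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return False
    return NOTE_SIGNATURE.lower() in text.lower()


def triage(root: str) -> Dict[str, List[str]]:
    """Classify every file under `root`; paths are returned relative to it."""
    root_path = Path(root)
    report: Dict[str, List[str]] = {
        "encrypted": [],      # marker extension and high entropy
        "renamed_only": [],   # marker extension but low entropy: not encrypted
        "ransom_notes": [],
        "at_risk": [],        # targeted extension, no marker yet
    }
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            if is_ransom_note(p):          # checked first: the note is a .txt
                report["ransom_notes"].append(rel)
            elif p.suffix.lower() == MARKER_EXT:
                bucket = "encrypted" if looks_encrypted(p) else "renamed_only"
                report[bucket].append(rel)
            elif p.suffix.lower() in TARGETED_EXTS:
                report["at_risk"].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample data standing in for a victim's profile."""
    r = Path(root)
    (r / "Desktop").mkdir(parents=True, exist_ok=True)
    (r / "Documents").mkdir(parents=True, exist_ok=True)
    (r / "Desktop" / NOTE_NAME).write_text(
        "Ooops, your important files are encrypted.\n"
        'If you read this text, but do not see the window "Wanna die decrypt0r", '
        "then your antivirus has removed the decryptor.\n", encoding="utf-8")
    rng = random.Random(1234)            # seeded so the demo is repeatable
    (r / "Documents" / "report.docx.wndie").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(8192)))   # stands in for AES output
    (r / "Documents" / "notes.txt.wndie").write_bytes(b"A" * 8192)  # renamed only
    (r / "Documents" / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 100)
    (r / "Documents" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 100)  # not targeted


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real user profile, the 'at_risk' bucket is the list of files still worth copying to clean media before any cleanup or reboot, and a non-empty 'renamed_only' bucket is worth a closer look: if the encryptor was interrupted, those files may be intact under the marker extension.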