WannaPeace Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 10 |
| First Seen: | December 1, 2017 |
| Last Seen: | April 16, 2021 |
| OS(es) Affected: | Windows |
The WannaPeace Ransomware is an encryption ransomware Trojan that seems to target computer users in Brazil, as well as other Portuguese speakers. The WannaPeace Ransomware is typically delivered to victims through the use of corrupted spam email attachments, often in the form of corrupted files that take the form of fake invoices or updated terms of service. These email messages will often appear to come from legitimate senders, such as Amazon or PayPal.
Table of Contents
How the WannaPeace Ransomware Infects a Computer
The purpose of the WannaPeace Ransomware is to encrypt the victim's files, making them inaccessible to take them hostage. The WannaPeace Ransomware will encrypt a wide variety of user-generated files types, including the files with the following extensions:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
The WannaPeace Ransomware seems to have been created independently and does not seem to belong to a larger threat family or developed through an open source ransomware engine of some sort. The WannaPeace Ransomware will add the string '_enc' to the end of each affected file's name, as a way to mark the files encrypted by the WannaPeace Ransomware attack.
The WannaPeace Ransomware’s Ransom Note
The WannaPeace Ransomware demands its ransom payment by displaying a program window with the title '@AnonymousBr – WannaPeace' on the infected computer. The WannaPeace Ransomware's ransom note reads as follows:
'Desculpe.., seus arquivos foram encriptados!
Permita nos apresentar como Anonymous, e Anonymous apenas.
Nós somos uma idéia. Uma idéia que não pode ser contida. perseguida nem aprisionada.
Milhares de seres humanos estão nesse momento rufigiadce, feridos, com fome e sofrendo...
Todos como vítimas de uma guerra que não é nem mesmo deles!!!
Mas infelizmente apenas palavras não mudarão a situação desses seres humanos...
tt40 queremos os seus arquivos ou lhe pre:. _ma pequena contnbuição
Lembre-se.., contnbuindo você não vai estar apenas recuperando os seus arquivos...
...e sim *dando a recuperar a dignidade dessas vitimas...
Envie a sua contribuição de apenas: 0.08 Bitcoins para carteira/endereço abaixo.'
The WannaPeace Ransomware's ransom note's text translated from Portuguese into English reads:
'Sorry, your files have been encrypted!
Please refer to us as Anonymous, and Anonymous only.
We are an idea. An idea that can not be contained. persecuted or imprisoned.
Thousands of human beings are now killed, wounded, hungry and suffering ...
All as victims of a war that is not even theirs !!!
But unfortunately only words will not change the situation of these human beings ...
[YOUR ACCOUNT NAME] if you want your files back: make a contribution
Remember, by conniving you will not only be recovering your files ...
... and yes * giving to recover the dignity of these victims ...
Please send your contribution of only: 0.08 Bitcoins to wallet:
[RANDOM CHARCTERS]'
The WannaPeace Ransomware demands a ransom in Bitcoins that is equivalent to about 800 USD. However, this ransom shouldn't be paid because there may be nothing in return. Instead, the files affected by the attack should be restored from a backup copy. Because of this, having backup copies of your files is the best protection against the WannaPeace Ransomware and similar threats.
SpyHunter Detects & Remove WannaPeace Ransomware
File System Details
| # | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|---|
| 1. | 653bc2b16b1624e045c1225810185e9aa3694dc378fe0095e2052b7f1e265d01 | eefa6f98681d78b63f15d7e58934c6cc | 4 |
