Threat Database Ransomware WannaPeace Ransomware

WannaPeace Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 10
First Seen: December 1, 2017
Last Seen: April 16, 2021
OS(es) Affected: Windows

The WannaPeace Ransomware is an encryption ransomware Trojan that seems to target computer users in Brazil, as well as other Portuguese speakers. The WannaPeace Ransomware is typically delivered to victims through the use of corrupted spam email attachments, often in the form of corrupted files that take the form of fake invoices or updated terms of service. These email messages will often appear to come from legitimate senders, such as Amazon or PayPal.

How the WannaPeace Ransomware Infects a Computer

The purpose of the WannaPeace Ransomware is to encrypt the victim's files, making them inaccessible to take them hostage. The WannaPeace Ransomware will encrypt a wide variety of user-generated files types, including the files with the following extensions:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The WannaPeace Ransomware seems to have been created independently and does not seem to belong to a larger threat family or developed through an open source ransomware engine of some sort. The WannaPeace Ransomware will add the string '_enc' to the end of each affected file's name, as a way to mark the files encrypted by the WannaPeace Ransomware attack.

The WannaPeace Ransomware's Ransom Note

The WannaPeace Ransomware demands its ransom payment by displaying a program window with the title '@AnonymousBr – WannaPeace' on the infected computer. The WannaPeace Ransomware's ransom note reads as follows:

'Desculpe.., seus arquivos foram encriptados!
Permita nos apresentar como Anonymous, e Anonymous apenas.
Nós somos uma idéia. Uma idéia que não pode ser contida. perseguida nem aprisionada.
Milhares de seres humanos estão nesse momento rufigiadce, feridos, com fome e sofrendo...
Todos como vítimas de uma guerra que não é nem mesmo deles!!!
Mas infelizmente apenas palavras não mudarão a situação desses seres humanos...
tt40 queremos os seus arquivos ou lhe pre:. _ma pequena contnbuição
Lembre-se.., contnbuindo você não vai estar apenas recuperando os seus arquivos...
...e sim *dando a recuperar a dignidade dessas vitimas...
Envie a sua contribuição de apenas: 0.08 Bitcoins para carteira/endereço abaixo.'

The WannaPeace Ransomware's ransom note's text translated from Portuguese into English reads:

'Sorry, your files have been encrypted!
Please refer to us as Anonymous, and Anonymous only.
We are an idea. An idea that can not be contained. persecuted or imprisoned.
Thousands of human beings are now killed, wounded, hungry and suffering ...
All as victims of a war that is not even theirs !!!
But unfortunately only words will not change the situation of these human beings ...
[YOUR ACCOUNT NAME] if you want your files back: make a contribution
Remember, by conniving you will not only be recovering your files ...
... and yes * giving to recover the dignity of these victims ...
Please send your contribution of only: 0.08 Bitcoins to wallet:

The WannaPeace Ransomware demands a ransom in Bitcoins that is equivalent to about 800 USD. However, this ransom shouldn't be paid because there may be nothing in return. Instead, the files affected by the attack should be restored from a backup copy. Because of this, having backup copies of your files is the best protection against the WannaPeace Ransomware and similar threats.

SpyHunter Detects & Remove WannaPeace Ransomware

File System Details

WannaPeace Ransomware may create the following file(s):
# File Name MD5 Detections
1. 653bc2b16b1624e045c1225810185e9aa3694dc378fe0095e2052b7f1e265d01 eefa6f98681d78b63f15d7e58934c6cc 4


Most Viewed