WannaSmile Ransomware
Threat Scorecard
Ranking: 13,475
Threat Level: 80 % (High)
Infected Computers: 146
First Seen: September 29, 2021
Last Seen: September 19, 2023
OS(es) Affected: Windows
The WannaSmile Ransomware is an encryption ransomware Trojan that was first observed on November 16, 2017. The WannaSmile Ransomware is a variant of zCrypt and appears to be targeted at computer users in Farsi-speaking regions. Variants of the WannaSmile Ransomware have been traced back to June 2016, and the WannaSmile Ransomware is just the latest in a family of threats that has been used to target computer users. The WannaSmile Ransomware is delivered to victims through spam email messages that include corrupted email attachments or embedded links. When the victim opens the attached or embedded content, the WannaSmile Ransomware is downloaded and installed on the victim's computer.
The Smile that will Never Appear on Affected Computer Users
The WannaSmile Ransomware, like most ransomware Trojans, is designed to encrypt the victim's files using a strong encryption method. This essentially allows the WannaSmile Ransomware to take the victim's files hostage. The victim is then forced to pay a large ransom in exchange for the decryption key needed to restore the affected files. The files encrypted in a WannaSmile Ransomware attack are marked with the file extension '.Wsmile'. The WannaSmile Ransomware's name seems to be a reference to the WannaCry Ransomware Trojan, which received quite a bit of attention due to the high number of victims of this attack. However, there is no connection between the WannaSmile Ransomware and WannaCry.
The WannaSmile Ransomware's Ransom Demand
The WannaSmile Ransomware delivers its ransom note after encrypting the victim's files. To do this, the WannaSmile Ransomware changes the infected computer's desktop image to a black screen with text written in Farsi. The WannaSmile Ransomware also drops a file named 'How to decrypt files.html' on the infected computer's desktop. The full text of the WannaSmile Ransomware's ransom notes and messages in the original Farsi reads:
'WARNING!
سیستم شما به ویروس و باج افزارWannaSmile آلوده شده است؛ تمامی فایل های مهم شما از جمله دیتابیس ها
فایل های بک آپ و ... توسط الگوریتم های پیچیده رمزنگاری شده است؛
بنابراین شما امکان دسترسی به فایل ها را نخواهید داشت زیرا الگوریتم رمزنگاری مورد نظر تنها توسط ما قابل رمزگشایی
درصورتیکه طی مدت حداکثر 5 روز پس از آلوده شدن مبلغ مورد نظر به حساب بیت کوین ما واریز نشود، روزانه مبلغ 1 بیت کوین به مبلغ اصلی (20 بیت کوین) اضافه میگردد.
تو ی باشد. شما می بایست برای رمزگشایی فایلهای خود مبلغ 20 بیت کوین را به آدرس زیر ارسال کنید:
1KvmWVRxqw8HeFpR2tHBaoTJiTczU7PRzw
و به محض پرداخت موفقیت آمیز بیت کوین حتما از طریق ایمیل wannasmile@tuta.io به ما اعلام کنید تا یک فایل برای شما ارسال گردد که توسط آن می توانید کل فایل ها و سیستم های آلوده را به حالت اولیه باز گردانید.
جهت خرید بیت کوین می توانید از طریق یکی از صرافی های زیر اقدام نمایید
www.exchanging.ir
www.payment24.ir
www.farhadexchange.net
www.digiarz.com'
The WannaSmile Ransomware ransom note translated into English reads:
'WARNING!
Your system is infected with the WannaSmile virus and ransomware; all your important files, including databases and backups, are encrypted with complex encryption algorithms, so you will not be able to access the files, which only we can decrypt.
If the amount is not paid into our Bitcoin account within a maximum of 5 days after infection, 1 bitcoin will be added daily to the original amount (20 bitcoins).
To decrypt your files, you must send 20 bitcoins to the following address:
[RANDOM CHARACTERS]
And once you have paid, be sure to notify us by email at wannasmile@tuta.io so we can send you a file with which you can restore all the files and infected systems to their original state.
You can buy bitcoins on one of the following currency exchangers:
[links to Bitcoin markets]'
The WannaSmile Ransomware demands a staggering amount, 20 Bitcoins, which is nearly 200,000 USD at the current exchange rate. Computer users are counseled to disregard the WannaSmile Ransomware ransom message and take precautions to ensure that their data is safe from the WannaSmile Ransomware and other encryption ransomware Trojans.
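The two file-system indicators described above (the '.Wsmile' extension and the 'How to decrypt files.html' note) can be swept for during triage. The following is an added example, not code from this page or its publisher; case-insensitive matching, the function names and the sample tree are assumptions made for the illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".wsmile"             # extension named on this page
NOTE_NAME = "how to decrypt files.html"  # ransom note file named on this page


def sweep(root):
    """Walk root and summarise WannaSmile file-system indicators (read-only)."""
    per_dir = Counter()   # directory -> number of files carrying the extension
    notes = []            # paths of ransom-note files
    earliest = None       # oldest mtime among marked files
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = Path(dirpath) / name
            lowered = name.lower()  # assumption: match case-insensitively
            if lowered == NOTE_NAME:
                notes.append(str(path))
            elif lowered.endswith(ENCRYPTED_SUFFIX):
                per_dir[dirpath] += 1
                try:
                    mtime = path.stat().st_mtime
                except OSError:
                    continue  # file vanished or unreadable; keep going
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {"encrypted_total": sum(per_dir.values()),
            "dirs": dict(per_dir), "notes": notes, "earliest_mtime": earliest}


def build_sample_tree(base):
    """Constructed sample data: a fake user profile with marked files."""
    desktop = Path(base) / "Users" / "alice" / "Desktop"
    docs = Path(base) / "Users" / "alice" / "Documents"
    desktop.mkdir(parents=True)
    docs.mkdir(parents=True)
    (desktop / "How to decrypt files.html").write_text("constructed note")
    (docs / "budget.xlsx.Wsmile").write_bytes(b"\x00" * 16)
    (docs / "db_backup.bak.WSMILE").write_bytes(b"\x00" * 16)
    (docs / "untouched.txt").write_text("clean file")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(sweep(build_sample_tree(tmp)))
```

The per-directory counts show how far encryption spread, and the earliest modification time among marked files gives a starting point for the incident timeline.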