WannaSmile Ransomware

WannaSmile Ransomware Description

Type: Trojan

The WannaSmile Ransomware is an encryption ransomware Trojan that was first observed on November 16, 2017. The WannaSmile Ransomware is a variant of zCrypt and appears to target computer users in Farsi-speaking regions. Variants of the WannaSmile Ransomware have been traced back to June 2016, and the WannaSmile Ransomware is just the latest in a family of threats that has been used to target computer users. The WannaSmile Ransomware is delivered to victims through spam email messages that include corrupted email attachments or embedded links. When the victim opens the attached or embedded content, the WannaSmile Ransomware is downloaded and installed on the victim's computer.

The Smile that will Never Appear on Affected Computer Users

The WannaSmile Ransomware, like most ransomware Trojans, is designed to encrypt the victim's files using a strong encryption method. This essentially allows the WannaSmile Ransomware to take the victim's files hostage. The victim then is forced to pay a large ransom in exchange for the decryption key needed to restore the affected files. The files encrypted by the WannaSmile Ransomware attack are marked with the file extension '.Wsmile.' The WannaSmile Ransomware's name seems to be a reference to the WannaCry Ransomware Trojan, which received quite a bit of attention due to the high number of victims of this attack. However, there is no connection between the WannaSmile Ransomware and WannaCry.

The WannaSmile Ransomware's Ransom Demand

The WannaSmile Ransomware delivers its ransom note after encrypting the victim's files. To do this, the WannaSmile Ransomware changes the infected computer's desktop image to a black screen with text written in Farsi. The WannaSmile Ransomware also drops a file named 'How to decrypt files.html' on the infected computer's desktop. The full text of the WannaSmile Ransomware's ransom notes and messages in the original Farsi reads:

سیستم شما به ویروس و باج افزارWannaSmile آلوده شده است؛ تمامی فایل های مهم شما از جمله دیتابیس ها
فایل های بک آپ و ... توسط الگوریتم های پیچیده رمزنگاری شده است؛
بنابراین شما امکان دسترسی به فایل ها را نخواهید داشت زیرا الگوریتم رمزنگاری مورد نظر تنها توسط ما قابل رمزگشایی
درصورتیکه طی مدت حداکثر 5 روز پس از آلوده شدن مبلغ مورد نظر به حساب بیت کوین ما واریز نشود، روزانه مبلغ 1 بیت کوین به مبلغ اصلی (20 بیت کوین) اضافه میگردد.
تو ی باشد. شما می بایست برای رمزگشایی فایلهای خود مبلغ 20 بیت کوین را به آدرس زیر ارسال کنید:
و به محض پرداخت موفقیت آمیز بیت کوین حتما از طریق ایمیل wannasmile@tuta.io به ما اعلام کنید تا یک فایل برای شما ارسال گردد که توسط آن می توانید کل فایل ها و سیستم های آلوده را به حالت اولیه باز گردانید.
جهت خرید بیت کوین می توانید از طریق یکی از صرافی های زیر اقدام نمایید
www.exchanging ir

The WannaSmile Ransomware ransom note translated into English reads:

Your system is infected with the WannaSmile Ransomware virus, all your important files, including databases and backups, are encrypted with complex encryption algorithms, so you will not be able to access files, only we can decrypt.
In the event that we do not receive a fee for our bitcoin-purse a maximum of 5 days after infection, then 1 bitcoin will be added daily to the original amount (20 bitcoins).
You must pay an amount of 20 bitcoins to decrypt your files at the following address:
And once you pay, do not forget to send us an email to wannasmile@tuta.io so we can send you a file from which you can restore all the files and infected systems to their original state.
You can buy bitcoins on one of the following currency exchangers:
[links to Bitcoin markets]

The WannaSmile Ransomware demands a staggering amount, 20 Bitcoins, which is nearly 200,000 USD at the current exchange rate. Computer users are counseled to disregard the WannaSmile Ransomware ransom message and take precautions to ensure that their data is safe from the WannaSmile Ransomware and other encryption ransomware Trojans.
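
The two file-system traces named above, the '.Wsmile' extension and the 'How to decrypt files.html' note, can be swept for when triaging a suspect machine or file share. The Python script below is an added example, not code from the original article; its function names and the sample directory tree are constructed for illustration, and treating the earliest modification time as the start of encryption is an assumption.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Indicators taken from the article; both are compared case-insensitively.
ENCRYPTED_EXT = ".wsmile"
RANSOM_NOTE = "how to decrypt files.html"

def scan_for_wannasmile(root):
    """Walk root and summarise WannaSmile file-system indicators."""
    encrypted, notes, mtimes, per_dir = [], [], [], Counter()
    # onerror: skip unreadable directories instead of aborting the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[dirpath] += 1
                try:
                    mtimes.append(os.path.getmtime(path))
                except OSError:
                    pass  # locked or vanished; the hit is still recorded
    first = min(mtimes, default=None)
    return {
        "encrypted": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "per_directory": dict(per_dir),
        # Assumption: earliest mtime approximates when encryption began.
        "first_seen_utc": (datetime.fromtimestamp(first, timezone.utc)
                           if first is not None else None),
    }

def build_sample_tree(base):
    """Constructed sample data: two marked files, one note, one clean file."""
    for rel in ("Desktop/How to decrypt files.html", "Documents/db.bak.Wsmile",
                "Documents/report.docx.WSMILE", "Documents/notes.txt"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_for_wannasmile(tmp))
```

The per-directory counts show how far the encryption spread, which helps decide which backups to restore first.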
