WantMoney Ransomware

WantMoney Ransomware Description

Type: Ransomware

The WantMoney Ransomware is an encryption ransomware Trojan that was observed on December 4, 2017. The WantMoney Ransomware may be delivered to victims through the use of spam email messages, which are posed as legitimate messages from well-known companies such as Facebook, Amazon or PayPal. These email messages will contain a corrupted file attachment in the form of a Microsoft Word document with bad macro scripts that download and install the WantMoney Ransomware onto the victim's machine. The WantMoney Ransomware's purpose is to infect the victims' computers and encrypt the victim's data with a strong encryption algorithm. This makes the files inaccessible, enabling the WantMoney Ransomware to demand a ransom payment in exchange for the decryption key that the victims will need to get back their files.

When Someone Wants Other People's Money

The WantMoney Ransomware will use a combination of AES and RSA encryption to make the victim's files completely inaccessible by its attack, making it impossible with current technology to restore files if one does not have the decryption key. The WantMoney Ransomware targets the user-generated files, which may include media files and a wide variety of document formats. The file types of files that attacks like the WantMoney Ransomware will target in their attacks include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The WantMoney Ransomware will rename the files it encrypts, following the pattern below:

[5 random chars]-[5 random chars]-[5 random chars]-[5 random chars].Encrypted[B32588601@163.com].WantMoney2

This makes it uncomplicated to know which files have been encrypted by the WantMoney Ransomware attack.

The WantMoney Ransomware's Ransom Demand

The WantMoney Ransomware will demand a ransom payment, asking victims to communicate with its perpetrators via the email address 'B32588601@163.com' and pay a ransom of 0.1 Bitcoin, nearly 1,000 USD at the current exchange rate. The WantMoney Ransomware delivers its ransom note in the form of a text file named '_Want Money_.txt' that is dropped on the infected computer's desktop. The WantMoney Ransomware also will replace the infected computer's desktop image with the file '_Want Money_.bmp.' Apart from these two, the WantMoney Ransomware also will create a program window named 'Want Money Ransomware.' The WantMoney Ransomware's ransom notes all contain the following message for the victim:

'Can not find the file you need?
Can not open your file?
Do not worry, all your files are only encrypted by "Want Money Ransomware."
Want to retrieve all your files? You only have to pay a small fee
Send 0.1 bitcoins to the following address:
[RANDOM CHARACTERS]
After payment send e-mail to the specified e-mail address
E-mail address: B32588601@163.com
Mail title: Request to decrypt
E-mail content: Your ID + your payment information
After sending you will get a reply, reply to the message contains the Key, please enter in the input box to decrypt the file.
What is Bitcoin? Please go to Baidu or Google search for details
There are more questions? Please contact email: B32588601@163.com
note! Please do not modify the file after the stop, or the file will not be restored, try not to restart the system.'

Affected computer users should ignore the instructions in the WantMoney Ransomware's ransom note and take preemptive measures to ensure that their data is safe.

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.