WantMoney Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: December 5, 2017
Last Seen: August 13, 2018
OS(es) Affected: Windows

The WantMoney Ransomware is an encryption ransomware Trojan that was observed on December 4, 2017. The WantMoney Ransomware may be delivered to victims through spam email messages that pose as legitimate messages from well-known companies such as Facebook, Amazon or PayPal. These email messages contain a malicious file attachment in the form of a Microsoft Word document with malicious macro scripts that download and install the WantMoney Ransomware onto the victim's machine. The WantMoney Ransomware's purpose is to infect victims' computers and encrypt their data with a strong encryption algorithm. This makes the files inaccessible, enabling the WantMoney Ransomware to demand a ransom payment in exchange for the decryption key that victims need to get their files back.

When Someone Wants Other People's Money

The WantMoney Ransomware uses a combination of AES and RSA encryption to make the victim's files completely inaccessible; with current technology, it is impossible to restore the files without the decryption key. The WantMoney Ransomware targets user-generated files, which may include media files and a wide variety of document formats. The file types that attacks like the WantMoney Ransomware target include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The WantMoney Ransomware will rename the files it encrypts, following the pattern below:

[5 random chars]-[5 random chars]-[5 random chars]-[5 random chars].Encrypted[B32588601@163.com].WantMoney2

This makes it easy to identify which files have been encrypted by the WantMoney Ransomware attack.

The WantMoney Ransomware's Ransom Demand

The WantMoney Ransomware demands a ransom payment, asking victims to communicate with its perpetrators via the email address 'B32588601@163.com' and pay a ransom of 0.1 Bitcoin, nearly 1,000 USD at the current exchange rate. The WantMoney Ransomware delivers its ransom note in the form of a text file named '_Want Money_.txt' that is dropped on the infected computer's desktop. The WantMoney Ransomware also replaces the infected computer's desktop image with the file '_Want Money_.bmp'. Apart from these two, the WantMoney Ransomware also creates a program window named 'Want Money Ransomware'. The WantMoney Ransomware's ransom notes all contain the following message for the victim:

'Can not find the file you need?
Can not open your file?
Do not worry, all your files are only encrypted by "Want Money Ransomware."
Want to retrieve all your files? You only have to pay a small fee
Send 0.1 bitcoins to the following address:
[RANDOM CHARACTERS]
After payment send e-mail to the specified e-mail address
E-mail address: B32588601@163.com
Mail title: Request to decrypt
E-mail content: Your ID + your payment information
After sending you will get a reply, reply to the message contains the Key, please enter in the input box to decrypt the file.
What is Bitcoin? Please go to Baidu or Google search for details
There are more questions? Please contact email: B32588601@163.com
note! Please do not modify the file after the stop, or the file will not be restored, try not to restart the system.'

Affected computer users should ignore the instructions in the WantMoney Ransomware's ransom note and take preemptive measures to ensure that their data is safe.
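
To scope an infection using the indicators described above (the rename pattern and the '_Want Money_' note and wallpaper file names), a triage script can walk a directory tree and count matches per folder. This is an added example, not code from the original article; the article does not say which characters the "random chars" can be, so the pattern assumes any characters other than path separators, and the sample file names are constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Rename pattern from the article. Assumption: the "random chars" can be any
# characters other than path separators, since the article gives no alphabet.
RENAMED = re.compile(
    r"[^/\\]{5}(?:-[^/\\]{5}){3}\.Encrypted\[B32588601@163\.com\]\.WantMoney2",
    re.IGNORECASE)
# Ransom note and wallpaper file names from the article (compared lowercased).
NOTE_NAMES = {"_want money_.txt", "_want money_.bmp"}

def classify(name):
    """Return 'encrypted', 'note' or None for a bare file name."""
    if RENAMED.fullmatch(name):
        return "encrypted"
    return "note" if name.lower() in NOTE_NAMES else None

def scan(root):
    """Walk root; return (encrypted-file count per directory, note paths)."""
    encrypted = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind == "encrypted":
                encrypted[dirpath] += 1
            elif kind == "note":
                notes.append(os.path.join(dirpath, name))
    return encrypted, sorted(notes)

def demo():
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        samples = [  # constructed file names, not real samples
            "aB3dE-fG7hI-jK1lM-nO5pQ.Encrypted[B32588601@163.com].WantMoney2",
            "report.docx",  # untouched file
            "short-name.Encrypted[B32588601@163.com].WantMoney2",  # wrong shape
            "_Want Money_.txt",
        ]
        for name in samples:
            open(os.path.join(docs, name), "w").close()
        encrypted, notes = scan(root)
        return sum(encrypted.values()), [os.path.basename(n) for n in notes]

if __name__ == "__main__":
    print(demo())
```

The per-directory counts returned by `scan` show which folders were hit, which helps decide what to restore from backup.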