WhyCry Ransomware

PC security researchers first observed the WhyCry Ransomware on June 13, 2017. The WhyCry Ransomware was observed in the wild, being distributed through the use of documents that use compromised macros to download and install the WhyCry Ransomware onto the victim's computer. These documents were being delivered by spam email messages that use social engineering techniques to trick computer users into downloading and installing the WhyCry Ransomware onto their computers. The WhyCry Ransomware is a low-level ransomware variant that is the work of amateurs clearly, probably compiled by copying and pasting portions of code from other sources rather than through a real development process. It is likely that the WhyCry Ransomware was largely derived from the Haters Ransomware and its variants, first observed in May 2017.

There's a Lot of Motives to Cry When Infected by the WhyCry Ransomware

The WhyCry Ransomware attack seems to follow the typical steps involved in the Haters Ransomware attack. First, the WhyCry Ransomware will search the victim's files for certain file types, matching certain file extensions. While most ransomware Trojans target hundreds of file types, the WhyCry Ransomware seems to encrypt only eight file types: .avi, .doc, .exe, .gif, .mp3, .pdf, .rar and .txt. Unfortunately, these file types are quite used commonly, and most computer users will have numerous files of these types on their computers. After determining which files to affect, the WhyCry Ransomware will encrypt them using its encryption algorithm and then mark the affected files with the file extension '.whycry,' which is added to the end of each file's name. Once the WhyCry Ransomware finishes encrypting the files, it will deliver a message, which serves as a ransom note, which demands the payment of a ransom in exchange for the decryption key needed to recover the affected files. The WhyCry Ransomware displays its ransom note as a full-screen window, which prevents victims from accessing their desktops. The contents of the WhyCry Ransomware ransom note are displayed below:

'Attention!!! All Your Files are Encrypted by Why-Cry
Warning: Do not turn off your Computer!! You will loose all your files! If you want to Decrypt your files follow these simple steps:
1). Create BitcoinWallet here: h[tt]ps://blockchain[.]info/
2). Buy Bitcoins worth of $300.
3). Send $300 in Bitcoin to Given Address Below!
4). You will get your Decryption Key after you pay $300 in Bitcoin.
5). The Decryption Key will pop up on the left side automatically. We are more advance than others.
6). Enter it in Given Box and Click on Decrypt.
7). After clicking on Decrypt the files will start decrypting in background. 8 BitCoin Address: 1NgnRmq7eYeMR5BRr7tVR3fD3xmWwC6bVj /e
9). You will aet all of your files safely.
Enter Deaypt,on Key Here.
[TEXT BOX] Decrypt
All files have been Encrypted by Why-Cry! Don't close the PC otherwise, I wont be responsible if your files dont decrypt. If you close your PC this screen will be removed. And you will not be able to Decrypt files back!!!'

After the victims pay the ransom, the WhyCry Ransomware will display the following message:

'Wait!!!Files are being Decrypted!
Your Files Have Been Successfully Decrypted!!!'

However, the WhyCry Ransomware is implemented poorly and, in most cases, the WhyCry Ransomware will not be capable of restoring the victim's files to normal.

Dealing with a WhyCry Ransomware Infection

PC security analysts suspect that it will be possible to release a decryption program to help victims of the WhyCry Ransomware recover from an attack eventually. However, it is not possible to do so currently. This is why PC users should take steps to protect their data. The best protection against the WhyCry Ransomware and other encryption ransomware Trojans backup all files. If PC users have backup copies of their files, then they can recover from a WhyCry Ransomware attack immediately by restoring the affected files from their copies.