AutoWannaCryV2 Virus – Remove and Restore .wannacryv2 Files

AutoWannaCryV2 Virus – Remove and Restore .wannacryv2 Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

AutoWannaCryV2 Virus image ransomware note .wannacryv2 extension

The AutoWannaCryV2 Virus is a test release ransomware targeting English-speaking users on a global scale. The currently released samples of it are early versions that may be updated in further iterations. Refer to our in-depth article for a technical analysis and full removal instructions.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .wannacryv2 extensions and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by AutoWannaCryV2


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss AutoWannaCryV2.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

AutoWannaCryV2 Virus – Distribution Ways

The AutoWannaCryV2 virus is a new ransomware threat that has been detected in the end of July this year. According to the available reports it seeks to primarily target English-speaking users from around the world.

At this point the number of captured samples is low and this does not give out the main delivery method. The hackers behind the AutoWannaCryV2 virus can use all available methods in order to spread the danger.

One of the common tactics is the creation and coordination of email phishing campaigns. They send bulk messages in a SPAM like manner containing web elements taken from various well-known companies or services. The criminals seek to confuse the users into thinking that they have received a legitimate message. The AutoWannaCryV2 virus is usually embedded somewhere in the body contents or directly attached to these fake notification messages.

Another mechanism is the distribution of fake download sites, they attempt to mimic real-world services and portals that are frequently visited by computer users. Along with the emails they are the most popular choice for spreading infected payloads:

  • Infected Documents — The criminals can leverage documents of various types (presentations, rich text files, spreadsheets) with the virus code. Once the files are downloaded and run by the victim users a notification pop-up message will be presented which prompts them to enable the built-in scripts. As soon as this is done the infection will follow.
  • Installers — The same strategy can be applied to application setup packages. The hackers take the installers of famous software from the vendor official sites and bundle them with the ransomware dropper code. The users will have no clue that they are installing the virus as the application guides them through the usual setup steps.

Another dangerous scenario is the inclusion of the virus code in browser hijackers — they represent malicious browser extensions that are usually spread on the associated plugin repositories. They are advertised as useful plugin additions and makes use of fake developer credentials and user reviews.

AutoWannaCryV2 Virus – In-Depth Analysis

The AutoWannaCryV2 virus has undergone a basic security scan that shows that it is descendant from the AutoIt ransomware family. This is a common threat type that uses scripting languages and builders in order to program the virus’s operations.

The fact that the virus is written using this technology makes it very easy for the hackers to customize the behavior patterns.

An example customized version of the AutoWannaCryV2 virus can begin with a data harvesting module. It is configured to extract sensitive data about the users and their computers. This includes personally identifiable information that can be used to directly expose the victim’s identity. This includes their name, address, phone number, location, interests and passwords. Another type of data that can be acquired is information related to the campaign optimization metrics. This is a collection of information that is used to optimize the attacks and consists of information about the installed hardware components and certain operating system values.

This data can then be used by the stealth protection module which can protect the virus engine from security software. This is done by scanning the local system for signatures of anti-virus programs, debuggers and other applications that can intefere with the ransomware’s correct execution. This can result in the blocking of the real-time engines or the deletion of the program altogether.

As soon as this is done the threat may continue with further system changes. A list of some of the possible actions can include any of the following:

  • Windows Registry Changes — The malicious engine can proceed with modifications to the Windows Registry. If they target the entries belonging to the operating system then the overall performance may drop. If individual applications are affected then certain functions may stop working properly.
  • Persistent Installation — The AutoWannaCryV2 virus can be installed in a persistent way. This means that it will modify the boot options by disabling the ability to enter into the recovery boot menu. The threat will be automatically started once the computer is booted.
  • Trojan Component — In certain cases a Trojan component can be installed and started. The most common type is the use of a hacker-controlled server which is used by the controllers. By connecting to it the criminal operator will have access to the victim system’s files. In addition this option allows the hackers to spy on the victims in real time.
  • Additional Virus Installaton — The AutoWannaCryV2 virus infection can be used to deploy additional threats to the infected computers.

Other modifications can be addded at any given time by the hackers. Advanced ransomware can contact the hacker-controlled server in order to acquire newer modules.

AutoWannaCryV2 Virus — Encryption

Once all prior tasks have complete the AutoWannaCryV2 virus will launch the ransomware module. Like other similar AutoIt-based it uses a built-in list of target file type extensions. Typically they include the most popular file types:

  • Archives
  • Documents
  • Backups
  • Images
  • Documents
  • Videos

All affected files are renamed with the .wannacryv2 extension. Instead of a ransomware note it launches a pop-up message reading the:

All your files encrypted! By wannacryV2
Spent time on encryption: 318 seconds

The ransomware engine drops an executable program called wanna cry v2 decryptor.exe that servers as the decryption tool. The sample versions distributed by the hackers can be made into unlocking the victim files with the “123qe” string.

Remove AutoWannaCryV2 Ransomware Virus and Restore .wannacryv2 Files

If your computer got infected with the AutoWannaCryV2 ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share