Remove WoodMan Ransomware – Restore Data
THREAT REMOVAL

Remove WoodMan Ransomware – Restore Data

This article will aid you in removing the WoodMan ransomware absolutely. Follow the ransomware removal instructions provided at the bottom of the article.

WoodMan ransomware is a virus. The virus is with screen-locking capabilities and its name is also present in its payload dropper – “Wood Man.exe”. The ransom message that pops up afterward is written in the English language. The picture used in the ransom note is used from the game “Indiana Woodman And The Temple of Nice” Your computer will become inaccessible unless you type the correct unlock code. Continue to read down below to see how you could try to potentially restore some of your data files.

Threat Summary

NameWoodMan
TypeRansomware, Virus
Short DescriptionThe ransomware is unknown if encrypts files or not, but it is a definite possibility, especially if you enter the wrong unlock code. This virus demands you to enter the correct unlock password, or else.
SymptomsThe virus is of the screenlocker variety. No matter if it encrypts or not now, it will still show a ransom note if you get your computer infected, making the screen and PC inaccessible.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by WoodMan

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss WoodMan.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

WoodMan Ransomware – Delivery Ways

WoodMan ransomware could be delivered in more than one way. However, the way that is the most widespread is via a payload dropper file which initiates the malicious script for the ransomware. A sample has been spotted by malware researchers and you can preview its analysis available on the VirusTotal service from down below:

The WoodMan ransomware might be using other ways to deliver the payload file, such as social media and file-sharing sites. Freeware applications found on the Internet could be promoted as helpful but also could hide the malicious script for this virus. Before opening any files after you have downloaded them, you should instead scan them with a security program. Especially if they come from suspicious places, such as emails or links. Also, don’t forget to check the size and signatures of such files for anything that seems out of place. You should read the tips for ransomware prevention provided in the corresponding forum section.

WoodMan Ransomware – Detailed Information

The WoodMan ransomware is a virus, which has been recently discovered by the malware researcher Karsten Hahn. Although the virus is of the screenlocker variety, it will still show a ransom note demanding payment. WoodMan ransomware will pop up a window that serves as a ransom note with instructions that is actually a screen locking your computer and blocking access to your files.

The WoodMan ransomware could be set to make new registry entries in the Windows Registry to achieve a higher level of persistence. Those entries are usually designed in a way that will start the virus automatically with every launch of the Windows Operating System, like in the example given below:

→“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”

The ransom message will load up as a screenlocking image and it can be seen right here below:

The picture on that screen is taken from the game “Indiana Woodman And The Temple of Nice”. The message on it states the following:

Your Computer have been infected by a meme!
To unlock your computer you must put in a nice lol password
get it wrong YOUR FIRED!
|
Make my computer nice again!

There is no ransom sum that is demanded as payment for allegedly restoring access to your computer. Instead, you are asked to enter the right password to unlock everything, but you should be careful. Entering the wrong code might deem your data corrupted. As the virus doesn’t necessarily lock your files themselves but just the access to them, it is removable.

WoodMan Ransomware – Encryption Process

There is no official list with file extensions that the WoodMan ransomware seeks to encrypt and the article will be duly updated if there are changes regarding that. Encryption doesn’t seem to be present in some variants of the ransomware. The virus might still be in-development and the encryption feature might be added in the near future.

You can preview a list with file extensions that the WoodMan ransomware probably seeks to encrypt:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

Those files are the most commonly-used ones for most Windows users, which is why the list could be on-point.

To remove the lock on your screen and get the ransom message window down, all you have to do is type the following password unlock code:

mm2wood.mid

Beware, as there is a legitimate possibility of your files getting broken, if you enter the code wrong.

The WoodMan cryptovirus is more than likely to erase the Shadow Volume Copies from the Windows Operating System by executing the following command:

→vssadmin.exe delete shadows /all /Quiet

If the above-stated command is inputted into the command prompt of the Windows operating system, that will make the encryption process more effective, as one of the main ways for file recovery will be gone. Keep on reading to find out what methods you can try out to potentially restore some of your files.

Remove WoodMan Ransomware and Restore Files

If your computer got infected with the WoodMan ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Avatar

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...