Wanna Decryptor (WannaCry) Ransomware - Update June 2017

Wanna Decryptor (WannaCry) Ransomware (Restore Files)

Article created to demonstrate how to remove Wanna Decryptor (WannaCry) ransomware and restore files encrypted via AES and RSA encryption algorithm.

“Oops, your important files are encrypted” is what the victims of the Wanna Decryptor WannaCry virus see after their computers are infected by this virus. Once this has happened, the ransomware infection begins to append encryption algorithms and make the documents on the affected computers no longer readable. After this has happened, !Please Read Me!.txt file is dropped onto the computer of the user which aims to get victims to download a decryptor from a dropbox account. Then, the decryptor demands 300$ in BTC payoff to get the data back. In case you have become a victim of the Wanna Decryptor threat, we recommend reading this article carefully.

Update June 2017! New ransomware outbreak inspired by the WannaCry ransomware, also using “Oops your important files have been encrypted” has been detected. The virus is a modified version of Petya ransomware. More information can be found on this web link.

Threat Summary


Wanna Decryptor

Short DescriptionThe malware encrypts users files using AES and RSA encryption ciphers, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions”, called !Please Read Me!.txt linking to contacting the cyber-criminals. Changes wallpaper with message asking to download a decryptor from Dropbox. The decryptor demands 300$ in BTC to work.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Wanna Decryptor


Malware Removal Tool

User ExperienceJoin our forum to Discuss Wanna Decryptor.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Wanna Decryptor Ransomware – How Does It Infect

For the infection with this virus to be successful, the cyber-criminals behind the Wanna Decryptor threat may use a combination of different tools and kits:

  • Spamming software for e-mail.
  • A pre-set list of e-mail addresses to spam, usually bought on the black market.
  • Software responsible for different obfuscation of files so that detection by security software is avoided.
  • Different infection malware (Downloaders, droppers, extractors, etc.)
  • Malicious command and control servers and distribution hosts.

The most often-used method by which criminals like the ones behind Wanna Decryptor ransomware use is via e-mail spam. Such spam messages usually resemble different important notices, to trick users into either opening malicious e-mail attachments or clicking on links which redirect to malicious hosts. One example of such deceptive e-mail can be seen below:

After the Wanna Decryptor threat has already caused an infection by convincing the user to open the malicious attachment, the virus begins to drop it’s malicious files on the infected computer. The files which were detected so far by researchers are the following:

  • !WannaDecryptor!.exe
  • !WannaDecryptor!.exe.lnk
  • !WannaCryptor!.bmp
  • !Please Read Me!.txt

Besides these files, there may be fake process files and other support modules with random names spread out in various Windows folders such as the following:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Local%
  • %SystemDrive%

Wanna Decryptor Ransomware – What Does It Do?
The activity of Wanna Decryptor is relatively the same as most ransomware viruses out there. The virus executes an administrative command which deletes all the backed up files (shadow copies) on the infected Windows machines:

→ vssadmin.exe Delete shadows /All /Quiet

Wanna Decryptor virus also performs the deletion In /quiet mode, without the user noticing anything is happening.

Then, the Wanna Decryptor ransomware may perform modifications on the following Windows Registry sub-keys:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\

In the Run and RunOnce sub-keys, values may be added to make the malicious executable which is responsible for encrypting files to run when Windows boots. The Desktop keys, may have a modified sub-key for the wallpaper, which is later changed to the !WannaCryptor!.bmp image:

It also has the following message:

Ooops, your important files are encrypted.
If you see this text, but don’t see the “Wanna Decryptor” window, then your antivirus removed the decrypt software or you deleted it from your computer.
If you need your files, you have to recover “Wanna Decryptor” from the antivirus quarantine, or download from the address below:
Run “Wanna Decryptor” to decrypt your files!

The web link, leading to drop box may download a decryptor which looks like the following:

The decryption software demands 300$ in BitCoin to be paid to decode the files.

Wanna Decryptor Virus – The Encryption Process

For the encryption process performed by Wanna Decryptor, two powerful encryption algorithms may be used. One of them is known as the Advanced Encryption Standard and is a very often met decryptor in most ransomware viruses. The cipher is also used by some US government agencies to encrypt secret documents. It’s usage in this virus is primarily focused on encrypting files and generating symmetric key (FEK) which makes the file non readable.

Then, another encryption algorithm, known as Rivest-Shamir-Adleman or RSA is used to generate a Public key corresponding to the symmetric key and adds the key in the file’s data. Since Wanna Decryptor ransomware may use unique keys for set of files or for every file, discovering a decryption method by reverse engineering it can only be successful if there is a mistake while coding the encryption procedure, which is not likely.

For more information on how this encryption process works, please visit the following related article:

The files, targeted by Wanna Decryptor ransomware are documents, videos, pictures and other often used file types, for example, the following:


After the process of encryption is complete, the virus may correspond with the cyber-criminals to send the decryption keys to them, so that they can update their decryptor in the dropbox site. Another scenario is if they have a master decryption key embedded within the decryptor. Whatever the case may be with Wanna Decryptor, experts recommend to remove this virus instead of paying the ransom.

Remove Wanna Decryptor Ransomware and Restore Encrypted Files

For the removal of this virus, advices are to first back up the encrypted files and then follow the removal instructions below. They are specifically created to help delete the malicious files and objects created by this ransomware on your computer. In case manual removal is a challenge for you, recommendations are to focus on automatically removing everything related to Wanna Decryptor ransomware. Experts advise that the best way of doing the removal is by downloading an advanced anti-malware tool which will not only delete all files but will also protect your computer against future infections.

If you want to try and restore the files encrypted by Wanna Decryptor, we have suggested some methods in step “2. Restore files encrypted by Wanna Decryptor” below. They are not 100% guarantee you will get all the files back, but you may recover at least some of the data using these methods.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

1 Comment

  1. ניצ נצ



Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share