WannaCry Impostors On the Rise

WannaCry Impostors On the Rise

WannaCry – a ransomware cryptovirus, that has infected computers over the globe across 150 countries, is already being looked up to by criminals. Successfully delivering the biggest ransomware attack in history, there is no wonder cybercriminals have started developing imitations of the WannaCry virus. In case you get infected by a clone of the malware, you should read the article and see how you could try to potentially recover some of your data.

WannaCry Ransomware Infection

WannaCry ransomware uses different methods to infect users’ PCs, and thus its imitations could use any number of ways to infect computer systems. Those ways however wouldn’t be much different. Using multiple malware e-mail spam campaigns might be the main way of distribution or using a worm to continue the infection from one machine to another over a network. These methods are used by WannaCry 2.0 right now and are viable for maintaining believable copycat version of it. However, impostors might utilize other ways for infecting.

As you can see above, one of the WannaCry ransomware copycats has a malicious executable that launches a script that infects a computer. Such files could be delivered even through social media and file-sharing networks. Often, files like these are advertised as freeware that is helpful, but instead might serve as the entry point for an infection. Refrain from opening files right after you have downloaded them, especially if they are from an unknown source. You should always first scan the files with a security tool. Read the ransomware prevention tips in our forum section to educate yourself on how to prevent ransomware attacks in general.

Below we will look at a few imitations of WannaCry that have surfaced and were discovered by malware researchers. As they are all still in-development, there is not much information to go on.

WannaCry Impostor #1 – DarkoderCrypt0r

DarkoderCrypt0r is still in its development phase, but probably the closest to being released, if you compare it to the other impostors. After encrypting files on your Desktop, it will display the following window:

As you can see it uses the same design and ransom note as the newest variant of the WannaCry virus aka Wana Decrypt0r 2.0.

All files are encrypted with the .DARKCRY extension and it gives you three days to pay the ransom sum of 300 US dollars. Its executable will be named @[email protected], similarly to the original ransomware. Interestingly enough, this one uses the code of HiddenTear, so it would be decryptable, if it is released.

WannaCry Impostor #2 – Wanna Crypt v2.5

The Wanna Crypt v2.5 is also in-development, but sill behind, as it only shows the following lock-screen:

As you can see, the design is the same, with minor changes to the lock icon, timers etc. The ransom sum is 600 US dollars right from the beginning.

The ransom note of both variants described above is the following:

Ooops, your files have been encrypted!
What Happened to My Computer?
Your important files are encrypted.

Many of your documents. photos, videos, databases and other files are no longer
accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files. but do not waste your time. Nobody can recover your files without
our decryption service.

Can I Recover My Files?

Sure. We guarantee that you can recover all your files safely and easily. But you have 1
not so enough time.
You can decrypt some of your files for free. Try now by clicking
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don’t pay in 7 days, you won’t be able to recover your files forever.
We will have free events for users who are so poor that they couldn’t pay in 6 months.

How Do I Pay?

Payment is accepted in Bitcoin only. For more information, click
Please check the current price of Bitcoin and buy some bitcoins. For more information.
And send the correct amount to the address specified in this window.
After your payment, click Best time to check: 9:00am – 11:00am
GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!

WannaCry Impostor #3 – WannaCrypt 4.0

WannaCrypt 4.0 is also in its early stages of development and does not encrypt data at this time. However, while it copies the design of the ransom message window, it has an additional feature, as you can see below:

The whole ransom payment instructions text is written in the Thai language as it is probably made by and intended for the individual user of Thailand. That language is not supported by the original WannaCry.

WannaCry Impostor #4 – Aron WanaCrypt0r 2.0 Generator v1.0

Last, but definitely not least is the Aron WanaCrypt0r 2.0 Generator v1.0. The idea behind it is to make it into a generator of custom WannaCry versions, as seen right down here:

As seen above, there are multiple customizations that can be done, in terms of images, color and text, but only limited to the lock screen.

WannaCry Impostor #5 – Wana Decrypt0r 2.0 (Wana Descrypt0r)

A copycat variant called Wana Decrypt0r 2.0 and Wana Descrypt0r written in the Indonesian language is also being spread. The malware’s executable file is called MS17-010.exe referring to the Microsoft patch, which the original WannaCry virus used as an entry point exploit. Here is how it looks like:

Fortunately, it doesn’t encrypt files for now.

WannaCry Impostor #6 – @kee

@kee is an imitator which doesn’t care about your files. It will encrypt them and show the following message window:

The ransom note is also inside a file called “Hello There! Fellow @kee User!.txt“.
It states that there is no way for you to receive the key, and afterward it will delete your files.

WannaCry Impostor #7 – WannaDecryptOr 2.0

WannaDecryptOr 2.0 is an imitation of the WannaCry ransomware virus, which is still in-development and shows a blank page in its window as seen from the picture here:

Your files will not get encrypted, but they could be in the near future.

WannaCry Impostor #8 – Wanna Subscribe 1.0

Not much information is found about the Wanna Subscribe 1.0 impostor, other than that it is written in Java and has the following gray-colored design:

The following extensions which are encrypted by the current WannaCry variant, could also be placed for its clones to seek and lock:

→.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

The WannaCry copycats might also be set to erase the Shadow Volume Copies from the Windows operating system by implementing the usage of the following command:

→vssadmin.exe delete shadows /all /Quiet

Remove WannaCry Ransomware Impostors

If your computer got infected with some impostor of the WannaCry ransomware virus, you should have a bit of experience in removing malware. You should get rid of the ransomware as fast as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share