This article has been created in order to help you by showing how to remove the WannaPeace ransomware virus from your computer and how to recover _enc encrypted files.
A new ransomware infection, known as WannaPeace has been detected by malware researchers. The virus aims to encrypt the files on the computers infected by it by using AES algorithm on them. After the WannaPeace ransowmare finishes, the encryption the files are renamed with _enc included in their filename. The ransomware then drops a ransom note, named WannaPEace which demands victims to pay a hefty ransom fee in BitCoin in order to retrieve access to their files.
Threat Summary
| Name | WannaPeace |
| Type | Ransomware, Cryptovirus |
| Short Description | Aims to encrypt the files, using the AES cipher and then demands victims to pay heavy ransom in order to get them decrypted. |
| Symptoms | Files are encrypted with an added _enc file suffix to their names. A ransom note, imitating WannaCry appears on the infected PC. |
| Distribution Method | Spam Emails, Email Attachments, Executable files |
| Detection Tool | See If Your System Has Been Affected by WannaPeace Download Malware Removal Tool | User Experience | Join Our Forum to Discuss WannaPeace. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
WannaPeace Ransomware – Distribution Methods
In order to infect unsuspecting victims, the WannaPeace ransomware uses similar distribution methods of it’s malicious files like other ransom viruses do. The infection may use Windows Exploit kits embedded in an infection file, which infects computers by being sent to the victims, tricking them into thinking that the file is legitimate. One such example is malicious e-mail spam messages, also known as malspam, which carry either e-mail attachments or web links, leading to the malicious files. The often used e-mails, deceive you into thinking that the ransomware infection file is a legitimate:
- Invoice.
- Receipt.
- Purchase order information file.
- Banking activity statement.
- Letter of complain.
- Other important documents.
Once you open the malicious file, it immediately causes the infection to commence and the payload of WannaPeace is dropped and executed on your computer silently.
In addition to via e-mail, the malicious file, carrying WannaPeace may also be disguised as a file that is a legitimate installation file, software license activator, game patch or crack or other fake executable uploaded online.
WannaPeace – More Information
Being as yet another WannaCry impostor, the ransomware virus aims to download it’s payload on your computer after it infects it. The payload may consist of files with different names, such as:
- Randomly generated file names (a-z, 0-9, A-Z).
- Fake file names of legitimate Windows processes (for example svchost.exe).
- Filenames, pretending to be programs installed on your PC.
The payload is usually located in the following commonly targeted Windows directories:
- %AppData%
- %Local%
- %Temp%
- %Roaming%
- %LocalLow%
After the payload has been dropped on the victim’s computer, the ransomware may engage in different activities, such as set it’s ransom note file to be automatically displayed to the victim:
In addition to this, WannaPeace ransomware may also attack the following Windows Registry Entries on the victim’s computer:
→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop
After having done this, the WannaPeace ransomware virus may begin to delete the backed up files or shadow volume copies on the infected machine by running scripts which trigger commands as an administrator in the Windows Command Prompt. The commands are often the following:
→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
WannaPeace Ransomware – Encryption Process
In order to encrypt the files on the infected system, the WannaPeace ransomware virus uses the AES encryption algorithm to render the files on the computers that have been infected by it no longer able to be opened. This results in a unique key for decryption to be generated which is also asymmetric and the cyber-criminals are the only ones who remain in power to provide the key and decrypt your files. The usually targeted files by this ransomware virus are reported to be the following:
“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
After the encryption process is complete, the files are appended the _enc intefix between their names and the file extension and they begin looking like the image below:
Remove WannaPeace Ransomware and Try to Restore Encrypted Files
To remove this ransomware infection completely from your computer, we recommend that you follow the removal instructions down below. They are specifically created in order to help you by explaining how to isolate the virus and delete it manually or simply remove it automatically. For maximum effectiveness, security experts strongly advise to use an advanced anti-malware tool in order to remove the WannaPeace ransomware automatically from your computer system and protect it against future threats.
In the event that your files have been encrypted by this ransomware infection, recommendations are to try and restore them using the alternative file recovery instructions which we have posted down below in step “2. Restore files encrypted by WannaPeace” below.
Manually delete WannaPeace from your computer
Note! Substantial notification about the WannaPeace threat: Manual removal of WannaPeace requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.
1. For Windows 7,XP and Vista.
2. For Windows 8, 8.1 and 10.
Fix registry entries created by WannaPeace on your PC.
Automatically remove WannaPeace by downloading an advanced anti-malware program
1. Install SpyHunter to scan for and remove WannaPeace.
Back up your data to secure it against infections and file encryption by WannaPeace in the future.
STOPZilla Anti Malware
