WannaPeace Ransomware - How to Remove and Restore _enc Files

This article shows how to remove the WannaPeace ransomware virus from your computer and how to recover _enc encrypted files.

A new ransomware infection, known as WannaPeace, has been detected by malware researchers. The virus aims to encrypt the files on infected computers using the AES algorithm. After WannaPeace finishes the encryption, the files are renamed with _enc included in their filenames. The ransomware then drops a ransom note, named WannaPEace, which demands that victims pay a hefty ransom fee in BitCoin in order to regain access to their files.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt files using the AES cipher and then demands that victims pay a heavy ransom in order to get them decrypted.
Symptoms: Files are encrypted with an _enc suffix added to their names. A ransom note imitating WannaCry appears on the infected PC.
Distribution Method: Spam Emails, Email Attachments, Executable files

WannaPeace Ransomware – Distribution Methods

In order to infect unsuspecting victims, the WannaPeace ransomware distributes its malicious files with methods similar to those of other ransom viruses. The infection may use Windows exploit kits embedded in an infection file, which is sent to victims who are tricked into thinking that the file is legitimate. One such example is malicious e-mail spam messages, also known as malspam, which carry either e-mail attachments or web links leading to the malicious files. These e-mails often deceive you into thinking that the ransomware infection file is a legitimate:

  • Invoice.
  • Receipt.
  • Purchase order information file.
  • Banking activity statement.
  • Letter of complaint.
  • Other important documents.

Once you open the malicious file, it immediately causes the infection to commence and the payload of WannaPeace is dropped and executed on your computer silently.

In addition to e-mail, the malicious file carrying WannaPeace may also be disguised as a legitimate installation file, software license activator, game patch or crack, or other fake executable uploaded online.

WannaPeace – More Information

As yet another WannaCry impostor, the ransomware virus aims to download its payload on your computer after it infects it. The payload may consist of files with different names, such as:

  • Randomly generated file names (a-z, 0-9, A-Z).
  • Fake file names of legitimate Windows processes (for example svchost.exe).
  • Filenames, pretending to be programs installed on your PC.

The payload is usually located in the following commonly targeted Windows directories:

  • %AppData%
  • %Local%
  • %Temp%
  • %Roaming%
  • %LocalLow%

After the payload has been dropped on the victim’s computer, the ransomware may engage in different activities, such as setting its ransom note file to be displayed to the victim automatically.

In addition to this, WannaPeace ransomware may also attack the following Windows Registry Entries on the victim’s computer:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop

After having done this, the WannaPeace ransomware virus may begin to delete the backed up files or shadow volume copies on the infected machine by running scripts which trigger commands as an administrator in the Windows Command Prompt. The commands are often the following:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
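The chained commands above can be matched in process-creation telemetry. The following is an added detection example, not code from the original article; the event dictionaries, their field names and the rule labels are constructed for illustration.

```python
import re

# Recovery-inhibiting actions named in the article; the labels are this example's own.
RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b"),
}

def normalize(cmdline):
    """Lower-case, turn typographic quotes into plain ones, collapse whitespace."""
    cmdline = cmdline.translate(str.maketrans({"“": '"', "”": '"'}))
    return re.sub(r"\s+", " ", cmdline.lower()).strip()

def classify(cmdline):
    """Return the sorted labels of every rule matched by one command line."""
    text = normalize(cmdline)
    return sorted(label for label, rx in RULES.items() if rx.search(text))

def triage(events):
    """Return (pid, image, labels) for each event matching at least one rule."""
    hits = []
    for ev in events:
        labels = classify(ev["cmdline"])
        if labels:
            hits.append((ev["pid"], ev["image"], labels))
    return hits

# Constructed process-creation events (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "wmic.exe",
     "cmdline": 'wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet'
                ' & bcdedit.exe /set {default} recoveryenabled no'
                ' & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"'},
    {"pid": 5012, "image": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 5340, "image": "bcdedit.exe",
     "cmdline": "BCDEDIT  /set {current} RecoveryEnabled No"},
]

if __name__ == "__main__":
    for pid, image, labels in triage(SAMPLE_EVENTS):
        print(pid, image, ", ".join(labels))
```

Read-only queries such as `vssadmin list shadows` are deliberately not flagged, so the rules fire only on the deletion and recovery-disabling forms.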

WannaPeace Ransomware – Encryption Process

To encrypt the files on the infected system, the WannaPeace ransomware virus uses the AES encryption algorithm, which renders the files no longer able to be opened. This results in a unique decryption key being generated, which is also asymmetric, and the cyber-criminals are the only ones in a position to provide the key and decrypt your files. The files usually targeted by this ransomware virus are reported to be the following:


After the encryption process is complete, the _enc infix is inserted between each file’s name and its extension.
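To scope the damage, the naming pattern described above can be used to inventory affected files. This is an added example, not code from the original article; the entropy check, its 7.5 bits-per-byte threshold and the function names are assumptions of this example.

```python
import math
import os
import re
from collections import Counter

# "<stem>_enc<.ext>": the marker sits between the name and the last extension.
ENC_INFIX = re.compile(r"^(?P<stem>.+)_enc(?P<ext>\.[^.]+)$", re.IGNORECASE)

def original_name(filename):
    """Return the pre-encryption name implied by the _enc infix, or None."""
    m = ENC_INFIX.match(filename)
    return m.group("stem") + m.group("ext") if m else None

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_marked_files(root, sample_size=65536, threshold=7.5):
    """Walk root and report files whose names carry the _enc infix.

    Each result is (path, original_name, likely_encrypted). The entropy check
    is an added heuristic to separate ciphertext from ordinary files that
    merely happen to be named *_enc.*; the threshold is an assumption.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            orig = original_name(name)
            if orig is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(sample_size)
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the scan
            results.append((path, orig, entropy(sample) >= threshold))
    return results

if __name__ == "__main__":
    import sys
    for path, orig, enc in find_marked_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'ENCRYPTED' if enc else 'name-only'}\t{path}\t(was {orig})")
```

The scan only reads files, so it can be run against a mounted backup or disk image to compare the list with what can be restored.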

Remove WannaPeace Ransomware and Try to Restore Encrypted Files

To remove this ransomware infection completely from your computer, we recommend that you follow the removal instructions below. They are specifically created to explain how to isolate the virus and delete it manually or remove it automatically. For maximum effectiveness, security experts strongly advise using an advanced anti-malware tool to remove the WannaPeace ransomware automatically from your computer system and protect it against future threats.

In the event that your files have been encrypted by this ransomware infection, the recommendation is to try to restore them using the alternative file recovery instructions in step “2. Restore files encrypted by WannaPeace” below.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
