.Wcry File Virus – Remove It and Restore Your Files (Update June 2017)


This article will help you remove the .Wcry file virus completely. Follow the ransomware removal instructions provided at the end of the article.

.Wcry file virus is ransomware. Files with over 160 different extensions will be encrypted and a ransom message will be displayed afterward. From there, you can see the payment demands of the cybercriminals who developed the .Wcry file virus. The ransomware connects to a C&C (Command and Control) server. Read below to see how you could try to potentially restore some of your files.

Threat Summary

Name: .Wcry file virus
Short Description: The ransomware will encrypt files with a little over 160 different extensions on a compromised system.
Symptoms: The ransomware encrypts files on your PC and displays a ransom message afterward.
Distribution Method: Spam emails, email attachments
Detection Tool: Malware removal tool (see if your system has been affected by .Wcry file virus)
User Experience: Join our forum to discuss .Wcry file virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.Wcry File Virus – Update

A new version of .Wcry file virus is out, infecting users worldwide. Reports show that around 100 different countries have been hit, but the ones that suffer the most are Spain, Russia and the UK. The ransomware continues to spread in its older version with the .Wcry extension, but it could also have the new design, as seen below:

The latest news about the ransomware from malware researchers is that you shouldn't pay the ransom sum. Because the virus requires a human operator to approve the payment over a Command & Control (C2) server, and thousands have been hit, it's not likely that this will happen or that your files will be restored.

UPDATE MAY 2017: We have summed up potential methods by which you could theoretically try to restore your files. We have also included new information about how this virus spreads. The instructions are in the following article.

.Wcry File Virus – Infection Spread

The .Wcry file virus could spread its infection in different ways. The payload file that initiates the malicious script for this ransomware, which in turn infects your computer, might be placed in different locations on the Web. A C&C server that is believed to be associated with this ransomware is rphjmypwmfvx6v2e(.)onion.

This .Wcry file virus could also spread its payload file on social media and file-sharing sites. Freeware found on the Web can be presented as helpful but could also hide the malicious script for the virus. Refrain from opening files right after you have downloaded them, especially if they come from dubious sources such as links and emails. Instead, scan them first with a security tool, while also checking their size and signatures for anything that seems suspicious. You should read the ransomware prevention tips in the forum.

.Wcry File Virus – Analysis

.Wcry file virus is ransomware that encrypts files with a little over 160 different extensions, appending the extension .wcry to them.

.Wcry file virus ransomware could make entries in the Windows Registry to achieve persistence and to launch or suppress processes in Windows. Some entries are designed in a way that will launch the virus automatically with each boot of the Windows Operating System.

A ransom note will appear right after the encryption process has ended. The note is written in English and gives details about the ransom price, along with other payment instructions. You can view the ransom message, which loads after the file encryption process, below:

That ransom note reads the following:

Your files have been safely encrypted!
Most of your files are encrypted with strong AES-128 ciphers.
To decrypt files you need to obtain the private keys, and it is the only possible way.
To obtain the keys you should pay them with bitcoin.
The cost will double by the specified time.
The cost will double
[date and time] What to do, How to do
1. Send 0.1 BTC to 1G7bggAjH8pJaUfUoC9kRAcSCoev6djwFZ
You will be able to download the private key within 12 hours.
2. How to DECRYPT your files
1) Click “Start Decrypt”.
2) First, you should send a download request with your Bitcoin wallet address.
(Important: You must know your actual wallet address from where your payment be sent.)
3) Sleep.
4) After 5~6 hours you will have the key and can decrypt your files. Go!
5) That’s all.

3. About BITCOIN
1) For more information about bitcoin, please visit https://en.wikipedia.org/wiki/Bitcoin
2) Here are our recommendations to purchase bitcoin:

Any attempt to corrupt or remove this software will result in immediate elimination of the private keys by the server.
Start Decrypt

The note of the .Wcry file ransomware states that your files are encrypted with the AES 128-bit encryption algorithm. The cybercriminals demand a ransom sum of 0.1 Bitcoin as payment for unlocking your files. The equivalent of that sum in US dollars is almost exactly 100 dollars. You will be given around five full days to pay the ransom, but we advise against that. You should NOT under any circumstances pay the cyber crooks. Your files might not get restored, and nobody can guarantee that they will. You will only end up giving money to these criminals and encouraging them to create more ransomware or commit other criminal acts.

.Wcry file ransomware seeks to encrypt files with a little over 160 different extensions, which you can see in the following list:

→.key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .mdb, .db, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cs, .c, .cpp, .pas, .h, .js, .vb, .pl, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .rb, .java, .jar, .class, .sh, .mp3, .wav, .swf, .fla, .wmv, .mpg, .mpeg, .vob, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .ai, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .backup, .zip, .rar, .7z, .gz, .tgz, .tar, .bak, .tbk, .tarbz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .602, .hwp, .edb, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .dotx, .dotm, .dot, .docm, .docb, .jpg, .jpeg, .dwg, .pdf, .rtf, .csv, .txt, .wk1, .wks, .123, .vsdx, .vsd, .eml, .msg, .ost, .pst, .pptx, .ppt, .xlsx, .xls, .docx, .doc

Extensions Source: MalwareHunterTeam

Every file which has one of the extensions from the above list will get encrypted.

The .Wcry file cryptovirus is more than likely to erase the Shadow Volume Copies from the Windows Operating System by running the following command:

→vssadmin.exe Delete Shadows /All /Quiet
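Shadow-copy destruction is one of the few loud, reliably loggable steps in this kind of attack, so it is worth alerting on. The following Python detector, an added example that is not part of the original article, runs over constructed process-creation events (the field names loosely follow Sysmon Event ID 1; hosts, paths and timestamps are made up) and flags the vssadmin invocation quoted above regardless of letter case or argument order, while ignoring benign `vssadmin list shadows` calls and unrelated processes whose command line merely contains the words.

```python
import re

# Constructed process-creation events in a simple key="value" layout
# (not real telemetry; field names loosely follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    'UtcTime="2017-05-12 10:01:13" Host="WS01" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows"',
    'UtcTime="2017-05-12 10:07:42" Host="WS01" ParentImage="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" '
    'Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'UtcTime="2017-05-12 10:07:43" Host="WS02" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'Image="C:\\Windows\\SysWOW64\\VSSADMIN.EXE" CommandLine="VSSADMIN.EXE delete shadows /quiet /all"',
    'UtcTime="2017-05-12 10:09:00" Host="WS03" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe Delete Shadows.txt"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> dict:
    """Turn one key="value" event line into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def is_shadow_deletion(image: str, command_line: str) -> bool:
    """True when vssadmin.exe is invoked to delete shadow copies.

    Case-insensitive and order-insensitive on the arguments; the executable
    path itself must be vssadmin.exe, so other programs whose command line
    happens to contain 'Delete Shadows' are not flagged.
    """
    if image.rsplit("\\", 1)[-1].lower() != "vssadmin.exe":
        return False
    tokens = [t.lower() for t in command_line.split()]
    return "delete" in tokens and "shadows" in tokens

def find_shadow_deletions(lines):
    """Return parsed events that look like shadow-copy destruction, with a
    Severity field: 'high' when /All is present (every restore point goes),
    'medium' otherwise."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_shadow_deletion(ev.get("Image", ""), ev.get("CommandLine", "")):
            tokens = [t.lower() for t in ev["CommandLine"].split()]
            ev["Severity"] = "high" if "/all" in tokens else "medium"
            findings.append(ev)
    return findings

if __name__ == "__main__":
    for f in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"[{f['Severity']}] {f['Host']} {f['ParentImage']} -> {f['CommandLine']}")
```

The parent image is the most useful triage field: vssadmin launched from a user-writable Temp directory, as in the second constructed event, deserves far more attention than the same command run by an administrator from a console.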

Continue reading and check out what ways you could try to potentially restore some of your data.

Remove .Wcry File Virus and Restore Your Files

If your computer got infected with the .Wcry file ransomware virus, you should have a bit of experience in removing malware. Get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
