.Weencedufiles Virus (Remove and Decrypt Data) - How to, Technology and PC Security Forum | SensorsTechForum.com

.Weencedufiles Virus (Remove and Decrypt Data)

Article created to help you delete the .weencedufiles virus and restore the damage done by it on your PC.

The SamSam ransomware has come out with yet another iteration, this time using READ-READ-READ.html ransom note and .weencedufiles file extension after the encryption has been complete. This ransomware infection aims to extort the victims of it with money in return for the access of the files that it renders no longer able to be opened. In case you have been infected by the .weencedufiles virus, recommendations are to focus on reading the following material which will help you remove it and try to get your files back.

Threat Summary

Name.weencedufiles File Virus
Short DescriptionThe ransomware encrypts files with RSA encryption cipher and asks a ransom payment of BTC for decryption.
SymptomsFiles are encrypted with RSA encryption and become inaccessible with an added .weencedufiles file extension to them. A ransom note with instructions for paying the ransom shows as 000-PLEASE-READ-READ.html file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by .weencedufiles File Virus


Malware Removal Tool

Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Weencedufiles Virus – More Information

This SamSam ransomware iteration is from the file encryption kind, meaning that it may use RSA encryption algorithm to make the files on you computer no longer openable.

.Weencedufiles Virus – How Did I Get Infected

This particular version of SamSam does not differ by much with the other versions of the malware. It uses different tactics to infect users. A tactic often used is a remote infection via a server that is hosted somewhere unknown. Some crooks even test defenses of the computers they are about to infect. This is also known as penetration testing. Such specific software gives the chance to make an infection remotely and conceal malicious infection files from conventional anti-virus software.

.Weencedufiles SamSam Version – More Information

Similar to the other SamSam(https://sensorstechforum.com/new-samsam-ransomware-remove-restore-vforvendetta-files/) iterations, this version also may engage in activities that derive from it’s code. One of those activities was reported to be PSExec. It is used to start different programs remotely after infection, just like a Trojan horse does. The tool is contained in a file that is dropped on the infected computers and is started automatically.

But .Weencedufiles virus does not end it’s Trojan activity there. The ransomware virus may also use a separate Trojan that has been detected with similar malware – the Samas trojan.

After an infection with this virus, an executable type of file is downloaded and saved on the infected computer. This malicious file aims to eradicate shadow copies and destroy other backups by running the following command:

→ vssadmin delete shadows /for={DrivePartition} [/oldest | /all | /shadow={Identification of the shadow copies}] [/quiet]

After it’s preparation is complete, SamSam may engage in activities that result in encrypting files that are often used. The file types may vary, but they are most likely some of the following file extensions:


After a detection, the ransomware replaces bytes of the original files with bytes of the encryption algorithm. The encryption, believed to be RSA-2048 bit is a very strong cipher, used by the department of defence (DoD) for data security.

In case you have been visited by this version of the .weencedufiles virus, your files may look like the following after the encryption takes place:

To make sure the victim knows it’s presence as well as demands, this ransomware infection also drops a .html ransom note, named “READ-READ-READ”. It may ask to make a payment, most likely in BTC to the cyber-criminals so that they can unlock your files. Paying is not advisable in any circumstances.

SamSam .Weencedufiles Virus – Remove and Try Getting Back The Files

To fix the damage done by this nasty ransomware infection on your computer, recommendations are to focus on backing up the encrypted files first. Then, we advise you to follow the malware removal steps below. In case the manual removal is too difficult for you and you feel unconfident that you have removed the .Weencedufiles virus fully, experts always advise using an advanced anti-malware program to take care of the removal fully and automatically.

After already deleted .Weencedufiles ransomware, you can try using the alternative tools for decryption, which we have posted below at step “2. Restore files encrypted by .Weencedufiles file virus”. They are in no way 100% guaranteed to work, but they may help you recover at least some of the crucial files you want back.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share