How to Remove WannaCry Ransomware and Get your files Back? 

Threat Name: WannaCry Ransomware

Category: Ransomware

Target: Encrypts Files

Threat Level: High

Removal: Hard

Problem

WannaCry Ransomware encrypts all your files and demands a ransom to get them back. It spreads using spam emails. Files encrypted with this ransomware cannot be decrypted without the key as of now. It has affected more than 230000 computers in 150 countries.

Symptoms

If you are infected with WannaCry ransomware, you will not be able to open your files. All of your files have the .wcry extension appended. You will also see the warning on your desktop and in a Notepad file named !Please Read Me!.txt.

Solution

In this article, we will tell you how to remove WannaCry ransomware infection from your computer and also tell you how to restore your files. Unfortunately, as of now, you cannot decrypt the files without paying the ransom, but there are certain ways to recover your files.

The WannaCry ransomware attack started on 12 May 2017 and, as of now, it has affected more than 230000 computers in more than 150 countries. The most affected countries are England, Russia, USA, China, and Frankfurt. It is not only affecting ordinary users but also targeting government and non-government organizations. WannaCry is said to use an exploit called ETERNALBLUE, built by the US agency NSA. As of now, there is no proven method to decrypt the files encrypted by this ransomware. This is why the governments of affected countries are issuing advisories to prevent the attack. WannaCry ransomware is also known as WannaCryptor, WNCRY, and Wana Decryptor.

WannaCry uses spam email attachments to attack computers. Once it gets into your computer, it looks for vulnerable computers on your LAN and infects them too. It uses a complex encryption method to encrypt all the files. It targets personal and professional files as well as databases. Once you are infected, it encrypts all your files and asks for a 300 BTC ransom to get them back.

What is WannaCry Ransomware? 

WannaCry, also called WannaCryptor, WNCRY or Wana Decryptor, is ransomware. It targets ordinary users and organizations. It uses spam email attachments to enter your computer and spreads over your LAN. WannaCry encrypts all your personal and professional files with complex encryption. You won't be able to access any of your files. After encrypting your files, it changes your desktop wallpaper and shows a warning and steps to decrypt your files.


It also leaves a text file named !Please Read Me!.txt in each folder. This file contains information about what is going on in your computer and how you can get your files back by paying the ransom.


WannaCry targets more than 77 file formats. It targets common office file formats, archives and media files, databases, email databases, developers' project files, encryption keys and certificates, virtual machine files, and graphic designers' files.

File Types Targeted by WannaCry Ransomware

.ppt, .doc, .docx, .xlsx, .sxi, .sxw, .odt, .hwp, .zip, .rar, .tar, .bz2, .mp4, .mkv, .eml, .msg, .ost, .pst, .edb, .sql, .accdb, .mdb, .dbf, .odb, .myd, .php, .java, .cpp, .pas, .asm, .key, .pfx, .pem, .p12, .csr, .gpg, .aes, .vsd, .odg, .raw, .nef, .svg, .psd, .vmx, .vmdk, .vdi, .lay6, .sqlite3, .sqlitedb, .accdb, .java, .class, .mpeg, .djvu, .tiff, .backup, .vmdk, .sldm, .sldx, .potm, .potx, .ppam, .ppsx, .ppsm, .pptm, .xltm, .xltx, .xlsb, .xlsm, .dotx, .dotm, .docm, .docb, .jpeg, .onetoc2, .vsdx, .pptx


Manual Steps to Remove WannaCry Ransomware

1 - Download Windows Security Patch

Microsoft has released a critical security update to fix the vulnerability in Windows. WannaCry takes advantage of this security hole. Go to https://technet.microsoft.com/en-us/library/security/ms17-010.aspx and download the update for your operating system.

2 - Block TCP Port 445

WannaCry uses TCP port 445 to communicate and spread to other computers. Before doing anything else, we need to stop this communication.

Click on the Windows search box and type "cmd"; you will see the Command Prompt program. Right-click on it, choose Run as administrator, and then choose Yes. Now copy and paste this command:

Netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="Block_TCP-445"

Press Enter. After some time you will see Ok. Close the Command Prompt.

3 - Restart PC in Safe Mode

Now start your computer in Safe Mode. To do this, press Win + R, type msconfig, and press Enter. Click on the Boot tab, choose the Safe Boot option, and click OK.

Click on Restart to start your computer in Safe Mode.

4 - Clean Startup Folder

After starting your PC in Safe Mode, press Win + R, type msconfig, and press Enter. Click on the Startup tab, then click on Open Task Manager.

Now disable every application that you don't trust.

5 - Check Hosts File

The next step is to go to the C:\Windows\System32\drivers\etc location. Open the hosts file with Notepad.

This file should look like the picture below. If you see anything other than this, delete those lines.

Check Host File 2

6 - Disable Safe Mode

Press Win + R and type msconfig and press enter. Click on Boot tab and uncheck the Safe Mode box. Press Ok and Choose Restart to start your computer normally. 


7 - Scan your Computer with MalwareFox

Now download MalwareFox to fully scan your computer for any infection. 

Download and install MalwareFox. After the installation, update it and let it load recent signatures. Now press the scan button to fully scan your computer.

8 - Install Windows Security Patch

Now it's time to install the security patch you downloaded in the first step. Install it to close the security hole in your operating system.
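Step 5 asks you to spot lines in the hosts file that should not be there. The script below is an added example, not part of the original guide: it lists every active (non-comment) hosts entry that is not a plain localhost loopback mapping, on the assumption that a default Windows hosts file contains only comment lines. The sample content and host names are constructed.

```python
import ipaddress

# Names that may legitimately map to the loopback address (assumption).
BENIGN_NAMES = {"localhost"}

def audit_hosts(text):
    """Return (line_no, address, names) for each active entry worth reviewing."""
    findings = []
    # A leading byte-order mark would otherwise hide the first line's address.
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        try:
            loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:
            loopback = False                      # malformed address: report it
        if loopback and names and all(n.lower() in BENIGN_NAMES for n in names):
            continue                              # ordinary localhost mapping
        findings.append((line_no, address, names))
    return findings

# Constructed sample, not a capture from a real machine.
SAMPLE_HOSTS = """\
# Sample hosts file
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       localhost
127.0.0.1       update.example-av.test
203.0.113.7     login.example-bank.test
"""

if __name__ == "__main__":
    # On a real machine, read C:\Windows\System32\drivers\etc\hosts instead.
    for line_no, address, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} -> {' '.join(names)}")
```

An entry that points a security vendor's update domain at 127.0.0.1 is reported too, since that is a common way to cut a machine off from updates.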

How to Recover .wncry Files?

WannaCry ransomware uses complex algorithms to encrypt the files. This makes the files almost impossible to decrypt without the decryption key. However, some users have successfully restored their files using recovery software. Your computer saves a shadow copy of your files on the hard disk. Though the ransomware tries to delete the shadow copy on the hard disk, there is still a chance that you can get your files back.

Try to restore Windows to a previous date, or try to restore the files to a previous date. If you can't restore them successfully, then try some recovery software. Recovery software like Recuva and Shadow Explorer is helpful in this case. You can also download other recovery software to restore your files.
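Before trying a restore, it helps to know which folders were hit and which original file names to look for in shadow copies or backups. The read-only script below is an added example, not part of the original guide; it relies only on the two extensions and the ransom note name mentioned in this article, and the function names are illustrative.

```python
import os
from collections import defaultdict

ENCRYPTED_SUFFIXES = (".wcry", ".wncry")   # extensions named in this article
RANSOM_NOTE = "!Please Read Me!.txt"       # note file name given in this article

def inventory(root):
    """Walk root and report, per folder, encrypted files and ransom notes.

    Returns {folder: {"note": bool, "files": [(encrypted_name, original_name)]}}.
    Nothing is opened, renamed or deleted.
    """
    report = defaultdict(lambda: {"note": False, "files": []})
    for folder, _dirs, names in os.walk(root):
        for name in sorted(names):
            lower = name.lower()
            if lower == RANSOM_NOTE.lower():
                report[folder]["note"] = True
                continue
            for suffix in ENCRYPTED_SUFFIXES:
                if lower.endswith(suffix) and len(name) > len(suffix):
                    # The extension is appended, so stripping it gives the
                    # original name to search for in a backup or shadow copy.
                    original = name[:-len(suffix)]
                    report[folder]["files"].append((name, original))
                    break
    return dict(report)

def summary(report):
    """Return (number of encrypted files, number of folders with a note)."""
    total = sum(len(entry["files"]) for entry in report.values())
    noted = sum(1 for entry in report.values() if entry["note"])
    return total, noted

if __name__ == "__main__":
    # Assumption: scan the current user's profile; pass any folder you like.
    found = inventory(os.path.expanduser("~"))
    for folder, entry in sorted(found.items()):
        print(folder, "note" if entry["note"] else "", len(entry["files"]))
    print("encrypted files: %d, folders with a note: %d" % summary(found))
```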

Tips to Stay Safe from WannaCry Ransomware

1. Update your operating system and install all critical updates. Don't leave your PC vulnerable to cyber attacks. 

2. Disable the Server Message Block (SMB) protocol on your computer. It is enabled by default and is used by WannaCry Ransomware to communicate with its server. To disable it, go to Control Panel > Programs > Turn Windows Features On or Off. Look for SMB 1.0/CIFS File Sharing Support, uncheck the box, and click on OK. It will take some time to complete.


3. Do not open spam emails. This is the primary method this ransomware uses to spread. Don't download a suspicious email attachment even if it appears to come from a known person or organization.

4. Take a regular backup of your important files and databases. Keep this backup on a separate drive or computer completely disconnected from any network, so that if you are infected with any kind of malware you don't lose your important work.

5. Install a good anti-malware. Anti-virus programs aren't enough to protect you from new threats. You need a strong anti-malware like MalwareFox. Download and install it and keep its Real Time Protection on to stay protected from these threats.


Vipin Pandey
 

Computer technician turned blogger! Dealing with malware attacks and troubleshooting is my hobby which landed me on my first job. This blog serves as a platform to share those tips and help fix the problems.
