Wannasmile Ransomware - How to remove

Wannasmile Ransomware is a dangerous computer virus that can infect operating system and encrypt files stored on it, asking for a ransom to be paid in order to unlock those files. Even though it looks like it was created by Persians (or at least targeted to Persian market), it can infect any computer worldwide and you should be aware of that. It was discovered by MalwareHinter team and published on a Twitter post, dubbed as WannaSmile ransomware. That name is something similar, yet opposite to the WannaCry infection. Maybe cyber criminals are making references, or just want to bring attention this way? It looks like name similarity is all that  is common between those viruses, because Wannasmile is just an upgraded and modified version of ZCrypt ransomware, which was released to the world more than a year ago.

WannaSmile ransomware virus

Wannasmile ransomware features

Since all of technical solutions are really similar to ZCrypt ransomware, we assume that it is distributing using spambots – millions of emails with attached malicious files are sent automatically and it’s enough to download and open that attachment to get infected. It is arguably the most common method to distribute malware, therefore we recommend to stay away from Spam folder in your email.

Now, once this infection is inside of your computer, it will scan your files and encrypt them. Extension “.WSmile” will be added to the end of every of your personal files and you won’t be able to open any of them. Right after that you should notice a new file named “How to decrypt files.html” on your desktop. It’s a ransom note which should provide you with instructions for decryption, however, it is written in Persian:

WARNING!

سیستم شما به ویروس و باج افزارWannaSmile آلوده شده است؛ تمامی فایل های مهم شما از جمله دیتابیس ها – داکیومنت ها – فایل های بک آپ و … توسط الگوریتم های پیچیده رمزنگاری شده است؛
بنابراین شما امکان دسترسی به فایل ها را نخواهید داشت زیرا الگوریتم رمزنگاری مورد نظر تنها توسط ما قابل رمزگشایی می باشد. شما می بایست برای رمزگشایی فایلهای خود مبلغ 20 بیت کوین را به آدرس زیر ارسال کنید:

1KvmWVRxqw8HeFpR2tHBaoTJiTczU7PRzw

و به محض پرداخت موفقیت آمیز بیت کوین حتما از طریق ایمیل [email protected] به ما اعلام کنید تا یک فایل برای شما ارسال گردد که توسط آن می توانید کل فایل ها و سیستم های آلوده را به حالت اولیه باز گردانید.

درصورتیکه طی مدت حداکثر 5 روز پس از آلوده شدن مبلغ مورد نظر به حساب بیت کوین ما واریز نشود، روزانه مبلغ 1 بیت کوین به مبلغ اصلی (20 بیت کوین) اضافه میگردد.

توجه: جهت خرید بیت کوین می توانید از طریق یکی از صرافی های زیر اقدام نمایید:

www.exchanging.ir
www.payment24.ir
www.farhadexchange.net
www.digiarz.com

We are not sure if it is just a spelling error or cyber criminals behind WannaSmile infection are out o this world, because they are asking 20 BTC as a ransom. It’s around $160 000 by the current exchange rate. Keeping in mind that this virus is targeting personal computers, no one ever will pay this kind of money.

Sometimes ransomware developers are asking for a reasonable ransom – something between $500 and $1000 and some users select this method as a solution to the problem. However, in this case you are left with the only option – to remove malicious files of this virus and try to restore your files from a backup.

Removing the infection itself is not that complicated, as you can do it with a help of reputable anti-malware tool. This report by VirusTotal reveal that most of anti-malware tools are able to detect files of WannaSmile as a ransomware or trojan infection. We suggest to go for Spyhunter – both of those applications are known for dealing with this kind of malware effectively. It will also protect your computer from similar infections in the future.

Files restoration features some specific conditions. First and foremost – you have to have a valid back-up file that was stored in a save place during the time of the infection. Only in this case you will be able to set your system to previous date and restore typical order of things. If you meet this condition, please read our system restore instructions and use it as your guide in this process.

How to recover Wannasmile Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode
 

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Wannasmile Ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3
 

Step 2. Complete removal of Wannasmile Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Wannasmile Ransomware. You can check other tools here.  

Step 3. Restore Wannasmile Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Wannasmile Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Wannasmile Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *