Mass infection with WannaCry ransomware - @ [email protected]. How the WannaCrypt virus spreads. How to disinfect your computer and decrypt files encrypted by WannaCrypt

The purpose of the following text is to inform you about the possible consequences of a very harmful virus, Wannacrypt Ransomware, as well as its characteristics and its normal way of functioning. Since this program is a ransomware variant, what you can expect from it is summarized below:

  • Self-installation on your computer: This means that such programs don't even need to trick you into getting them installed. In fact, such programs become part of your PC automatically after being downloaded from any source.
  • A thorough scan of all your drives, which is designed to determine which of your data you use most. After this, a complete list of all these pieces of data is created.
  • Unfortunately, this terrible Wannacrypt Ransomware program then proceeds to encrypt all the above-mentioned files, one after another. Once all files have been permanently blocked, you will receive a terrible notification. Typically, such a scary message will inform you that your data has been locked and you must pay a ransom to decrypt it.

To be absolutely clear, rarely will you come across a more terrifying type of malware. To date, ransomware tops the list of the most malicious threats. However, even such an unpleasant situation is not hopeless. If you read the entire article, you will get an idea of how to try to remove this threat.

Isn't it always ransomware that encrypts files?

In fact, only members of the data-locking subcategory of this malware block data. Other versions of this malicious software may show different features. There are subspecies of ransomware whose representatives lock the screen of your device. The Monitor-Block and Mobile Encryption ransomware subgroups are the two largest such subtypes. They have more or less similar functions: they affect the screens of your devices and make them inaccessible to you, covering them with large ransom-demanding messages that resemble other ransom notifications. In general, such a warning informs you that you need to pay a ransom to unlock the display of any device that has caught the corresponding virus (for example, laptops/tablets/phablets/smartphones). However, the biggest ransomware subcategory is that of file-encrypting programs like Wannacrypt Ransomware.


Typical distribution methods:

  • Spam messages (and their corresponding attachments):
    This is a very typical way for ransomware to spread. In such a case, the virus may infect you automatically when you download an infected email or download and/or open any of its attachments. In fact, all types of attached files can be infectious: pictures/documents/.exe files.
  • Fake advertisements and system requests:
    Pop-up windows that you may encounter on the Internet may be infected. This is why it is extremely important to simply avoid them all, as you cannot distinguish the dangerous from the innocent. In addition, viruses often found on the Internet may display fake system requests that resemble those that your system may produce. Our advice in this case is to check for updates yourself and not to click on any pop-up that appears on your screen.
  • Torrents, illegal software, film/video sharing sites and video streaming web pages:
    They are also one of the most common sources of ransomware. It is important that you download and use only software, movies and videos from trusted platforms for your own cyber security.

What can you do if your computer has caught a dangerous threat such as Wannacrypt Ransomware?

This is perhaps the worst part, as everything you do may not be enough, either to decrypt your data or to remove the virus. However, it is possible to find a way to get rid of this virus, and the options include:

  • Seeking advice from someone who is an expert to help;
  • Purchasing a license for software that is designed to combat such infections;
  • Finally, following the removal guide that we have provided to complete this difficult task.

Step 1: Remove Wannacrypt Ransomware related programs from your computer

By following the first part of the instructions, you will be able to track and completely get rid of uninvited guests and clutter:

  1. To remove Wannacrypt Ransomware applications from the system, use the instructions that suit your version of Windows:
  • Windows XP/Vista/7: Click the Start button and then go to Control Panel.

  • Windows 8: Move the mouse cursor to the right edge of the screen. Select Search and search for "Control Panel". Another way to get there is to right-click the left hot corner (simply, the Start button) and choose Control Panel.

Once you are in Control Panel, find the Programs section and select Uninstall a program. If the Control Panel is in Classic view, double-click Programs and Features.

When the Programs and Features/Uninstall a program window appears, look through the list and remove any or all of the following programs you find:

  • Wannacrypt Ransomware; HD-total plus; RemoveThaeAdAopp; UTUobEAdaBlock; SafeSaver; SupTab;
  • ValueApps; Lollipop; Software version update; DP1815; Video player; Convert files for free;
  • Plus HD 1.3; BetterSurf; Trusted web; PassShow; LyricsBuddy-1;
  • Media Player 1.1; Saving a bull; Feven Pro 1.1; Websteroids; Saving a bull; 3.5 HD-Plus; Re-markit.

Additionally, you should uninstall any application that was installed a short time ago. To find these recently installed applications, click on the Installed On column to sort the programs by installation date. It's best to look at this list again and remove any unfamiliar programs.


It may also happen that you cannot find any of the programs listed above that you were advised to remove. If you do not recognize any untrusted or unfamiliar programs, continue with the following steps in this uninstallation guide.

Step 2: Remove Wannacrypt Ransomware pop-ups from browsers: Internet Explorer, Firefox and Google Chrome

Remove Wannacrypt Ransomware pop-ups from Internet Explorer

Based on the tips provided, you can return your browsers to normal. Here are tips for Internet Explorer:


Eliminate Wannacrypt Ransomware pop-up ads from Mozilla Firefox

If the Mozilla Firefox browser on your system is somehow broken due to the entry of viruses, you should restore it. Restoring, in other words, means resetting the browser to its original state. Don't worry: your personal data in the browser, such as history, bookmarks, passwords, etc., will be kept safe.


Important: once the browser has been restored, be informed that the old Firefox profile will be saved in the folder Old Firefox Data located on the desktop of your system. You may need this folder, or you can simply delete it, as it holds your personal data. In case the reset was not successful, copy your important files back from the specified folder.

Remove Wannacrypt Ransomware pop-ups from Google Chrome

  1. Find and click on the Chrome menu button (browser toolbar) and then select Tools. Continue with Extensions.

  2. In this tab you can delete any unfamiliar plugins by clicking on the trash can icon. The main thing is to have all or one of these programs removed: Wannacrypt Ransomware, HD-total-plus, SafeSaver, DP1815, video player, convert files for free, plus-HD 1.3, BetterSurf, Media Player 1.1, PassShow, LyricsBuddy-1, Yupdate4.flashplayes.info 1.2, Media Player 1.1, Bull's savings, Feven Pro 1.1, Websteroids, savings bull, HD-Plus 3.5.


Since May 12, the WannaCrypt ransomware virus has been spreading online, infecting more than a hundred thousand computers in just one day and paralyzing the work of many large companies around the world. In Russia, Megafon, the Ministry of Internal Affairs and the Investigative Committee were infected. In the first hours of the virus's action alone, more than 36,000 computers were infected, with the main impact falling on Russia, Ukraine and Taiwan. In this article I will tell you how players can protect their computer and not become a victim of a large-scale infection.

What does the WannaCrypt virus do?

Once in the system, the virus encrypts all files on the computer and demands a ransom of $300 in bitcoins for access to them. A message about this appears on the desktop. All files that are infected with WannaCrypt stop opening. You will lose access to poker rooms, as well as payment systems where you keep your bankroll. If the ransom is not paid within 3 days, the amount of “treatment” doubles.

How far has the virus spread?

How do I know if I have the patch installed or not?

1. Go to this page on the Microsoft website and see which patch code corresponds to your version of the operating system. For example, for Windows 7 it will be 4012212 or 4012215.

2. Open cmd.exe (command line) and write a request with your code. For example for Windows 7: wmic qfe list | findstr 4012212

  • If there is information about installing an update with a date, you have the patch.
  • If an empty line appears, check the second code (for Win7 - 4012215)
  • If an empty line appears again, you do not have a patch.

You can also check when it was last updated by typing wmic qfe list and looking at the patch installation dates.
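The same patch check as a script, for when several KB codes have to be tried. This is an added example, not part of the original article; the function name is made up here and the default KB IDs are the Windows 7 codes quoted above.

```powershell
# Added example, not from the original article. The default KB IDs are the
# Windows 7 ones quoted above; pass the IDs listed for your own OS version.
function Test-Ms17010Patch {
    param(
        [string[]]$KbIds = @('KB4012212', 'KB4012215')
    )

    # Get-HotFix reads Win32_QuickFixEngineering, the same data source
    # that `wmic qfe list` prints.
    $all = @(Get-HotFix -ErrorAction SilentlyContinue)

    # Exact match on HotFixID. `findstr 4012212` is a substring search and
    # would also hit any longer number that happens to contain those digits.
    $found = @($all | Where-Object { $KbIds -contains $_.HotFixID })

    # Most recent update of any kind (the "when was it last updated" check).
    $latest = $all | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $latestId = $null
    $latestOn = $null
    if ($latest) {
        $latestId = $latest.HotFixID
        $latestOn = $latest.InstalledOn
    }

    # New-Object PSObject keeps this usable on the PowerShell 2.0 that
    # ships with Windows 7.
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        Patched      = ($found.Count -gt 0)
        MatchedKbs   = ($found | ForEach-Object { $_.HotFixID }) -join ', '
        LastUpdateId = $latestId
        LastUpdateOn = $latestOn
    }
}

# Check the Windows 7 codes from the text.
Test-Ms17010Patch | Format-List
```

A later monthly rollup that supersedes these KBs also carries the fix, so `Patched = False` together with a recent `LastUpdateOn` means the update history needs a closer look, not that the machine is necessarily exposed.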

How to remove the WCry virus if your computer is already infected?

I don't recommend rushing into this. One of these days there may well be a utility to solve this problem. But there is a standard method of dealing with such viruses. To remove a virus:

  1. Enable safe mode with loading network drivers (F8 on reboot for Win7)
  2. Remove the unwanted application through Uninstall Programs, or better yet, do it using utilities like Malwarebytes Anti-malware.
  3. Recover encrypted files using decryptors from the Kaspersky website.

This method does not guarantee complete recovery of files encrypted by a virus. Therefore, use this method at your own risk.

Play poker and keep your bankroll safe!

As reported by Russian media, the work of departments of the Ministry of Internal Affairs in several regions of Russia has been disrupted due to a ransomware that has infected many computers and threatens to destroy all data. In addition, the communications operator Megafon was attacked.

We are talking about the WCry ransomware Trojan (WannaCry or WannaCryptor). It encrypts the information on the computer and demands a ransom of $300 or $600 in Bitcoin for decryption.

@[email protected], encrypted files, extension WNCRY. A utility and decryption instructions are required.

WannaCry encrypts files and documents with the following extensions by adding .WCRY to the end of the file name:

.lay6, .sqlite3, .sqlitedb, .accdb, .java, .class, .mpeg, .djvu, .tiff, .backup, .vmdk, .sldm, .sldx, .potm, .potx, .ppam, .ppsx, .ppsm, .pptm, .xltm, .xltx, .xlsb, .xlsm, .dotx, .dotm, .docm, .docb, .jpeg, .onetoc2, .vsdx, .pptx, .xlsx, .docx

WannaCry attack around the world

Attacks were recorded in more than 100 countries. Russia, Ukraine and India are experiencing the greatest problems. Reports of virus infection are coming from the UK, USA, China, Spain, and Italy. It is noted that the hacker attack affected hospitals and telecommunications companies around the world. An interactive map of the spread of the WannaCrypt threat is available on the Internet.

How does infection occur?

As users say, the virus gets onto their computers without any action on their part and spreads uncontrollably across networks. On the Kaspersky Lab forum they point out that even an enabled antivirus does not guarantee security.

It is reported that the WannaCry ransomware (Wana Decryptor) attack occurs through the vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, which the attackers used to launch the encryption program. All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen.

The infection supposedly occurred a few days earlier, but the virus only manifested itself after it had encrypted all the files on the computer.

How to remove WanaDecryptor

You will be able to remove the threat using an antivirus; most antivirus programs will already detect the threat. Common definitions:

Avast Win32:WanaCry-A, AVG Ransom_r.CFY, Avira TR/FileCoder.ibtft, BitDefender Trojan.Ransom.WannaCryptor.A, DrWeb Trojan.Encoder.11432, ESET-NOD32 Win32/Filecoder.WannaCryptor.D, Kaspersky Trojan-Ransom.Win32.Wanna.d, Malwarebytes Ransom.WanaCrypt0r, Microsoft Ransom:Win32/WannaCrypt, Panda Trj/RansomCrypt.F, Symantec Trojan.Gen.2, Ransom.Wannacry

If you have already launched the threat on your computer and your files have been encrypted, decrypting the files is almost impossible, since exploiting the vulnerability launches a network encryptor. However, several options for decryption tools are already available:

Note: If your files were encrypted and there is no backup copy, and existing decryption tools did not help, then it is recommended to save the encrypted files before cleaning the threat from your computer. They will be useful if a decryption tool that works for you is created in the future.

Microsoft: Install Windows updates

Microsoft said that users with the company's free antivirus and Windows System Update enabled will be protected from WannaCryptor attacks.

Updates dated March 14 fix the system vulnerability through which the ransomware Trojan is distributed. Today detection was added to the Microsoft Security Essentials/Windows Defender antivirus databases to protect against a new malware known as Ransom:Win32.WannaCrypt.

  • Make sure your antivirus is turned on and the latest updates are installed.
  • Install a free antivirus if your computer does not have any protection.
  • Install the latest system updates using Windows Update:
    • For Windows 7, 8.1: From the Start menu, open Control Panel > Windows Update and click Search for Updates.
    • For Windows 10: Go to Settings > Update & Security and click "Check for updates".
  • If you install updates manually, install the official Microsoft patch MS17-010, which addresses the SMB server vulnerability used in the WanaDecryptor ransomware attack.
  • If your antivirus has ransomware protection, turn it on. We also have a separate section on our website, Ransomware Protection, where you can download free tools.
  • Perform an anti-virus scan of your system.

Experts note that the easiest way to protect yourself from an attack is to close port 445.

  • Type sc stop lanmanserver and press Enter
  • Enter for Windows 10: sc config lanmanserver start=disabled, for other versions of Windows: sc config lanmanserver start= disabled and press Enter
  • Restart your computer
  • At the command prompt, enter netstat -n -a | findstr "LISTENING" | findstr ":445" to make sure the port is disabled. If the output is empty, the port is not listening.

If necessary, open the port back:

  • Run Command Prompt (cmd.exe) as administrator
  • Enter for Windows 10: sc config lanmanserver start=auto, for other versions of Windows: sc config lanmanserver start= auto and press Enter
  • Restart your computer
Note: Port 445 is used by Windows for file sharing. Closing this port does not prevent the PC from connecting to other remote resources, but other PCs will not be able to connect to the system.

Over the past few days, the news has been frightening us with headlines about the massive infection of computers around the world with the WannaCrypt virus (Wana Decrypt0r 2.0). Russia was no exception; the computers of many companies and government organizations were infected. We are accustomed to treating news as something distant, something that cannot affect us in any way.

This time everything is different, the WannaCrypt virus (Wana Decrypt0r 2.0) affects any computer. Moreover, to become infected, you do not need to download and run suspicious files or visit dubious sites. WannaCrypt (Wana Decrypt0r 2.0) exploits a bug in Microsoft Windows operating systems; it is enough to infect one computer on the local network and within an hour all the others will be infected, unless a special update is installed on them.

The update itself, which provides protection against WannaCrypt (Wana Decrypt0r 2.0), was released by Microsoft back in March; it was automatically installed on all licensed copies of modern Windows operating systems around the world. Only users of old or unlicensed (pirated) systems were left under attack. In some large companies, computers are not updated automatically, but at the command of the administrator. If the March updates were still not installed, the computers of such companies also came under attack, as happened, for example, with the Megafon company.

How to avoid infection with the WannaCrypt virus (Wana Decrypt0r 2.0)

If you are using licensed Windows 10 and periodically see the system updating when you turn off or turn on your computer, then you have nothing to worry about. Your system was automatically and promptly updated, you are not at risk.

If you are using an outdated or pirated copy of the Windows operating system, you urgently need to install a special update. Microsoft has released updates for all versions of Windows, even older ones like Windows XP. Select your operating system version, download and run the update. It will be installed even if you are using a pirated version of Windows.

List of updates for all versions of Windows to protect against the WannaCrypt virus:

If you don't know what version of Windows you have, please check.

The update size is 200-600 megabytes, depending on the version. Download and install the update for your operating system as quickly as possible!

If you have a slow or limited Internet connection and cannot install the update quickly, you can try a workaround:

  1. Run the cmd command line as an administrator.
  2. Copy the following text: Netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="Block_TCP-445"
  3. Paste it into the command line and press the Enter key, the system should respond with “OK”.
  4. As soon as possible, install the update from Microsoft.
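Both port 445 workarounds on this page, stopping the lanmanserver service and adding the Block_TCP-445 firewall rule, can be checked in one read-only pass. This is an added example, not part of the original article; the function name and verdict strings are made up here, and the rule name is the one from the netsh command above.

```powershell
# Added example, not from the original article. "Block_TCP-445" is the rule
# name used in the netsh command above; the script only reads state.
function Get-Smb445Exposure {
    param([string]$RuleName = 'Block_TCP-445')

    # In PowerShell `sc` is an alias for Set-Content, so call sc.exe explicitly.
    $startLine = sc.exe qc lanmanserver | Select-String 'START_TYPE' |
        Select-Object -First 1
    $startType = 'unknown'
    if ($startLine) { $startType = ($startLine.Line -split ':', 2)[1].Trim() }

    $service = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $status = 'NotFound'
    if ($service) { $status = $service.Status.ToString() }

    # Match 445 only as the local port of a listening TCP socket. A plain
    # findstr ":445" would also match ports such as :4450 or :44500.
    $listeners = @(netstat -n -a |
        Select-String '^\s*TCP\s+\S+:445\s+\S+\s+LISTENING')

    # netsh prints the rule, including its name, only when the rule exists.
    # This confirms existence, not that the rule is enabled.
    $ruleOut = netsh advfirewall firewall show rule "name=$RuleName"
    $ruleExists = [bool]($ruleOut | Select-String -SimpleMatch $RuleName)

    # The firewall rule filters inbound traffic but leaves the service
    # running, so netstat still shows LISTENING after that workaround.
    if ($listeners.Count -eq 0) {
        $verdict = 'Closed: nothing is listening on TCP 445'
    } elseif ($ruleExists) {
        $verdict = 'Filtered: listening, inbound block rule present'
    } else {
        $verdict = 'Exposed: listening and no block rule found'
    }

    New-Object PSObject -Property @{
        ServiceStatus    = $status
        ServiceStartType = $startType
        Listeners        = ($listeners | ForEach-Object { $_.Line.Trim() })
        BlockRulePresent = $ruleExists
        Verdict          = $verdict
    }
}

Get-Smb445Exposure | Format-List
```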

How to disinfect your computer and decrypt files encrypted with WannaCrypt

We have prepared a separate article on how to cure a computer after infection with the WannaCrypt virus (Wana Decrypt0r 2.0):

If you have any questions or need clarification, write in the comments. We read everything and respond to everyone!
