The WannaCry ransomware is spreading like fire and causing a ruckus everywhere. In such a situation, the most important thing a user infected with the Wana Decryptor or WannaCrypt0r ransomware should do is remove it as soon as possible, because even if you do not pay the demanded money, the ransomware keeps running in the background and encrypting new files as you create them. This guide will not only teach victims how to remove WannaCry ransomware but also introduce an easy-to-use tool for decrypting the infected files. We will provide the analysis and methods needed to eradicate the WannaCry ransomware.
What is WannaCryptor, WNCRY, WannaCry or Wana Decryptor?
The WNCRY or WannaCry ransomware is an infection designed to encrypt all the vulnerable files on a computer so that the user is unable to access them. In return for the decryption key, its operators demand a ransom in bitcoin. The program marks the files it encrypts with the extension WNCRY. As you might have already guessed, there is no single name for this ransomware: reporters and researchers use multiple names, and every community calls it by its own. But its lock screen is titled Wana Decryptor 2.0, which is why it is popularly referred to as WannaCry ransomware.
The WannaCry malware spread widely across the globe on 12 May 2017 by using an exploit, allegedly from the NSA, called ETERNALBLUE, which had recently been leaked on the Internet by a hacking group known as The Shadow Brokers. It then spread like a storm and infected many big operators such as Chinese universities, Telefonica, and the Interior Ministry of Russia. It has spread across 150 countries, infecting over 400 thousand computers worldwide.
How is WannaCry Spreading so Fast?
WannaCry was first spotted a few weeks ago by the MalwareHunter Group, but at that point it was still under development. After that it exploded and spread through the ETERNALBLUE exploit.
This ransomware spreads through a worm executable that scans the Internet for Windows servers that have Samba TCP port 445 accessible. This is the SMB port that the ETERNALBLUE exploit uses to gain access to a computer. When the worm gains access to a computer, it creates a new copy of itself and executes it on the infected computer.
The worm connects to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the connection succeeds, the worm simply exits. The domain therefore acts as a kill switch; it was discovered accidentally when a security researcher registered the domain to gather statistics on infections.
If the worm fails to connect to this domain, it extracts a protected zip file, embedded in the worm program, that contains the ransomware. The ransomware then starts running and encrypting all the victim’s files.
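The two network behaviours described above, the lookup of the kill-switch domain and the scanning for hosts with port 445 reachable, both leave traces that a defender can search for. The following is an added example, not part of the original article: it triages constructed DNS and flow logs, and the key=value log format, the threshold of 5 and all addresses are assumptions.

```python
import re
from collections import defaultdict

KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # domain quoted in the article
FANOUT_THRESHOLD = 5  # assumed cut-off: distinct TCP 445 destinations per source
FIELD = re.compile(r"(\w+)=(\S+)")  # key=value pairs of the hypothetical log format

# Constructed sample logs (not real telemetry).
DNS_LOG = """\
2017-05-12T09:14:02 client=10.0.0.21 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A
2017-05-12T09:14:05 client=10.0.0.35 query=update.example.org type=A
2017-05-12T09:15:11 client=10.0.0.42 query=IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. type=A
"""
FLOW_LOG = "\n".join(
    [f"2017-05-12T09:14:{i} src=10.0.0.21 dst=192.0.2.{i} dport=445 proto=tcp"
     for i in range(10, 18)]  # one host sweeping eight addresses
    + ["2017-05-12T09:20:00 src=10.0.0.35 dst=10.0.0.5 dport=445 proto=tcp",
       "2017-05-12T09:21:00 src=10.0.0.35 dst=198.51.100.7 dport=443 proto=tcp"])

def kill_switch_clients(dns_log):
    """Clients that looked up the kill-switch domain or a subdomain of it."""
    hits = set()
    for line in dns_log.splitlines():
        rec = dict(FIELD.findall(line))
        name = rec.get("query", "").lower().rstrip(".")  # normalise case, trailing dot
        if name == KILL_SWITCH or name.endswith("." + KILL_SWITCH):
            hits.add(rec.get("client", "unknown"))
    return hits

def smb_fanout_sources(flow_log, threshold=FANOUT_THRESHOLD):
    """Sources that contacted at least `threshold` distinct hosts on TCP 445."""
    targets = defaultdict(set)
    for line in flow_log.splitlines():
        rec = dict(FIELD.findall(line))
        src, dst = rec.get("src"), rec.get("dst")
        if rec.get("dport") == "445" and rec.get("proto") == "tcp" and src and dst:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}

def triage(dns_log, flow_log):
    """Map each suspect host to the sorted list of indicators it matched."""
    report = defaultdict(list)
    for host in kill_switch_clients(dns_log):
        report[host].append("kill-switch lookup")
    for host in smb_fanout_sources(flow_log):
        report[host].append("port-445 fan-out")
    return {host: sorted(reasons) for host, reasons in report.items()}

print(triage(DNS_LOG, FLOW_LOG))
```

A host that matches only the kill-switch lookup still ran the worm executable and should be isolated and cleaned with the steps below.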
There is reason to worry even if your computer is currently safe: the virus is spreading like a zombie, and you need to take precautions so it won’t harm your system. First, install antivirus software on your computer and on your mobile devices (Android and iPhone). Do not open any suspicious mail, and don’t download files without scanning them. Also update your devices to the latest version of the OS.
Method to Remove Ransomware Virus or WannaCry Virus
Step 1. Make Every File and Folder Visible
From experience we know that the malware is not visible at first, so we have to make sure that every file on the system is visible and that no hidden files remain. To do this, we make all hidden files visible through “Folder Options”, which can be reached from the Control Panel.
In the Control Panel, go to Appearance & Personalization and from there to Folder Options. Then switch to the View tab, where you will find the option “Show hidden files, folders, and drives”. Select this option. Once the setting is applied, the malware files become visible.
Step 2. Rebooting the PC in Safe Mode
Making all the files and folders visible was the first step. Now we have to restart Windows in Safe Mode, which is the basis for the steps that follow. So how do we enter Safe Mode?
The answer is simple and straightforward. Once you have clicked on Restart, the system will reboot. During the reboot, press the F8 key repeatedly at intervals of about 1 second. After a few presses, the normal boot process stops and the Advanced Boot Options screen appears, which lists the “Safe Mode” option. Use the arrow keys to navigate to this option and press Enter to start the PC in Safe Mode.
Step 3. End all the Suspicious Malware Processes Running on your Computer
Once we are in Safe Mode, we can look for suspicious processes. A process is a program in execution. Since the Wannacrypt ransomware is a malware program that has been unknowingly executed on our system, the only way to stop it is to stop every process associated with it.
To find this information, we start the Task Manager. There are several ways of doing it: press Ctrl + Shift + Esc, or press Ctrl + Alt + Del and choose Task Manager from there, or simply run the taskmgr command in the Run window.
Here we have to manually examine the processes running on our system and look for suspicious ones. To terminate a process, right-click on it and then click on “End Process”. So don’t think much before ending a process. Just end every process that you find suspicious. In this way you can get rid of the malware.
There are various types of suspicious processes, and you can look them up online. Use that help and end each and every one of them.
Step 4. Preventing the Wannacrypt Ransomware from Booting
This step deals with completely cleaning your system. We have to prevent the ransomware from starting at boot, otherwise the PC will remain infected. To do this, we remove it from the startup list in msconfig, which we can open with the following steps.
- Press the Windows key and R at the same time to open the Run window.
- Type msconfig and then press Enter.
The System Configuration window is now open. For a smooth, malware-free boot, all the malware files and processes must be removed from the system. Go to the Startup tab, where there are multiple entries for startup processes. Uncheck the entries that come from an unknown manufacturer and could possibly be malware.
After applying the above changes, the system can be restarted in the normal way. This way we can ensure that the ransomware virus has been completely eradicated from the system. Until that has been done, we can’t proceed to getting our data back, because the malware would still be active.