How to remove Wana Decrypt0r virus and restore .WNCRY encrypted files

Wana Decrypt0r exploits a Windows vulnerability and infects the user's computer without any visible activity. After the computer has been penetrated, the victim sees a desktop background reminding them that the files were encrypted, along with a pop-up window with information about the virus. This guide answers two questions: how to delete Wana Decrypt0r and how to restore the encrypted data.

 

Wana Decrypt0r ransomware virus

 

The virus reaches your machine through malicious e-mail attachments or through network port 445, and then immediately begins to encrypt your folders. If you didn't manage to stop the virus before it got in, your files will be encrypted. Wana Decrypt0r encrypts all file types, including video, text, images and audio. Encryption takes from five minutes to several hours; the speed depends on the computer's performance and the amount of data stored on it. The ransom is 300 USD; if you have not paid within three days, the sum is doubled, and after 7 days the criminals threaten to delete the files.

Ransomware is one of the most dangerous kinds of malware a user can face. Most viruses only cause discomfort, and the results of their actions can be eliminated in a few minutes, but ransomware does major harm, and in most cases you need to spend money and time to fix it. The most malicious of all is encrypting ransomware such as Wana Decrypt0r, which brings the greatest gain to its developers and major losses to its victims.

 

Encrypted files

 

Most ransomware applies strong encryption algorithms such as AES-128 and RSA-2048, which are also used to protect the files of governments, secret services and big corporations. Wana Decrypt0r is no exception. This means that you have only one absolutely reliable method to recover the files: restoring from a backup. Without backups you may have to forget about your files, because you cannot be sure that the hackers who seized your files won't trick you again once the payment is received. There are a few other ways to try to recover your data, but they aren't absolutely effective.

File recovery is your main objective if your files were hit by an encrypting virus. Nonetheless, the virus must be removed to protect new files. Whichever recovery technique you choose, you still have to eliminate Wana Decrypt0r. Whether you use manual decryption or restore from backups, delete Wana Decrypt0r as soon as possible; and even if you prefer to pay the criminals, Wana Decrypt0r must be deleted before the complete data recovery. Removal can be performed with a dedicated antivirus program or manually. Both methods are equally fast and reliable, but they demand very different levels of experience and knowledge.

How to remove Wana Decrypt0r Virus

 

 

 

Step 1. Block TCP port 445

Start the command line as administrator.

  • Press Start
  • Type cmd and run it as administrator
  • Type: netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="Block_TCP-445"
  • Press Enter

Step 2. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select the Boot tab
  • Select Safe boot and press OK


 

Step 3. Show all hidden files and folders

  • Press Start
  • Click Control Panel
  • Select Appearance and Personalization
  • Click Folder Options
  • Select the View tab
  • Select Show hidden files, folders and drives
  • Press OK

 

Step 4. Remove virus files

 

Check the following folders for suspicious files:

  • %TEMP%
  • %APPDATA%
  • %ProgramData%

 

Step 5. Fix hosts file

  • Go to the %SystemRoot%\System32\drivers\etc\ folder
  • Open the hosts file using Notepad or another text editor
  • Delete suspicious entries
  • A basic hosts file looks like this:

[Screenshot: default hosts file]
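
The following PowerShell script is an added example, not part of the original guide. It parses the hosts file from Step 5 and lists every active (non-comment) mapping, so the entries to review stand out from the comment lines; the function name Get-ActiveHostsEntry is hypothetical.

```powershell
# Added example: list active (non-comment) entries in the hosts file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1')

# Hypothetical helper: turns hosts-file lines into one object per hostname.
function Get-ActiveHostsEntry([string[]]$Lines) {
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        # Everything after '#' is a comment, also in the middle of a line.
        $body = ([string]$line -split '#', 2)[0].Trim()
        if (-not $body) { continue }
        # Format: <address> <hostname> [<alias> ...], separated by spaces or tabs.
        $fields = @($body -split '\s+')
        if ($fields.Count -lt 2) { continue }   # address without a hostname
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{
                Line     = $lineNo
                Address  = $fields[0]
                HostName = $name
                Loopback = ($loopback -contains $fields[0])
            }
        }
    }
}

$entries = @(Get-ActiveHostsEntry (Get-Content -Path $hostsPath))
if ($entries.Count -eq 0) {
    'No active entries: every line is blank or a comment.'
} else {
    # Non-loopback mappings are listed first; review each one before deleting it.
    $entries | Sort-Object Loopback, Line |
        Format-Table Line, Address, HostName, Loopback -AutoSize
}
```

The script only reads the file; any deletion is still done by hand in the editor as described in the step.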

 

Step 6. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean the startup registry keys (check both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER where shown):
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
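
The following PowerShell script is an added example, not part of the original guide. It lists the values under the startup keys from Step 6 in both hives without changing anything, and marks entries whose command points into the folders named in Step 4; the helper name Test-WatchedPath and the InWatchedFolder column are hypothetical.

```powershell
# Added example: read-only listing of the startup entries named in Step 6.
$subKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
$hives   = 'HKLM:', 'HKCU:'

# Folders from Step 4, resolved for the current user; empty values are skipped.
$watched = @($env:TEMP, $env:APPDATA, $env:ProgramData) | Where-Object { $_ }

# Hypothetical helper: true when a startup command refers to a watched folder.
function Test-WatchedPath([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($dir in $watched) {
        if ($expanded.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$entries = foreach ($hive in $hives) {
    foreach ($sub in $subKeys) {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $path)) { continue }   # key is absent on many systems
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            New-Object PSObject -Property @{
                Key = $path; Name = $name; Command = $command
                InWatchedFolder = (Test-WatchedPath $command)
            }
        }
    }
}

# Flagged entries first. A flag means "look at this", not "this is malware".
$entries | Sort-Object InWatchedFolder -Descending |
    Format-List InWatchedFolder, Key, Name, Command

# Userinit is a value under the Winlogon key; print it for manual comparison.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
(Get-ItemProperty -Path $winlogon).Userinit
```

Legitimate software also starts from %APPDATA% and %ProgramData%, so treat the flag as a shortlist for manual review in Regedit rather than a verdict.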

Step 7. Scan computer with antivirus

 

You can use Avast, Dr.Web, Emsisoft or another trusted antivirus. We suggest SpyHunter as an antivirus tool.

 


Why we recommend SpyHunter

Spyhunter removes malware fully

It protects the system against all kinds of threats: viruses, adware and hijackers

24/7 Free Support Team



 

Step 8. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Clear the Safe boot check box

Step 9. Update Windows

 

This is a very important step that helps you prevent a new infection!

How to restore files encrypted by Wana Decrypt0r

If you have not restarted (rebooted) your system since the encryption, you can run these decryptors:

For Windows XP: https://github.com/aguinet/wannakey

For Windows XP, Windows 7, Vista, 2003 and 2008 server: https://github.com/gentilkiwi/wanakiwi/releases

 

As this guide has said several times, a user whose system has been captured by ransomware has only one 100% effective technique to recover data: restoring from backups. Try the other methods if you have no other option, but be prepared for them to fail. The advantage of backups is that they are kept on an external drive and are not exposed to the virus.

All other methods depend on built-in Windows services, and their effectiveness may be reduced by the complexity of the ransomware and by lack of skill. Apart from backup copies and paying the ransom, there are two complementary ways to recover your files: the Shadow Volume Copies service and decryption with a special decryption program. Decryption with a special decryptor is quite effective but, unfortunately, this tool does not yet exist. News on the progress of its development can be found on the official sites of Kaspersky Lab, MalwareHunterTeam and Emsisoft.

Manual restore via shadow copies can be done without any preparation. You can use the basic functionality of Windows, but we suggest more convenient programs that significantly simplify the task. These programs are completely free and were made by reliable developers. They are ShadowExplorer and Recuva, and you can find more information on their official websites.

  • Click Start
  • Click Control Panel
  • Click System and Security
  • Select Backup and Restore
  • Select Restore files from backup
  • Select the checkpoint to restore

 

 

 

 

 
