Eliminate WannaCryptor Ransomware Virus And Restore .wcry Files (Updated)

WCry (also known as WannaCry or WannaCryptor) is ransomware that encrypts your files, changes their extensions to .WCRY, .WNCRY and .WNCRYT and asks for a Bitcoin payment. It forces you to buy a program called Wanna Decryptor, claiming that otherwise the files are lost.

It first appeared in February 2017 but has since been updated and now looks different from the previous version. It is now harder to remove and might be able to evade some anti-malware programs.

There has also been a massive outbreak on May 12, 2017. Thousands of computers have been affected by the new Wanna Decrypt0r 2.0. Read more below.

3 days are given to make a payment or the price will double. After 7 days the ransomware threatens to make your files unopenable forever. However, there is no guarantee that the ransomware creators will provide you with a required decryption key and you might lose both your money and your files. Therefore, we recommend removing the threat yourself and then using alternative ways to recover your files.

Unfortunately, it might be very hard to decrypt .WCRY files. However, a tool has been developed which sometimes is able to successfully recover private key from memory and use it for decryption. If you still have not rebooted your computer after the attack there are chances of recovering your files. DO NOT RESTART YOUR COMPUTER and do not try to remove the virus in such case! First, download this (wanakiwi) tool and follow the instructions on its page. Only if the method is unsuccessful move on to removing the threat.

We also have several alternative methods that you can use if this one fails. Remember to completely eliminate the threat first before moving on to alternative file recovery as otherwise you might cause even more damage.

We have an automatic tool which will remove the virus and protect from similar problems in the future. You can also follow the manual guide; however, it does not guarantee protection in the future. This is why we recommend choosing the automatic tool as an easier and more reliable method.


Recommended Method: Download WCry Ransomware Removal Tool

Version: All | Updated: 2 days ago | Compatible OS: All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here.
File name: mb3-setup.exe (56.5 MB)

Click here to download alternative tool

What is WCry ransomware virus?

Like other ransomware viruses, WannaCryptor encrypts your files using a strong algorithm (in this case AES/RSA) and makes them impossible to open using regular software. It then asks you for a Bitcoin payment (for example, 0.3 BTC) and threatens to double the price if you fail to pay within 3 days. It also warns that after 7 days the files will become impossible to recover.

More and more ransomware viruses seem to employ the new trend of including all instructions in an offline program instead of having a payment website. WCry is no exception as it also does not host any website on the TOR network and has all information available in a window called Wanna Decryptor 1.0. This is done so that all infected users would be able to access the instructions.

The file extensions are changed to .WCRY as soon as the files are encrypted. For example, “sample.docx” becomes “sample.docx.WCRY”. Many ransomware-related files are also placed across the computer: !WannaDecryptor!.exe, !WannaDecryptor!.exe.lnk, !WannaCryptor!.bmp, !Please Read Me!.txt and more.

UPDATE (May 12, 2017): a massive outbreak of this ransomware has been spotted. In only a few hours thousands of victims have been affected by the WCry virus. An alleged NSA exploit has been used to target individuals and organizations. Many clinics, electricity and natural gas providers, government institutions and businesses were affected. The ransom note window is named “Wanna Decrypt0r 2.0”. The extensions are changed to .WNCRY and .WNCRYT. The new ransom note files are named “@Please_Read_Me@.txt”.

At the moment there seem to have been two major updates since the launch, but more might be scheduled in the future. The 1.0 version looks similar to 2.0, while the very first one had a completely different color scheme.

WCry ransomware timeline (newest at the top):

  • May 12, 2017. A massive outbreak of WannaCry ransomware. Alleged NSA exploits called ETERNALBLUE and DOUBLEPULSAR, leaked by a group named The Shadow Brokers, have been employed. Thousands of individuals and organizations affected.
  • March 25, 2017. The ransom note application is named “Wanna Decryptor 1.0” and the desktop background is changed to a black wallpaper with instructions. Application color scheme changed to red.
  • January, 2017. The first version appeared. The ransom note window was titled “Notification” and had a green-blue color scheme.

The current ransom note contains the following text:

Ooops, your files have been encrypted!

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. 
Maybe you are busy looking for a way to recower your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. 
(But you have not so enough time.)
You can try to decrypt some of your files for free. Try now by clicking <Decrypt>. 
If you want to decrypt all your files, you need to pay.

You only have 3 days to submit the payment. After that the price will be doubled. 
Also, if you don't pay in 7 days, you won't be able to recover your files forever.

The virus not only launches a ransom note .exe file but also places several text files called !Please Read Me!.txt. The desktop wallpaper is named !WannaCryptor!.bmp and instructs you to download decryption software from a DropBox link in case an antivirus blocked it:

Ooops, your important files are encrypted.
If you see this text, but don't see the "Wanna Decryptor" window, 
then your antivirus removed the decrypt software or you deleted it from your computer.
If you need your files, you have to recover "Wanna Decryptor" from the antivirus quarantine, 
or download from the address below:
https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1
Run "Wanna Decryptor" to decrypt your files!

One of the main ways for this virus to spread is using spam emails. The infection is disguised as an important attachment and enters your system as soon as you open it. It might also target victims using exploit kits, infected websites and other popular malicious techniques.

Even if you pay the ransom there is no guarantee that you will receive the decryption key. The virus creators might also have left a backdoor, and more infections might appear later. Therefore, we recommend ignoring the threats and removing the ransomware yourself.

We have an automatic removal tool which will not only completely eliminate all threats on your system but also protect from viruses in the future. We also have a manual guide for experienced Windows users. However, this option does not guarantee protection afterwards and is not as reliable as the tool provided above.

Unfortunately, we cannot provide you with a reliable decryption software at the moment. Security researchers still have not found a good solution for .WCRY files. However, if your machine still has not been restarted you can try using wanakiwi decryption tool.

We also have several alternative ways which might help you recover the encrypted files. Just remember to completely eliminate the threat before moving on to retrieving your files. We also recommend creating a backup with the encrypted .WCRY files.

Screenshots of WannaCryptor ransomware:

     


Manual Removal Instructions:

If you still have not restarted your computer after the attack happened, please DO NOT remove the virus yet. First, try using wanakiwi decryptor which sometimes is able to recover your files successfully.

NB: Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Editing important Windows files and settings can be risky. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system, since WannaCryptor is a complicated and dangerous ransomware.

Do not skip any steps as otherwise the threat might come back again and cause more damage.

At this point the virus has become so aggressive that we strongly recommend using the automatic tool instead of manually removing the threat. Follow the guide below only if you really know what you are doing!

Step 1:

Find any processes that might be associated with the WannaCryptor ransomware virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on the Windows taskbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

 

Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Start by checking these process names, which are commonly associated with the infection:

message.exe
wcry.exe
!WannaDecryptor!.exe
@WanaDecryptor@.exe
svchost.exe
taskschs.exe
taskse.exe
taskdl.exe
mssecsvc.exe

Also look for other randomly named .exe files. If you find such a file, note down its name, as you will need to search for it in the Windows Registry later. Keep in mind that svchost.exe is also a legitimate Windows system process: treat it as suspicious only if Open File Location points somewhere other than the Windows System32 folder.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all suspicious processes.

Step 2:

Check your hosts file for any suspicious IPs.

Press and hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

notepad %windir%\System32\drivers\etc\hosts

Click OK.

The hosts file will open in Notepad. Delete any mapping lines that are not commented out with a leading “#”, except the “127.0.0.1 localhost” entry. Here is an example:
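The check described in this step can also be done programmatically, which is handy when several machines have to be reviewed. The following is an added example, not code from the original guide: it parses hosts-file text, reports every active mapping that is not a plain localhost loopback entry, and returns a copy of the file with those lines removed. It keeps both the IPv4 and IPv6 localhost entries (a generalization of the “127.0.0.1 localhost” rule above). The sample hosts content is constructed; the addresses and names in it are reserved documentation values, not real hosts.

```python
import ipaddress
import os
from typing import List, Tuple

# Loopback mappings a clean hosts file is expected to carry. The guide keeps
# "127.0.0.1 localhost"; "::1 localhost" is its IPv6 counterpart.
ALLOWED_LOOPBACK = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample hosts file for the example below (documentation addresses).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
# 102.54.94.97     rhino.example          # commented out, ignored
127.0.0.1       localhost
::1             localhost
198.51.100.23   update.example       # constructed: sends a real host elsewhere
127.0.0.1       av-vendor.example    # constructed: silently blocks a site
"""


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every active mapping that is not
    a plain localhost loopback entry. Comment-only lines and blank lines are
    skipped; an inline '# ...' comment after a mapping is stripped first."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # keep only the mapping part
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname to resolve
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address at all; Windows ignores it too
        for name in names:
            if (ip, name.lower()) in ALLOWED_LOOPBACK:
                continue
            findings.append((lineno, ip, name))
    return findings


def cleaned_hosts(text: str) -> str:
    """Return the hosts text with every line reported by audit_hosts() removed,
    which is what the manual step above does by hand."""
    bad = {lineno for lineno, _, _ in audit_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On a Windows machine, review the real file (read-only here; edit by hand).
    hosts_path = os.path.expandvars(r"%windir%\System32\drivers\etc\hosts")
    text = open(hosts_path, encoding="utf-8", errors="replace").read() \
        if os.path.isfile(hosts_path) else SAMPLE_HOSTS
    for lineno, ip, name in audit_hosts(text):
        print(f"line {lineno}: {ip} -> {name}")
```

Run without arguments it reviews the live hosts file on Windows and falls back to the constructed sample elsewhere; it only reports, so the decision to delete a line stays with you, as the step above intends.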

Step 3:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 4:

Clean up Windows temporary files as there are usually several WCry ransomware files placed here.

You can safely remove all temporary files without posing any risk to your computer.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 5:

Check for any recent changes in all the other important system files.

WCry usually makes changes to important system files in order to stay undetected.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here blindly! First sort by “Date Modified” and look for recently changed files. Scan a file with virustotal.com only if you see that it has just been changed, and remove only files reported as dangerous. Otherwise you might remove critical system files and Windows might stop working.

The virus might copy its files to this directory so you might find randomly named .exe, .dll, .bat, .vbs or other recently placed files.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!

Step 6:

Clean up your registry entries.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Search for the ransomware entries by pressing CTRL + F and entering the file extension name in the search field. For example:

wcry

Click Find Next.

Repeat search and delete all registry entries associated with the virus.

Then repeat the search with the following text:

wannacry
wannadecryptor
decrypt0r
WanaCrypt0r
wnry

Step 7:

Use Windows File Search (you can open it from the Start Menu by pressing the Windows key) to find the following files and delete any you find (some of them might already have been deleted during the earlier steps):

!WannaCryptor!
wcry.exe
@WanaDecryptor@.exe
WanaCrypt0r

You should also delete “!WannaDecryptor!.exe”, but you can make a backup of it on a separate medium first.
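Steps 5 and 7 above both boil down to walking directories and flagging files either by a known name or by a recent modification time. The script below is an added example that does both in one pass; it is not part of the original guide. It uses the indicator file names and extensions the guide lists, computes each hit's SHA-256 so the hash can be looked up on virustotal.com instead of uploading the file, and deletes nothing. The sample directory tree it builds for the demonstration is constructed, and the file names and byte contents in it are made up.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Tuple

# Extensions the guide says dropped files typically carry (Step 5).
EXECUTABLE_EXTS = {".exe", ".dll", ".bat", ".vbs"}

# File names the guide lists as WCry indicators (Steps 1 and 7), lower-cased.
INDICATOR_NAMES = {
    "!wannadecryptor!.exe", "@wanadecryptor@.exe", "wcry.exe", "message.exe",
    "!please read me!.txt", "@please_read_me@.txt", "!wannacryptor!.bmp",
    "taskse.exe", "taskdl.exe", "taskschs.exe", "mssecsvc.exe",
}
# Name fragments from the guide that appear with varying suffixes.
INDICATOR_SUBSTRINGS = ("wanacrypt0r", "!wannacryptor!", "!wannadecryptor!")


@dataclass
class Finding:
    path: str
    reason: str
    sha256: str  # look this up on virustotal.com instead of uploading the file


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_directory(root: str, modified_since: float) -> List[Finding]:
    """Walk root and report files that carry a known indicator name, or that are
    executables/scripts modified at or after modified_since (epoch seconds).
    Nothing is deleted: the list is for review, as Step 5 requires."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            try:
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # vanished or unreadable; keep walking
            if lower in INDICATOR_NAMES or any(s in lower for s in INDICATOR_SUBSTRINGS):
                reason = "known WCry indicator name"
            elif ext in EXECUTABLE_EXTS and mtime >= modified_since:
                reason = f"{ext} modified after cutoff"
            else:
                continue
            findings.append(Finding(path, reason, sha256_of(path)))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree(base: str) -> float:
    """Constructed sample tree: benign old files plus dropped-looking new ones.
    Returns the cutoff (one hour ago) used for the recency check."""
    now = time.time()
    old = now - 30 * 24 * 3600  # a month ago, i.e. before the "attack"
    files = {
        "Microsoft/Windows/settings.ini": (b"[ok]\n", old),
        "oldtool/helper.dll": (b"MZ-old-constructed", old),
        "@WanaDecryptor@.exe": (b"MZ-constructed-sample-1", now),
        "rnd8x1q.exe": (b"MZ-constructed-sample-2", now),
        "notes/@Please_Read_Me@.txt": (b"Ooops", now),
        "docs/report.docx.WNCRY": (b"ciphertext", now),  # encrypted data, not a dropper
    }
    for rel, (content, ts) in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (ts, ts))
    return now - 3600


def run_demo() -> List[Tuple[str, str, int]]:
    """Triage the constructed tree; returns (basename, reason, len(sha256))."""
    with tempfile.TemporaryDirectory() as base:
        cutoff = build_demo_tree(base)
        return [(os.path.basename(f.path), f.reason, len(f.sha256))
                for f in triage_directory(base, cutoff)]


if __name__ == "__main__":
    # Real use on Windows: the four directories the guide names in Step 5,
    # flagging executables changed in the last 24 hours plus any indicator names.
    for var in ("%AppData%", "%LocalAppData%", "%ProgramData%", "%WinDir%"):
        root = os.path.expandvars(var)
        if os.path.isdir(root):
            for f in triage_directory(root, time.time() - 24 * 3600):
                print(f"{f.reason:28} {f.sha256}  {f.path}")
```

The encrypted .WNCRY document in the sample is deliberately not reported: it is a victim file to back up, not a dropped component to delete, and the extension filter keeps the two apart. The 24-hour window in the main block is a starting point; widen it to cover the time since the attack.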

 Decrypting The Files:

If you still have not restarted your computer after the attack happened, please DO NOT restart it yet. First, try using the wanakiwi decryptor, which sometimes is able to recover your files successfully.

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.
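Because every later recovery step (System Restore, shadow copies, file recovery software, or a decrypter that may appear in the future) works best from an untouched copy, the backup recommended above is worth doing carefully. The script below is an added example, not code from the original guide: it inventories files carrying the .WCRY, .WNCRY or .WNCRYT extensions the guide describes, recovers the pre-encryption file name for the inventory, and copies the encrypted files to a destination folder while preserving the directory layout. The sample files it creates for the demonstration are constructed.

```python
import os
import shutil
import tempfile
from typing import Dict, List, Optional, Tuple

# Extensions WCry appends, per the guide (.WCRY for the early builds, .WNCRY
# and .WNCRYT for the May 2017 wave). Matched case-insensitively.
WCRY_EXTENSIONS = (".wcry", ".wncry", ".wncryt")


def original_name(filename: str) -> Optional[str]:
    """Return the pre-encryption name ("sample.docx.WCRY" -> "sample.docx"),
    or None if the file does not carry one of the WCry extensions."""
    lower = filename.lower()
    for ext in WCRY_EXTENSIONS:
        if lower.endswith(ext) and len(filename) > len(ext):
            return filename[: -len(ext)]
    return None


def inventory(root: str) -> List[Tuple[str, str]]:
    """List (relative_path, original_name) for every encrypted file under root."""
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            orig = original_name(n)
            if orig is not None:
                rel = os.path.relpath(os.path.join(dirpath, n), root)
                found.append((rel.replace(os.sep, "/"), orig))
    return sorted(found)


def backup_encrypted(root: str, dest: str) -> Dict[str, int]:
    """Copy every encrypted file to dest, keeping the directory layout so a
    future decrypter can be run over the copy. Files are copied, never moved
    or renamed: the encrypted originals stay where they are."""
    copied = total = 0
    for rel, _ in inventory(root):
        src = os.path.join(root, *rel.split("/"))
        dst = os.path.join(dest, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps timestamps for later triage
        copied += 1
        total += os.path.getsize(dst)
    return {"copied": copied, "bytes": total}


def run_demo() -> Dict[str, object]:
    """Build a constructed folder, inventory it and back it up."""
    with tempfile.TemporaryDirectory() as base:
        root, dest = os.path.join(base, "Documents"), os.path.join(base, "backup")
        sample = {  # constructed: three encrypted files and one untouched file
            "report.docx.WNCRY": b"ciphertext-1",
            "photos/trip.jpg.WCRY": b"ciphertext-two",
            "photos/keep.png": b"plain",
            "temp.wncryt": b"ct",
        }
        for rel, content in sample.items():
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(content)
        inv = inventory(root)
        stats = backup_encrypted(root, dest)
        copied_ok = os.path.isfile(os.path.join(dest, "photos", "trip.jpg.WCRY"))
        return {"inventory": inv, "stats": stats, "backup_exists": copied_ok}


if __name__ == "__main__":
    # Real use: point root at the affected profile and dest at external media.
    for rel, orig in inventory(os.path.expanduser("~")):
        print(f"{rel}  (was {orig})")
```

The inventory doubles as the list to keep alongside the backup: if a decrypter appears later, it shows which original names to expect, and the byte count lets you verify that the copy on the external medium is complete.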

Check for WannaCryptor ransomware file decrypter here: List of currently available decrypters. Currently there is no reliable option but virus researchers might develop a better tool in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

cmd

Click OK.

A command prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a .WCRY decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the WannaCryptor ransomware virus you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.

4 comments on “Eliminate WannaCryptor Ransomware Virus And Restore .wcry Files (Updated)”

  1. Last week the WannaCryptor ransomware virus came to my PC and locked all my files, and I did not know how to fix it, so I reinstalled my Windows. But some important data like some pics and videos that I had backed up are all infected with the virus and their extension name is .wcry. I had to ask: how do I fix just those files?

    1. Hello, unfortunately there is no reliable way to recover .wcry files as there is no official decrypter at the moment. Another drawback is that you have reinstalled your Windows, which can complicate the recovery process even further. The best way at this point would be trying a file recovery program: http://virusremovalinstructions.com/how-to-recover-lost-files-using-recover-my-files-software/

      Follow the instructions in that link and try recovering the files. You can scan and make a list first to see if there are salvageable files.

  2. I am one of those unlucky ones who got infected today. Two computers were affected… Thanks for the instructions, they helped me a lot. Never seen a ransomware before so it was quite hard for me to know what to do and where to begin.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!
