Wanna Cry Virus Removal (+Recover Files)

How to Remove Wanna Cry Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

Your important files are encrypted.
    Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.


There is a new cyber threat plaguing users, called Wanna Cry. The aptly named infection is of the ransomware variety. Many have complained about how it infiltrated their system, corrupted it, and extorted them for money. In a nutshell, that is how ransomware works. It invades by stealth, takes over once inside, and before you know it your files are locked and inaccessible. You are greeted with a message on your Desktop and in every folder affected by the threat. It explains your predicament, states that you are dealing with ransomware, and says you have two choices: pay the ransom to get your files back, or not. The infection claims that upon receiving payment it will give you the decryption key you need; apply it, and your files are free. In reality it is not as simple as the threat makes it out to be. You have no guarantee that paying leads to a positive result. If you pay, you are relying on criminals to keep their word, which is a contradiction in terms. They can double-cross you at every step: not send a key after you pay, or send the wrong one. And even if you get a working key, the ransomware itself is still on your PC. The key you paid for only removes the encryption, not the threat, which remains free to strike again. Do not go down that path. It is a tough choice, but experts advise against paying. Treat the encrypted data as lost unless you can restore it from a backup; it is the lesser of two evils.

How did I get infected?

The Wanna Cry menace uses trickery to invade your PC, relying on the old but effective means of infiltration. More often than not, it hitches a ride with spam email attachments. It is imperative to treat every email you receive with a grain of salt. Do not open emails from unknown or suspicious senders, and if you do, do NOT download anything attached. Other common methods include hiding behind freeware bundles or corrupted links, or posing as a bogus system or program update, such as Adobe Flash Player or Java. Whichever way it goes, there is one final frontier it has to pass before a successful invasion: you. If you are cautious, you can catch it in the act and prevent its admission. If you give in to naivety, distraction, and haste, the odds of its success increase. Do your due diligence when allowing tools or updates onto your system, or throw caution to the wind and hope for the best; the latter strategy almost always ends in an infection.

One caveat a practitioner should keep in mind: the WannaCry outbreak of May 2017 did not depend on the user at all. It spread as a network worm through the SMBv1 vulnerability fixed by Microsoft's MS17-010 update, so an unpatched Windows machine with SMB reachable from an infected host could be hit without anyone opening anything. Install that update and disable SMBv1 on every Windows machine you manage; cautious email habits alone do not protect against that path.


Why is Wanna Cry dangerous?

It is not only because of this uncertainty that experts lean towards not paying the extortionists. Yes, you cannot trust them to hold up their end of the bargain; that is a given. But there is more to it. When you transfer the requested sum, you leave a trail: the payment itself, plus any personal or financial details the process requires, all of which the cyber kidnappers can reach and use as they see fit. Do not expose your privacy to strangers. Your files are not worth that sacrifice. Choose privacy over data; one is replaceable, the other is not.

Wanna Cry Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Wanna Cry Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing CTRL+SHIFT+ESC simultaneously
  • Locate the process of the ransomware. Keep in mind that its executable usually has a randomly generated name.
  • Before you kill the process, note its name and file path in a text document for later reference.


  • Locate any suspicious processes associated with Wanna Cry encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • On Windows 7, click the “Organize” button and choose “Folder and Search Options”; on Windows 8/10/11, open the “View” tab of File Explorer and click “Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Wanna Cry encryption Virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously, type regedit and press Enter to open the Registry Editor.

Check each of the following keys (the Wow6432Node key exists only on 64-bit Windows):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the entry whose value points to the ransomware executable; its name is usually random, so match it against the path you noted in STEP 1.

  • Then open Explorer, navigate to your %appdata% folder (or wherever the Run entry pointed) and delete the executable.

You can also use the msconfig program (Startup tab on Windows 7; on Windows 8 and later it redirects to Task Manager's Startup tab) to double-check the execution point of the virus. Keep in mind that the names on your machine may differ, as they are often generated randomly, which is why you should also run a professional scanner to identify malicious files.
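The three steps above can be done from one elevated PowerShell session instead of clicking through Task Manager, Explorer and regedit. The script below is an added example written for this page, not code from the original article or from any vendor; it assumes Windows PowerShell 5.1 or later running as Administrator, and it only lists candidates (processes running from user-writable directories and Run-key entries pointing into them) so that you can review them before killing or deleting anything. The set of "user-writable" directories is a heuristic chosen for this example.

```powershell
# Added example (not from the original article): triage for STEP 1-3.
# Assumption: elevated Windows PowerShell 5.1+ on the affected machine.
# Nothing here deletes files or registry values; review the output first.

# STEP 2 equivalent: make Explorer show hidden and protected OS files
# for the current user (restart Explorer afterwards for it to take effect).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden -Value 1            # "Show hidden files and folders"
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1   # uncheck "Hide protected operating system files"

# Heuristic (an assumption of this example): directories a dropper commonly
# writes to and runs from. Legitimate software also lives here, so review.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-UserWritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($dir in $userWritable) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# STEP 1 equivalent: running processes whose image lives in a user-writable directory.
Write-Host '== Processes running from user-writable locations =='
Get-CimInstance Win32_Process |
    Where-Object { Test-UserWritablePath $_.ExecutablePath } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize

# STEP 3 equivalent: Run-key entries that point into those directories.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 64-bit Windows only
)
Write-Host '== Run-key entries pointing into user-writable locations =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata properties
        $cmd = [string]$p.Value
        # Strip surrounding quotes and trailing arguments to isolate the image path.
        $image = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $expanded = [Environment]::ExpandEnvironmentVariables($image)
        if (Test-UserWritablePath $expanded) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
        }
    }
}
```

Once you have confirmed a hit, `Stop-Process -Id <ProcessId> -Force` ends the process, `Remove-ItemProperty -Path <Key> -Name '<Name>'` removes the Run entry, and the executable can then be deleted from the path the entry pointed to. Restart Explorer (`Stop-Process -Name explorer`; it relaunches on its own) to apply the hidden-file settings.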

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one. Restore only after the machine has been cleaned (or onto a clean machine), and never connect the backup medium to a PC that is still infected, or the backup will be encrypted too.


  • Method 2: File Recovery Software – Ransomware commonly creates an encrypted copy of each file and then deletes the original, so undelete-style file recovery software may be able to recover some originals. Stop using the affected disk as soon as possible (or image it first), because every write reduces the chance that deleted data is still intact.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore files from Volume Shadow Copies using a tool such as ShadowExplorer: choose the drive you want to recover, right-click any file you want to restore and click Export. Be aware that WannaCry is known to delete shadow copies (with vssadmin) after encrypting, so on most infected machines this method will find nothing.
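Before installing any third-party tool for Method 3, it is worth checking whether the machine still has any shadow copies at all. This is an added example for this page, not code from the original article; it assumes an elevated PowerShell session, and the mount directory `C:\ShadowMount` is an arbitrary name chosen here.

```powershell
# Added example (not from the original article): list Volume Shadow Copies and,
# if any survive, show how to mount one read-only so files can be copied out.
# Assumption: elevated PowerShell on the affected machine.

function Get-ShadowCopySummary {
    Get-CimInstance Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate, DeviceObject
}

$copies = @(Get-ShadowCopySummary)
if ($copies.Count -eq 0) {
    Write-Host 'No shadow copies present. WannaCry deletes them (vssadmin delete shadows /all /quiet), so Method 3 cannot help here.'
} else {
    Write-Host ('{0} shadow copies found:' -f $copies.Count)
    $copies | Format-Table -AutoSize

    # A shadow copy is exposed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and can be
    # attached as a directory junction; mklink needs the trailing backslash.
    $oldest = $copies | Sort-Object InstallDate | Select-Object -First 1
    Write-Host 'To browse the oldest copy, run in an elevated cmd.exe:'
    Write-Host ('mklink /d C:\ShadowMount {0}\' -f $oldest.DeviceObject)
    Write-Host 'Copy files out of C:\ShadowMount, then remove the junction with: rmdir C:\ShadowMount'
}
```

The oldest copy is the one most likely to predate the encryption, which is why the example picks it; compare the InstallDate against the time the ransom note appeared.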
