I wrote this article to help you remove Wincry Ransomware. This Wincry Ransomware removal guide works for all Windows versions.
Wincry ransomware, also known as WannaCry ransomware, is an encryption virus which made the news last Friday. The win-locker was distributed through an unprecedented campaign which saw a record number of devices getting infected. According to reports, over 200,000 machines from 150 countries fell victim to the infection. Wincry ransomware is a typical win-locker. Upon entering the targeted system, it scans the hard disk drive for vulnerable files and encrypts them with the use of a cipher. The cyber criminals behind the attack demand victims to pay a ransom in order to have their data unlocked.
Security researchers were able to find out how the people behind Wincry ransomware launched the attacks. The clandestine program exploits a critical SMB vulnerability which was exposed in leaked NSA documents. A hacker group called Shadow Broker made the revelation a month ago. This flaw allows the win-locker to gain entry into a targeted computer without having to seek help from a host file. Upon learning about the threat, Microsoft took action and created a patch. The fix was filed as MS17-010. Pursuant to the large scale attack, the company devised special updates for the Windows builds which are no longer supported.
If you are among the people who have contacted Wincry ransomware, you would be unable to open your text documents, databases, images, archives, zipped folders, presentations, videos, audios, logs, scripts and other types of files. You will notice that the inaccessible objects have the .WNCRY suffix appended to their names. Since Wincry ransomware needs your cooperation, the rogue program will make sure you are aware of its presence. It will display a lock screen on your desktop. The window functions as a ransom note, although there is a note in all folders which contain encrypted data. The physical version of the ransom message is titled @Please_Read_Me@.txt.
The cyber criminals provide a detailed explanation. They begin by stating what Wincry ransomware has done and for what reason. The note continues by elaborating how the encryption can be undone. Finally, the attackers list their demands. They have decided not to disclose which cipher they use to perform the encryption. Experts will need to analyze the win-locker before they can give an answer. The lock screen is actually the program window of the decryptor which goes together with the virus. The tool is dubbed Wana Decrypt0r 2.0. To activate it, you have to pay a ransom of $300 USD.
As stated, the required amount has to be paid in Bitcoins. This is a cryptocurrency which is traded exclusively online. For security reasons, most ransomware vendors choose Bitcoins as the payment method. The platforms which sell them are regulated under a universal set of rules. They do not ask users to provide personal details. Another measure which works in their favor is that the transaction cannot be traced to the bank account of the recipient. The proprietors of Wincry ransomware do not face the risk of getting tracked down.
Victims are given an ultimatum, as the hackers have set a tight deadline for completing the payment. The stated sum has to be paid within 3 days. If you miss this deadline, you will have to pay double. Still, a transaction needs to be made within 7 days after the encryption has occurred. Afterwards, the decryptor gets deactivated. There are countdown clocks for both periods. Wincry ransomware keeps victims updated on the time they have left to pay either the original ransom or the increased amount. There is a light at the end of the tunnel for poor users who cannot afford to meet the stated demands. The developers of Wincry ransomware have promised to hold free events in 6 months’ time.
Ultimately, the only sure way to have the problem solved is by uninstalling the win-locker from your computer. Paying the cyber thieves does not guarantee that they will decrypt your files and remove Wincry ransomware from your system. After you have deleted the virus, you can try to recover your files from their shadow volume copies. There are guides below to help you dispose of the insidious program and attempt a recovery.
Wincry Ransomware Removal
Method 1: Restore your encrypted files using ShadowExplorer
Usually, Wincry Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose at least a month ago date from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
Method 2: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next“
- Choose a restore point, at least a month ago
- Click “Next“
- Choose Disk C: (should be selected by default)
- Click “Next“. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Wincry Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs: