I wrote this article to help you remove WannaCry Ransomware. This WannaCry Ransomware removal guide works for all Windows versions.
Since Friday, ransomware attacks have been spreading at extraordinary speed to computers all over the world. The attacks exploit a critical SMB vulnerability disclosed in documents leaked from the NSA by the Shadow Brokers group.
The ransomware is called WannaCry; the vulnerability it exploits was patched by Microsoft (MS17-010) for supported versions of Windows about a month ago.
Reports show that the virus, also known as WanaCrypt0r, WCry, Wana Decrypt0r, and WannaCrypt, has hit more than 100 countries in less than 24 hours so far. According to security experts, this is the biggest ransomware attack ever; it hit hospitals in Britain, the Spanish telecom giant Telefonica, Russian and European car makers, banks, and FedEx.
Security experts say that Windows installations that are up to date and fully patched are not in danger. Microsoft has already taken the unusual step of providing a security update for Windows platforms that are in custom support only, including Windows Server 2003, Windows 8, and Windows XP.
“We also know that some of our customers are running versions of Windows that no longer receive mainstream support,” Microsoft said. “That means those customers will not have received the above-mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.”
According to a spokesman for Barts Health NHS Trust in London, the trust was experiencing a “major IT disruption” and delays at all four of its hospitals, and ambulances were being diverted to nearby hospitals.
“Unlike most other attacks, this malware is spreading primarily by direct infection from machine to machine on local networks, rather than purely by email,” said Lance Cottrell, chief scientist at Ntrepid.
Yesterday, a security researcher found a “kill switch” that could prevent the spread of the WannaCry ransomware.
“The ‘kill switch’ was hardcoded into the malware in case the creator wanted to stop it spreading,” MalwareTech said. “This involved a very long nonsensical domain name that the malware makes a request to just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.”
“This event should serve as a global wakeup call – the means of delivery and the delivered effect is unprecedented,” Rich Barger, Director of Cyber Research at Splunk, said. “While Spain and Russia look to be hit the hardest, other countries including Italy, Portugal, Ukraine and Pakistan look to be affected as well. This is one of the largest global ransomware attacks the cyber community has ever seen.”
Rich Barger also suggested disabling or blocking the SMBv1 service to protect against the attacks, and said firms should consider monitoring for and/or mitigating scan behavior on TCP/445, both externally and internally.
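The two measures Barger recommends, disabling SMBv1 and watching for TCP/445 scanning, can be applied from an elevated PowerShell session. The script below is an added example and is not part of the original article or of any vendor tooling; it assumes PowerShell 5.x on Windows 8.1 / Server 2012 R2 or later, and the KB identifier used in the patch check is a labelled placeholder to be filled from the MS17-010 bulletin for the OS in question. The firewall log lines it analyses are constructed for the example.

```powershell
# Added example, not part of the original article: disable SMBv1, block unsolicited
# inbound SMB on non-domain networks, check for an MS17-010 fix, and flag hosts
# that fan out to many neighbours on TCP/445 in Windows Firewall log lines.
# Assumes an elevated PowerShell 5.x session on Windows 8.1 / Server 2012 R2 or later.

# 1. Patch check. Fill $Ms17010Kbs from the MS17-010 bulletin for this OS build;
#    the default is a placeholder, not a real KB number.
function Test-Ms17010Installed {
    param([string[]]$Ms17010Kbs = @('KB<MS17-010-ID-FOR-THIS-OS>'))
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

# 2. Disable SMBv1 on both the server and the client side.
function Disable-Smb1 {
    # Server side: stop answering SMBv1 negotiation at all.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: remove the optional SMB1 feature (a reboot completes the removal).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Block unsolicited inbound SMB on the Private and Public profiles. The Domain
#    profile is left alone so file and print sharing inside the LAN keeps working;
#    block 445 at the perimeter for that case.
function Block-InboundSmb {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) on Private/Public' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
        -Profile Private,Public
}

# 4. Scan detection over Windows Firewall log lines (W3C format, written to
#    %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log when logging is enabled).
#    A source that touches at least $Threshold distinct hosts on TCP/445 is flagged.
#    The sliding time window a SIEM rule would add is omitted for brevity.
function Find-Smb445Fanout {
    param([string[]]$LogLines, [int]$Threshold = 20)
    $targets = @{}
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # Fields: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        if (-not $targets.ContainsKey($f[4])) {
            $targets[$f[4]] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$targets[$f[4]].Add($f[5])
    }
    foreach ($src in $targets.Keys) {
        if ($targets[$src].Count -ge $Threshold) {
            [pscustomobject]@{ SrcIp = $src; DistinctTargets = $targets[$src].Count }
        }
    }
}

# Constructed sample log: one host probing 25 neighbours on 445 and one normal client.
$sampleLog = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags')
foreach ($i in 1..25) {
    $sampleLog += ('2017-05-12 10:00:{0:00} DROP TCP 10.0.0.5 10.0.0.{1} 49233 445 52 S' -f $i, ($i + 100))
}
$sampleLog += '2017-05-12 10:01:00 ALLOW TCP 10.0.0.7 10.0.0.10 50000 445 52 S'

if (-not (Test-Ms17010Installed)) { Write-Warning 'No MS17-010 fix found; patch before anything else.' }
Find-Smb445Fanout -LogLines $sampleLog -Threshold 20   # flags 10.0.0.5 with 25 distinct targets
```

Run `Disable-Smb1` and `Block-InboundSmb` only after confirming nothing on the host still depends on SMBv1 (old NAS devices and printers are the usual offenders). To analyse the real firewall log, enable dropped-packet logging with `Set-NetFirewallProfile -All -LogBlocked True` and feed `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` to `Find-Smb445Fanout`.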
“Systems requiring real-time interfacing and control influence over physical assets could face safety/critical shutdown, or worse. When thinking about critical services to modern society (power, water, wastewater, etc.), there is a real potential, potentially for the first time ever, where critical services could be suspended due to ransomware. It may be time to rethink critical infrastructure cybersecurity engineering, because if MS17-010 exploiting malware variants are successful, we are clearly doing something wrong,” Owen Connolly said.
To stay clear of WannaCry Ransomware, keep your system up to date at all times. If you are already infected, use the removal guide below to get rid of the ransomware.
WannaCry Ransomware Removal
Method 1: Restore your encrypted files using ShadowExplorer
Usually, WannaCry Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete them, so your first attempt should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose a date at least a month ago from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
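Before installing ShadowExplorer it is worth checking whether any shadow copies actually survived on the drive, since Method 1 only works if they did. The script below is an added example, not code from the original article or from ShadowExplorer; it goes slightly beyond the article by exposing a surviving copy as a directory junction so files can be copied out without extra software. It assumes an elevated PowerShell session on Windows Vista / Server 2008 or later (which provide the `Win32_ShadowCopy` class), and the mount path `C:\ShadowCopyView` is an assumed name of your choosing.

```powershell
# Added example, not part of the original article: list the shadow copies that
# survived on a volume and optionally expose one as a read-only junction.
# Assumes an elevated PowerShell session on Windows Vista / Server 2008 or later.

function Get-RestorableShadowCopies {
    param([string]$DriveLetter = 'C:')
    # Map the drive letter to its volume device ID (\\?\Volume{GUID}\), which is
    # what Win32_ShadowCopy.VolumeName refers to.
    $volume = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { return @() }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Id           = $_.ID
                Created      = $_.InstallDate
                DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        }
}

# Expose a shadow copy under a folder so its files can be copied out with
# Explorer or Copy-Item. $MountPath is an assumed, currently non-existent path.
function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [string]$MountPath = 'C:\ShadowCopyView'
    )
    if (Test-Path $MountPath) { throw "$MountPath already exists; choose an empty path" }
    # mklink needs the trailing backslash on the device object.
    cmd.exe /c mklink /d $MountPath "$DeviceObject\"
}

$copies = @(Get-RestorableShadowCopies -DriveLetter 'C:')
if ($copies.Count -eq 0) {
    Write-Host 'No shadow copies survive on C:; fall back to Method 2 or Method 3.'
} else {
    $copies | Format-Table -AutoSize
    # The article advises a restore point at least a month old; take the newest
    # copy older than that cutoff (the infection date is assumed to be today).
    $cutoff = (Get-Date).AddMonths(-1)
    $pick = $copies | Where-Object { $_.Created -lt $cutoff } | Select-Object -First 1
    if ($pick) {
        Mount-ShadowCopy -DeviceObject $pick.DeviceObject -MountPath 'C:\ShadowCopyView'
        Write-Host 'Copy the original files out of C:\ShadowCopyView, then remove the junction with: cmd /c rmdir C:\ShadowCopyView'
    }
}
```

Remove the junction with `cmd /c rmdir C:\ShadowCopyView` (not `Remove-Item -Recurse`, which would descend into the snapshot) once the files have been copied out. If the list is empty, the ransomware did delete the copies and you should continue with Method 2 or Method 3.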
Method 2: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next”
- Choose a restore point, at least a month ago
- Click “Next”
- Choose Disk C: (should be selected by default)
- Click “Next”. Wait a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above methods works, you should try to recover the encrypted files with file recovery software. Since WannaCry Ransomware first makes a copy of the original file, then encrypts the copy and deletes the original, you can restore the original using file recovery software. Here are a few free file recovery programs: