WanaDie virus - How to remove

WanaDie ransomware virus is another cheap imposter of WannaCry crypto-malware. Differently from the original infection, the poor-quality copy is loosely based on Hidden Tear open source project like so many other ransomware-wannabes. Many popular security tools already recognize its payload of wndi.exe as malicious and offer its immediate removal. In addition to this, this infection is inspired by Mr. Robot TV series. Just like FSociety, WanaDie crypto-malware features a logo of a joker which was seen on one of the Mr. Robot episodes. This is not the first time when hackers used these TV.

A more detailed investigation of WanaDie crypto-virus

According to concluded analysis (VirusTotal), WanaDie ransomware is probably still in development since it does not encrypt files and has many grammatical errors in the ransom notes. The infection modifies users’ desktop backgrounds and launches a special window called “Wana die decrypt0r”. All of the information is written in the Russian language. This means that Russian-speaking users are targeted as potential victims. In addition to this, we have reason to believe that this infection is a new project from CryptoWall authors.

WanaDie ransomware

This WannaCry Imposter ransomware should append .wndie extension to data it encrypts. Based on the investigation, the malware (if fully functional), would encrypt files with AES and SHA-256 algorithms. However, since the ransomware does not appear to not be fully operational, it does not pursue file-encryption. Furthermore, its payload can also be WannaDecrypt0r.exe. The ransomware (Rise) would target these file-types: .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dt, .DT, .dt, .ged,. hbk, .hbk, .htm, .html, .key, .keychain, .md, .pps, .ppt, .pptx, .sdf, .tar, .tax2014, .tax2015. In total, 41 extension is a potential casualty.

This is not the first time that wannabe-hackers are copying some more successful ransomware projects. For instance, Globe virus has many Globe Imposters that wish to profit.

At the moment there is no reason to be worried about becoming infected with this virus. Since it does not encrypt data, hackers will have no advantage. Therefore, they won’t be able to demand the ransom. If the WanaDie crypto-virus would become fully functional, victims would have 7 days to make a transaction. After the first three days, the payment will double.

WanaDie virus

Ransomware decryption and other related aspects

Even though WanaDie virus does not encode files now, it might start doing this anytime. If you become infected with a fully operational version, please contact security researchers and inform them of a new threat. Even if your files become encrypted, avoid paying the ransom as this is never the right way to go. Hackers might leave your files ruined and you will have wasted significant amounts of bitcoin for no reason.

It might be that a free decryption tools is going to be introduced for this infection. In addition to this, there are other methods that might used for the file-decryption. For instance, victims can try universal file-recovery tools. However, the most promising option is retrieving data from backup storages. Sadly, not all people upload their executables in these utilities. If you do, these file copies are protected in case the original version become unavailable or encrypted.

Methods that ransomware can transmit

One of the most popular techniques for ransomware distribution is the malspam (For). It basicaaly refers to emails that feature potentially dangerous attachments or links. Therefore, it is important to be careful. Do not download files from unknown senders. Additionally, people can become infected with crypto-viruses due to users’ interactions with pop-up ads.

If you click on a random ad, it could be that the hacker receives and opportunity to implant malware into your operating system. Not only can the crooks monitor your online activity, but they can also implant ransomware into devices. Lastly, please protect your RDP: this is one of the ways that ransomware can slither inside too.

If you are worried about the condition of your device, we suggest you get some more help. You should install an anti-malware tool to protect you from harm. For instance, Spyhunter can certainly help you stay malware-free.

How to recover WanaDie virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Wana die decrypt0r virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of WanaDie virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Wana die decrypt0r virus. You can check other tools here.  

Step 3. Restore WanaDie virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Wana die decrypt0r virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover WanaDie virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *