Tips For Deleting WannaSmile Ransomware & Decrypting Files

Delete WannaSmile Ransomware

Researchers Analysis Report on WannaSmile Ransomware

WannaSmile Ransomware is a newly released ransomware that emerged on the November 16th, 2017. According to the experts of cybersecurity, this variant of ransomware is based on Zcrypt Ransomware that was spotted in the June 2016. Newly released ransomware appears that the creators of Zcrypt ransomware have been improving their all products and changes their distribution network. Similar to the other ransomware it's intrusion method and file encryption procedure is same but the difference is that it uses .wsmile file extension to encrypt files. This ransomware is mainly attack the System users on Arabian Peninsula but it does not mean that it cannot infect your PC.

File Encryption Procedure of WannaSmile Ransomware

According to the security expert's analysis report, it executed as "WannaSmile.exe" on the infected Systems and communicated with the hacked sites that mainly used to hide the people's identity. It is known to encrypt almost all file types including presentations, images, text, audios or videos, eBooks, spreadsheets, databases and much more on the compromised sites. The enciphered data and object is really very easy to be organized because it basically add ".Wsmile" file extension to the end of file names. Once locking files, it makes them inaccessible and prevent user from accessing them normally. After that it changes the desktop background to a black screen that mainly features a text which is written in the Persian language. The generated html file can be easily identified because it entitled as "How to decrypt files.html". The screenshot of ransom messages as follow :

Dealing Method of WannaSmile Ransomware

The creators of WannaSmile Ransomware are basically uses "[email protected]" account to contact the System user who may want to decrypt files. By displaying scary message, hackers often ask victim to contact with hackers and make payment of 20 BTC but unfortunately there is no any guarantee that you will get the free decryption key even paying after the ransom fee. File retrieval is possible using the backup but to keep valuable data safe, you should follow the provided removal instructions to delete WannaSmile Ransomware from your compromised machine rather than making a deal with hackers.

Propagation Channels of WannaSmile Ransomware

Being a member of the ransomware category, WannaSmile Ransomware is usually promoted using the fake software updates, third-party software download sources, spam emails and much more. It often penetrates inside the Windows PC secretly by open System backdoor. The spam emails are really one of the most common way of infiltration because it contains malicious attachments. Downloading of any malicious attachments or responding of any spam messages may lead your PC to such an infection. Besides, it can also infect your Windows System through exploit kits, P2P file sharing network, infected external devices, drive-by-downloads and much more.

Free Scan your Windows PC to detect WannaSmile Ransomware

rmv-notice

Remove WannaSmile Ransomware From Your PC

Step 1: Remove WannaSmile Ransomware in Safe Mode with Command Prompt

  • First of all disconnect your PC with network connection.
  • Click restart button and keep pressing F8 key regularly while system restart.

F8-keyboard

  • You will see “Windows Advanced Options Menu” on your computer screen.

Windows Advanced Options Menu

  • Select “Safe Mode with Command Prompt” and press Enter key.

safe mode with command promt

  • You must login your computer with Administrator account for full privilege.

daver

  • Once the Command Prompt appears then type rstrui.exe and press Enter

picture6

  • Now follow the prompts on your screen to complete system restore.

Step 2: Remove WannaSmile Ransomware using MSConfig in Safe Mode:

  • Power off your computer and restart again.
  • While booting press the “F8 key” continuously to open “Windows Advanced Options Menu”.

F8-keyboard

  • Use the arrow keys to select “Safe Mode” option and press Enter key.

Safe mode

  • Once system get started go to Start menu. Type “msconfig” in the search box and launch the application.

msconfig01

  • Go to the Startup tab and look for files from %AppData% or %Temp% folders using rundll32.exe. See an example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

  • Disable all the malicious entries and save the changes.
  • Now restart your computer normally.

Step 3 : Kill Malicious Process Related To WannaSmile Ransomware

  • Press Alt+Ctrl+Del buttons together.

ctrl+alt+del

  • It will open the Task manager on your screen.
  • Go to Process Tab and find WannaSmile Ransomware related process.
  • Click the End Process Now button to stop the running process.

Step 4 : Remove WannaSmile Ransomware Virus From Registry Entry

  • Press “Windows + R” key together to open Run Box.

Win+R

  • Type “regedit” and click OK button.

Type-regedit-to-open-registry

  • Find and remove WannaSmile Ransomware related entries.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Now hopefully you have completely removed the WannaSmile Ransomware virus from your computer. If you are still get ransom message from the threat or unable to access your files, then it means that virus still remain into your computer. In such situation you don’t have any other option except removing this virus using any powerful malware removal tool.

Whereas if you have any backup of your infected or encrypted files, then you can also reinstall your Windows OS. This will erase all your files and data as along with the WannaSmile Ransomware infection. You will get a completely empty computer system with no files. Now you can use your backup to get your files. If you don’t have any backup then using malware removal tool is a better option for you.

freescan1

If you have any query or question regarding your computer, then you can easily ask your problem to our experts. Go to the Ask Any Question page and get the answer for your query directly from out experts.

footer-1