
Wana Decrypt0r 3.0 Ransomware

Posted: May 25, 2017

Threat Metric

Ranking: 5,600
Threat Level: 10/10
Infected PCs: 34,799
First Seen: May 12, 2017
Last Seen: October 11, 2023
OS(es) Affected: Windows

The Wana Decrypt0r 3.0 Ransomware is a Trojan that imitates the attacks of the WannaCryptor Ransomware, which can encrypt your files to lock them and display messages selling the unlocking method. However, the Wana Decrypt0r 3.0 Ransomware doesn't encrypt any content, making paying a ransom entirely needless. Protect your PC proactively or remove the Wana Decrypt0r 3.0 Ransomware infections after the fact with appropriate anti-malware software and strategies.

Trojans Misusing Names to Get What They Want

With the anti-malware industry placing more attention on the renewed activities of the WannaCryptor Ransomware family (also known as Wcry or WannaCry), victims who see pop-ups resembling an attack from the same Trojan may jump to obvious, but not always correct, conclusions. New imitators of this threat are also in sight, such as the Wana Decrypt0r 3.0 Ransomware, which, so far, doesn't include any file-encrypting features. However, its close resemblance to other threats with more significant capacity for damaging data could lead to the fruitless payment of ransoms.

Contradicting both its misappropriated brand identity and some title lines on its warnings, the Wana Decrypt0r 3.0 Ransomware targets Chinese users instead of English speakers. While the Wana Decrypt0r 3.0 Ransomware doesn't encode or otherwise damage your files, it does display pop-up alerts meant to imitate the Wcry family precisely. The HTML window it loads pretends to be a symptom of a non-consensual, data-encrypting attack and provides various features that automate the ransoming process.

Some especially significant elements of that window include a timer that threatens to increase the price of the ransom when it reaches zero, a copy-friendly Bitcoin wallet address and additional encryption warnings in Chinese text. The Wana Decrypt0r 3.0 Ransomware's threat actors are setting their current ransom demands to a surprisingly high 600 USD equivalent in Bitcoins, although, without data encoding to back up the pop-up, the justification for paying such a fee remains slim.

Genuine Solutions to Disingenuous Pop-Up Attacks

The Wana Decrypt0r 3.0 Ransomware's primary security risks come from its potential for disabling other applications automatically or using its pop-up to lock you out of using the Windows interface. While victims should see no real consequences from ignoring the Wana Decrypt0r 3.0 Ransomware's timer, other threats with more internal features are capable of launching similar attacks, triggering actual data loss that's difficult or impossible to remedy. Keeping backups can help protect you from the real members of the WannaCry family and any variants of the Wana Decrypt0r 3.0 Ransomware benefiting from file-encrypting updates.

The Wana Decrypt0r 3.0 Ransomware is threatening software meant to force you into paying money under duress and is a threat to your PC's safety, even if it doesn't block or delete any files. Its model for circulation and installation has yet to see confirmation, although malware experts often witness Trojans of the same type distributing themselves in e-mail attachments. Anti-malware products with updated databases have the best chances of removing the Wana Decrypt0r 3.0 Ransomware before it loads any attacks against your system.

The high ransoming fees of the Wana Decrypt0r 3.0 Ransomware imply that corporations and other business entities are prime targets, but the lack of real encryption points a finger closer towards personal systems. No matter who's under attack, it always pays to verify what's happening 'behind' the scenes instead of taking the word of a Trojan.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:




Registry Modifications

The following Registry values are newly produced:

File name without path:
!Please Read Me!.txt
!WannaCryptor!.bmp
!WannaDecryptor!.exe
!WannaDecryptor!.exe.lnk
@WanaDecryptor@.bmp
@WanaDecryptor@.exe
@WanaDecryptor@.exe.lnk
Please Read Me!.txt

Regexp file mask:
%temp%\[NUMBERS].wcryt
%windir%\00000000.eky
%windir%\00000000.pky
%windir%\00000000.res
%windir%\b.wnry
%windir%\b.wry
%windir%\c.wnry
%windir%\c.wry
%windir%\f.wry
%windir%\m.wry
%windir%\msg\m_[RANDOM CHARACTERS].wnry
%WINDIR%\mssecsvc.exe
%WINDIR%\mssecsvr.exe
%windir%\r.wnry
%windir%\r.wry
%windir%\s.wnry
%windir%\t.wry
%windir%\u.wry

HKEY..\..\..\..{RegistryKeys}:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler
SOFTWARE\WanaCrypt0r
SOFTWARE\WannaCryptor
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler
SOFTWARE\Wow6432Node\WanaCrypt0r
SOFTWARE\Wow6432Node\WannaCryptor
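
One way to turn the file masks and file names listed above into a triage check over a file listing collected from a suspect host. This is an added example, not part of the original page; the meaning given to the bracketed placeholders, the environment values and the sample listing are assumptions constructed for illustration.

```python
import re

# Subset of the page's "Regexp file mask" list; the bracketed placeholders
# are the page's own notation.
PAGE_MASKS = [
    r"%temp%\[NUMBERS].wcryt",
    r"%windir%\00000000.eky",
    r"%windir%\msg\m_[RANDOM CHARACTERS].wnry",
    r"%WINDIR%\mssecsvc.exe",
    r"%windir%\r.wnry",
]
# Subset of the page's "File name without path" list.
PAGE_NAMES = ["@WanaDecryptor@.exe", "@WanaDecryptor@.exe.lnk", "!Please Read Me!.txt"]
# Assumed meaning of the placeholders; the page does not define them.
PLACEHOLDERS = {"[NUMBERS]": r"\d+", "[RANDOM CHARACTERS]": r"[^\\]+"}
# Constructed environment and file listing for a hypothetical host.
ENV = {"windir": r"C:\Windows", "temp": r"C:\Users\alice\AppData\Local\Temp"}
LISTING = [
    r"C:\Windows\mssecsvc.exe",
    r"c:\windows\msg\m_chinese (simplified).wnry",
    r"C:\Users\alice\AppData\Local\Temp\1337.wcryt",
    r"C:\Users\alice\AppData\Local\@WanaDecryptor@.exe.lnk",
    r"C:\Windows\System32\svchost.exe",          # benign
    r"C:\Windows\msg\sub\m_x.wnry",              # wrong depth, no hit
    r"C:\Users\alice\Documents\00000000.eky",    # mask is anchored to %windir%
]

def mask_to_regex(mask, env):
    """Expand %var%, escape literal text, map placeholders to patterns."""
    expanded = re.sub(r"%(\w+)%", lambda m: env[m.group(1).lower()], mask)
    parts = re.split(r"(\[NUMBERS\]|\[RANDOM CHARACTERS\])", expanded)
    body = "".join(PLACEHOLDERS.get(p, re.escape(p)) for p in parts)
    return re.compile(body, re.IGNORECASE)  # Windows paths: case-insensitive

def scan(paths, env):
    """Return (path, indicator) pairs for every listing entry that matches."""
    rules = [(m, mask_to_regex(m, env)) for m in PAGE_MASKS]
    names = {n.lower(): n for n in PAGE_NAMES}
    hits = []
    for path in paths:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in names:                        # name match, any directory
            hits.append((path, names[base]))
        hits.extend((path, m) for m, rx in rules if rx.fullmatch(path))
    return hits

if __name__ == "__main__":
    for path, indicator in scan(LISTING, ENV):
        print(f"{path}  <=  {indicator}")
```

A hit on these names only shows that the artifacts are present; whether any user files were actually encrypted has to be checked separately, which is the distinction this page draws.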

Additional Information

The following directories were created:
%WINDIR%\taskhost
%userprofile%\desktop\WannaCry
%userprofile%\downloads\WannaCry