WannaCash Ransomware

Posted: July 30, 2018

The WannaCash Ransomware is a Russian file-locking Trojan that uses AES-256 encryption to block media, such as Word documents. Besides locking your work, the WannaCash Ransomware may also cover the screen with its pop-up and interfere with your access to the Windows interface. Use anti-malware products to delete the WannaCash Ransomware or to protect your PC from infection, and use backups or free decryption solutions for any media recovery.

A Trojan that's Taking Over Monitors and Files Alike

Russian file-locking campaigns like those of the thoroughly-analyzed Scarab Ransomware family, the lesser-known JabaCrypter Ransomware, or the WinRAR-abusing RaRuCrypt Ransomware are acquiring more competition. The newest Trojan leveraging encryption for blocking files and extorting money, the WannaCash Ransomware, has no history with any of the above threats. However, it delivers both data-locking attacks and other features that impede the security and accessibility of the compromised computer.

Malware experts are connecting all distribution attempts for the WannaCash Ransomware to illegal gaming cracks, such as key generators and databases, that its victims may encounter on corrupted websites or over a file-sharing network. The installation routine includes showing fake key-registration entries before restarting the computer, which lets the WannaCash Ransomware launch its file-locking attack. This Trojan uses AES-256 in CBC mode for its encryption routine and, unlike most of its competition, prepends an 'encrypted' string and wraps the original name in parentheses instead of appending an extension. For instance, 'picture.jpg' becomes 'encrypted (picture.jpg)'.
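The renaming pattern described above gives responders a simple way to scope the damage. The following Python sketch is an added example, not code from the original article or from any vendor tool: it walks a directory tree, finds files carrying the 'encrypted (name)' marker, and lists the original paths to pull from backup. The exact spacing and case of the marker are assumptions based on the article's single example, and the function names and sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Pattern taken from the article's example: 'picture.jpg' -> 'encrypted (picture.jpg)'.
# Exact spacing and case-insensitivity are assumptions based on that one example.
MARKER = re.compile(r"^encrypted \((?P<original>.+)\)$", re.IGNORECASE)

def original_name(filename):
    """Return the pre-infection name if filename carries the marker, else None."""
    m = MARKER.match(filename)
    return m.group("original") if m else None

def inventory(root):
    """Walk root and return {directory: [(locked_name, original_name), ...]}."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            orig = original_name(name)
            if orig is not None:
                hits[dirpath].append((name, orig))
    return dict(hits)

def restore_list(root):
    """Relative paths (under their original names) to restore from backup, sorted."""
    paths = []
    for dirpath, pairs in inventory(root).items():
        for _locked, orig in pairs:
            paths.append(os.path.relpath(os.path.join(dirpath, orig), root))
    return sorted(paths)

def build_sample_tree(root):
    """Constructed sample data: empty files whose names mimic an affected profile."""
    names = ["Documents/encrypted (report.docx)", "Documents/notes.txt",
             "Pictures/encrypted (picture.jpg)", "Pictures/encrypted (a (1).png)",
             "Pictures/encrypted.txt"]  # last entry is a benign look-alike
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in restore_list(tmp):
            print(rel)
```

The greedy match keeps original names that themselves contain parentheses intact, and a file merely named 'encrypted.txt' is not reported.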

The WannaCash Ransomware also loads a pop-up that blocks the desktop while simultaneously locking the mouse cursor's movement to this window. Besides being in Russian, most of the ransoming instructions in the three tabs of this pop-up are ordinary, except for a Yandex-based payment for restoring your files. Since the WannaCash Ransomware's encryption is non-secure and other PC security researchers are already offering free decryption help, paying the Ruble fee is not an act that malware experts can endorse.

The Cash Grab that Got Ahead of Itself

Besides any file recovery issues, the WannaCash Ransomware's ransoming method also includes a significant oversight: Yandex payments could help the authorities trace the identity of the threat actor. The sub-one-hundred USD price of data unlocking further implies that the WannaCash Ransomware's authors have a minimum of experience at managing file-locking Trojans and are targeting equally inexperienced PC users, such as teenagers looking for free games. The Trojan hasn't been seen operating with payload adjustments using non-Russian ransoming components.

As noted earlier, decryption of files locked by the WannaCash Ransomware is free. However, its author could change the encryption routine at a later date, and updating your external backups is a highly recommended solution for all Trojans with file-locking payloads. Professional anti-malware protection may block known, unsafe websites or associated content (such as a drive-by-download JavaScript exploit), or detect the Trojan's installer inside of a download, when appropriate. Any users who need to restore access to Windows should reboot with a recovery device or use Safe Mode before uninstalling the WannaCash Ransomware with a trusted security program.

The WannaCash Ransomware's campaign may be destined for brevity, or not. Even if its author suffers imprisonment, the Trojan can continue circulating online and pose a potential danger to anyone who forgets to take care of their files.