
WannaPeace Ransomware

Posted: November 30, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 97
First Seen: March 12, 2022
Last Seen: March 29, 2022
OS(es) Affected: Windows

The WannaPeace Ransomware is a file-locking Trojan that can block the data on your PC, such as text documents, compressed archives, or images, with a cipher. Although the encryption takes time to finish, the Trojan distracts the user by displaying a fake Adobe software-themed pop-up until it completes the payload. While blocking this threat upfront with appropriate security protocols is the recommendation of malware analysts, some anti-malware programs can also detect and uninstall the WannaPeace Ransomware after the infection.

A Reading of the Worst Kind of Document

After the Curumim Ransomware, the BugWare Ransomware, and other file-locking Trojans, Brazil is nowhere near being safe from Trojans that block media in return for money. At least one new threat actor is starting another campaign in the same vein at the end of November, which delivers messages specific to Brazilian users and disguises itself as a legitimate brand of software. Unlike similar threats, the WannaPeace Ransomware doesn't merely use a fake file name; instead, it embeds an Adobe PDF tactic directly into the same payload that it uses for the rest of its features.

For the moment, the WannaPeace Ransomware attacks only the files in a 'testes' folder on the infected PC, a common precaution that threat actors implement for limiting the damage to their test environment systems. It blocks a range of file formats within that folder by encrypting them and adds the '_enc' string to any already-present extensions (instead of creating a new one). The encryption isn't instantaneous, but the WannaPeace Ransomware conceals its activities by displaying a fake Adobe PDF-loading screen for Reader XI.
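The renaming behavior described above can be used for triage: the following added example (not part of the original article or of any vendor tool) walks a directory tree and reports folders containing files whose existing extension ends in '_enc', noting whether the folder sits under a 'testes' directory. The exact name shape (report.docx becoming report.docx_enc) is an assumption, since the article shows no sample file name, and the sample tree is constructed.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

MARKER = "_enc"  # string the article says is appended to an existing extension


def original_name(name):
    """Return the pre-rename file name, or None if the name does not match.

    Assumed pattern (the article shows no sample name): report.docx -> report.docx_enc
    """
    stem, dot, ext = name.rpartition(".")
    if dot and stem and ext.endswith(MARKER) and len(ext) > len(MARKER):
        return f"{stem}.{ext[:-len(MARKER)]}"
    return None


def report(root):
    """Return (directory, renamed_count, in_testes_folder) rows, most hits first."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        hits[dirpath].extend(n for n in files if original_name(n))
    rows = []
    for dirpath, names in hits.items():
        if names:
            in_testes = any(p.lower() == "testes" for p in Path(dirpath).parts)
            rows.append((dirpath, len(names), in_testes))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def build_sample_tree(base):
    """Constructed sample data: a 'testes' folder with renamed files and a clean folder."""
    layout = {"testes": ["report.docx_enc", "photo.jpg_enc", "backup.tar.gz_enc"],
              "docs": ["notes.txt", "readme_enc", "budget.xlsx"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            Path(base, folder, name).write_bytes(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for dirpath, count, in_testes in report(tmp):
            print(f"{count:3d} renamed file(s) in {dirpath} (testes folder: {in_testes})")
```

A name match alone is a weak indicator, since legitimate files can also end in '_enc'; treat hits as a prompt to check backups and scan the system, not as confirmation of infection.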

The threat actor is trying to generate money from these attacks with an HTML application-based pop-up, which offers to sell the victims a decryptor and unblock their files. The message employs poorly translated Brazilian Portuguese, multiple timer-related warnings, and a simple Bitcoin currency interface. The ransom note also claims that all the money will go towards the victims of an unspecified war, almost certainly as additional emotional leverage to encourage quick payments.

Closing the Book on Fake PDF Texts

Even though Adobe-brand disguises are archetypal for different families of file-locker Trojans, malware experts often find that these tactics confine themselves to the names of the installers. By placing its hoax in the payload, along with its data-enciphering and pop-up features, the WannaPeace Ransomware delivers a multi-featured attack that actively distracts its victims instead of relying on them not paying attention to the activities of a program on their PC. Brazilian PC users should be especially cautious about opening potentially fake PDF documents that they find attached to unexpected e-mail messages, which are a favorite infection strategy for Trojans of this classification.

There is currently no decryption software available for unlocking any files that the WannaPeace Ransomware encodes. A reconfiguration of this threat's payload for attacking other directories could occur at any point, and malware experts strongly endorse having a prepared and rigorous backup schedule in place for protecting your media. Otherwise, removing the WannaPeace Ransomware as soon as possible with appropriate anti-malware tools is the only way of keeping documents and other content from becoming unreadable.

With very few anti-malware solutions identifying the WannaPeace Ransomware as a threat, this Trojan is a working showcase of how a cybercrook can avoid a PC's security, both regarding software and the user. Updating your anti-malware programs whenever they provide patches to their databases can keep a file-locking campaign from getting the jump on your data.
