
WannaSmile Ransomware

Posted: November 21, 2017

Threat Metric

Ranking: 9,385
Threat Level: 8/10
Infected PCs: 356
First Seen: September 29, 2021
Last Seen: October 11, 2023
OS(es) Affected: Windows

The WannaSmile Ransomware is a new version of the zCrypt Ransomware, a Trojan family that hides its file-locking attacks behind a fake Windows error. Like most file-locking Trojans, the WannaSmile Ransomware also creates symptoms corresponding to demands for payment to unlock your media, which it does by ransoming the decryption software for Bitcoins. Besides advocating the protection provided by backing your files up to safe locations, malware experts can only encourage removing the WannaSmile Ransomware as quickly as possible with an appropriate anti-malware product.

The Smile that Will Cost You a Fortune

The relatively unpublicized zCrypt Ransomware, a Trojan previously identified from its attacks against Russian businesses, appears to be branching out into a new version. Malware experts can confirm that this secondary build creates messages implying attempted attacks against Iranians, although many of its components also include English content. Ultimately, regardless of the region under attack, the new WannaSmile Ransomware's goals are still to block the files of its victims before forcing payments of Bitcoins from them.

Although malware researchers can't yet corroborate whether the WannaSmile Ransomware still uses the zCrypt Ransomware's original tactic of hiding its payload behind fake CD-DVD drive errors, the Trojan does include the same style of file-locking attack. This feature encrypts different files on the infected PC using an AES algorithm and then obfuscates the process behind a second, RSA-based cipher. The WannaSmile Ransomware's threat actors append the new '.WSmile' extension to any affected content (for instance: 'document.doc.WSmile') instead of the family's original one.
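As an added example (not part of the original article), the following Python triage helper walks a directory tree for files carrying the '.WSmile' extension described above, recovers each original filename, and summarizes how far the damage spreads. The function names and the sample tree are assumptions made for illustration, and the earliest modification time is only a rough indication of when file-locking began.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

MARKER = ".wsmile"  # extension named in this article, matched case-insensitively

def find_locked_files(root):
    """Return (path, original_name, mtime) for each file ending in .WSmile."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Skip non-matching names and a bare ".WSmile" with no original name.
            if not name.lower().endswith(MARKER) or len(name) == len(MARKER):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; keep scanning
            hits.append((path, name[: -len(MARKER)], mtime))
    return hits

def summarize(hits):
    """Count hits, group by directory and original type, find earliest mtime."""
    if not hits:
        return {"count": 0, "by_dir": {}, "by_type": {}, "first_seen": None}
    by_dir = Counter(os.path.dirname(p) for p, _o, _m in hits)
    by_type = Counter(os.path.splitext(o)[1].lower() or "(none)" for _p, o, _m in hits)
    first = min(m for _p, _o, m in hits)
    return {"count": len(hits), "by_dir": dict(by_dir), "by_type": dict(by_type),
            "first_seen": datetime.fromtimestamp(first, tz=timezone.utc)}

def build_sample_tree(root):
    """Constructed sample data: empty files with made-up names."""
    layout = {"docs": ["document.doc.WSmile", "budget.xlsx.wsmile", "notes.txt"],
              "pics": ["photo.jpg.WSmile", "clean.png"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for n in names:
            open(os.path.join(root, sub, n), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = summarize(find_locked_files(tmp))
        print(report["count"], report["by_type"], report["first_seen"])
```

Pointing `find_locked_files` at a mounted backup or file share shows which directories need restoring and which original file types were affected, without opening any of the locked files.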

Most of the WannaSmile Ransomware's files use English names, but the ransoming message it drops after blocking the user's media is in Iranian Persian. The most unusual detail of this note is its demand for an incredibly high payment of twenty Bitcoins for the file-unlocking solution, with an additional increase of one Bitcoin per day past a five-day time limit. This number makes the WannaSmile Ransomware one of the most costly file-locking threats of all time, with the accompanying implication that the threat actors either are targeting multinational corporations or spent no time researching cryptocurrency valuations.

Taking the Smile Off an Iranian Trojan

The zCrypt Ransomware family comes with some default features that could assist with the ransom-tracking process and a possible decryption routine, but paying a cybercrook's fee for file-unlocking services is always risky. The hundreds of thousands of dollars in Bitcoins that the WannaSmile Ransomware requests may not come with a matching decryption response from the threat actor, and malware experts additionally discourage rewarding cybercrooks for breaking the law. Backing up your media to a protected device is always the best protection against a file-locking threat of any type.

File-locking Trojans may come attached to spam e-mail campaigns, but the lesser-used infection vectors range from Web-browsing exploit kits to inaccurately named torrents. Some cybercrooks also prefer to attack specific companies or government networks by manual methods, which users can help prevent through responsible password management. Three out of four AV brands are identifying this threat appropriately, and deleting the WannaSmile Ransomware with a competent anti-malware program is highly advisable for minimizing any damage to your files.

This branch may or may not be the last that malware analysts see of the WannaSmile Ransomware and the rest of zCrypt Ransomware's family. Whether its line ends here or continues to sprout derivatives, it exemplifies how national boundaries can't protect any PC user from efforts to turn their files into bargaining chips.
