Wana Decrypt0r 2.0 Ransomware–Threat In Detail
Wana Decrypt0r 2.0 is a new variant of WannaCry ransomware. But has many things changed as per the older one. This crypto-malware encrypts data on the victims PC by appending “.WNCRY” extension and restricts opening them. Once the encryption been done, Wana Decrypt0r 2.0 changes the desktop background and also leaves a ransom note “@[email protected]” to instruct user on how to pay the ransom. In case your PC is infected with Wana Decrypt0r 2.0, you must avoid paying the ransom and try recovering your files with data recovery tools.
|Name||Wana Decrypt0r 2.0 Ransomware|
|Description||Wana Decrypt0r 2.0 Ransomware encrypts files, videos, images and texts stored on the target PC and demand a ransom amount from users to decode the files.|
|Occurrence||spam mail attachments., exploit kits, malicious links and java script codes..|
|Possible Symptoms||The ransom note can be seen on desktop and other file directories and files could not be accessible.|
|Detection Tool||Download the Detection tool– To confirm attack of Wana Decrypt0r 2.0 Ransomware virus on your computer.|
Wana Decrypt0r 2.0 Ransomware is distributed via email spam attachments which might be in the form of a RAR, ZIP and un-archived DOCX-files that containing malicious macro.
The payloads of the virus could enter through spam mail attachment, via torrents, spam bots, fake updates and many such. The file can be dropped as zipped folder named as wcry.zip.
This zipped folder may contain various files:
More about Wana Decrypt0r 2.0 Ransomware
Wana Decrypt0r 2.0 ransomware then starts to extract the files and connect to the TOR network in order to receive command and control. The following servers could be used for establishing connection:
After connection been done, Wana Decrypt0r 2.0 ransomware grants itself the administrative privileges to actions without any further permission of users. Also, it may stop various window’s processes running under task manager.
Mysqld.exe Sqlwriter.exe Sqlserver.exe MSExchange Microsoft.Exchange
Additionally, Wana Decrypt0r 2.0 ransomware also modifies window’s registry to schedule auto-launch as the windows starts.
→ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ HKCU\Software\WanaCrypt0r\ HKCU\Software\WanaCrypt0r\wd HKCU\Control Panel\Desktop\Wallpaper
After that, Wana Decrypt0r 2.0 ransomware starts its encryption process and encrypts data with .WNCRY extension. It also drops a program named @[email protected] that runs a timer along the instruction on how to pay the ransom.
List of file extension encrypted
→ .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .msg, .ost, .pst, .potm, .potx .eml, .der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .asp, .java, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc, .jar,