

WannaCash is an encryption ransomware trojan used to extort money from computer users.

Payload

Once WannaCash is installed on the victim's computer, it uses AES-256 encryption to make the victim's files inaccessible. WannaCash specifically targets computers using Russian language settings, and its ransom note and language seem to indicate that it is designed to target Russian speakers exclusively. The WannaCash attack is straightforward and follows a pattern that has been observed countless times before.

WannaCash runs as 'lock.exe' on the infected computer. It drops two text files on the infected computer, 'key.txt' and 'Расшифровать файлы.txt' (Decrypt files.txt). WannaCash renames the encrypted files by adding the string 'encrypted' to the beginning of the file's name and enclosing the rest of the file's name in parentheses, a marked departure from most ransomware Trojans, which simply add a new file extension to the compromised files.

After encrypting the victim's files, WannaCash delivers its ransom note, which demands a ransom payment from the victim. An approximate translation of the WannaCash ransom note from Russian into English reads:

Activity of [system version] is blocked
Access to the files and system has been blocked. Unlock Windows key and desktop.
All instances of files on the disk with the following extensions have been encrypted using AES-256 block cipher.
.doc .docx .xls .xlsx .xlst .ppt .pptx .rtf .pub .pps .ppsm .pot .pages .indd .odt .ods .pdf .zip .rar .7z .jpg .png .mp4 .mov .avi .mpeg .flv .psd .psb
The encryption is not final and can be reverted.
Fix:
Restoring, reinstalling Windows will lead to nothing. When you try to remove or disrupt the program, you take the risk of remaining with corrupted files.
------
Files
Yandex wallet [410017171730353] | Amount: 5000
------
We guarantee that you will be able to safely and easily restore all your files, as well as restore the previous state of the system.
1. Transfer the specified amount to the Yandex wallet. Choose cash or bank transfer.
2. After the successful transfer, click on the "I paid" button to check the crediting of funds. If the result is positive, the system will be unlocked automatically.
But we do not have much time. Every 10 minutes, defective files will be irrevocably deleted at random.

The ransom payment demanded by WannaCash is approximately 80 USD when converted from rubles. One aspect of WannaCash that stands out is its use of Yandex for payment, which requires real-world ID, making it possible for the criminals responsible for WannaCash to be identified.
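The file-name indicators described in the Payload section (the 'lock.exe' image name, the two dropped text files, and the 'encrypted' plus parentheses rename applied to the extensions listed in the ransom note) can be checked against a file listing during triage. The following is an added example, not code from the original page; the function names `classify` and `triage` are hypothetical, the exact spacing of the rename is an assumption, and the sample listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above (file names only).
EXECUTABLE = "lock.exe"
DROPPED = {"key.txt", "расшифровать файлы.txt"}
# Extensions listed in the ransom note.
TARGETED = set(
    ".doc .docx .xls .xlsx .xlst .ppt .pptx .rtf .pub .pps .ppsm .pot .pages "
    ".indd .odt .ods .pdf .zip .rar .7z .jpg .png .mp4 .mov .avi .mpeg .flv "
    ".psd .psb".split()
)
# ASSUMPTION: spacing is not given on the page; accept "encrypted(x)" and "encrypted (x)".
RENAMED = re.compile(r"^encrypted\s*\((?P<orig>.+)\)$", re.IGNORECASE)


def classify(path):
    """Return (kind, detail) for one path, or None when no indicator matches."""
    name = PureWindowsPath(path).name
    folded = name.casefold()
    if folded == EXECUTABLE:
        return ("executable", name)
    if folded in DROPPED:
        return ("dropped_file", name)
    m = RENAMED.match(name)
    if m and PureWindowsPath(m["orig"]).suffix.lower() in TARGETED:
        return ("renamed_file", m["orig"])  # detail = original file name
    return None


def triage(paths):
    """Summarise a file listing: hits per kind plus a coarse verdict."""
    hits = {"executable": [], "dropped_file": [], "renamed_file": []}
    for p in paths:
        result = classify(p)
        if result:
            hits[result[0]].append(result[1])
    # key.txt / lock.exe are common names: only co-occurrence with renames is strong.
    strong = hits["renamed_file"] and (hits["dropped_file"] or hits["executable"])
    verdict = "likely" if strong else "review" if any(hits.values()) else "no_indicators"
    return verdict, hits


# Constructed sample listing (not from a real host).
SAMPLE = [
    r"C:\Users\a\Desktop\encrypted (budget.xlsx)",
    r"C:\Users\a\Desktop\Расшифровать файлы.txt",
    r"C:\Users\a\Desktop\key.txt",
    r"C:\Users\a\Documents\encrypted(notes).log",
    r"C:\Users\a\Documents\report.pdf",
]
```

Calling `triage(SAMPLE)` returns the verdict together with the original names recovered from the renamed files, which gives a first inventory of what was affected.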

Community content is available under CC-BY-SA unless otherwise noted.