WannaDie is an encryption ransomware trojan for Microsoft Windows, designed to take victims' files hostage through the use of a strong encryption algorithm. Although it presents itself as a variant of the infamous WannaCry, WannaDie is a version of HiddenTear.

Payload

Transmission

WannaDie is delivered through malicious email attachments, which commonly include embedded macro scripts that download and install WannaDie onto the victim's computer.

Infection

WannaDie marks every file it encrypts by adding the file extension 'wndie' to the file's name.

WannaDie uses a combination of AES and RSA encryption to make the victim's files unusable. It targets user-generated files and leaves untouched the Windows system files that Windows needs to keep functioning (and to deliver a ransom note to the victim). The files that may be encrypted in a WannaDie attack include:

.1cd, .csv, .dat, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dt, .DT, .ged, .hbk, .htm, .html, .key, .keychain, .md, .pps, .ppt, .pptx, .sdf, .tar, .tax2014, .tax2015, .txt, .vcf, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml.

WannaDie delivers its ransom demands in the form of a text document named 'ReadMe.txt,' which WannaDie will drop on the infected computer's desktop. This ransom note contains a message written in Russian. A translation to English of WannaDie's ransom note reads:

'Ooops, your important files are encrypted.
If you read this text, but do not see the window "Wanna die decrypt0r", then your antivirus has removed the decryptor. Disable antivirus software or remove it from your computer.'

More information can be found in the program window generated by the WannaDie Ransomware, which includes the following text:

'Files are encrypted, what should I do?
WHAT HAPPENED WITH MY COMPUTER?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer available, because they have been encrypted. Perhaps you are busy searching for a way to restore your files, but do not waste your time. No one can recover your files without our decryption service.'

WannaDie also delivers its ransom note in a program window that gives the victim 24 hours to pay the ransom, which may be hundreds of Rubles, payable in Bitcoin to a specific Bitcoin wallet address.
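
A read-only triage script for the two file-system indicators described above (the 'wndie' extension and the 'ReadMe.txt' note), added here as an example and not taken from the original article or from any vendor tool. It assumes the marker is appended after the original extension; the names `triage` and `demo` and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER_EXT = ".wndie"     # extension the article says is added to encrypted files
NOTE_NAME = "readme.txt"  # ransom note file name from the article (case-insensitive match)


def triage(root):
    """Inventory marked files and ransom-note candidates under root (read-only)."""
    encrypted, notes, by_type, mtimes = [], [], Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(MARKER_EXT) and len(name) > len(MARKER_EXT):
                encrypted.append(path)
                # Assumption: the marker is appended after the original extension,
                # so stripping it recovers the original file name.
                original = Path(name[: -len(MARKER_EXT)])
                by_type[original.suffix.lower() or "(none)"] += 1
                mtimes.append(path.stat().st_mtime)
            elif lower == NOTE_NAME:
                # ReadMe.txt is a common name: a candidate for review, not proof.
                notes.append(path)
    # Oldest and newest modification times bracket when the encryption ran.
    window = (min(mtimes), max(mtimes)) if mtimes else None
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "by_type": by_type, "mtime_window": window}


def demo():
    """Run triage over a constructed directory tree (sample data, not real artifacts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        (root / "Documents" / "tax").mkdir(parents=True)
        for rel in ("Desktop/ReadMe.txt", "Documents/report.docx.wndie", "Documents/notes.txt",
                    "Documents/budget.xlsx.WNDIE", "Documents/tax/2015.tax2015.wndie"):
            (root / rel).write_bytes(b"constructed sample")
        result = triage(root)
        # Return paths relative to the temporary root so the result outlives it.
        for key in ("encrypted", "notes"):
            result[key] = [p.relative_to(root).as_posix() for p in result[key]]
        return result


if __name__ == "__main__":
    print(demo())
```

The per-type counts show which of the targeted document types were hit, and the modification-time window gives a starting point for correlating mail and macro execution logs.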

Removal

All files can be unlocked with this code: 7HAR2NTX-YC8APT4B-4H7H62JP-A2QLWNHU-ZWYX5J4J-W29P6M9W-KS3LKAP4-BML5WTS2.

Community content is available under CC-BY-SA unless otherwise noted.