
WanaCry4 Ransomware

Posted: August 10, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 4,616
First Seen: August 10, 2017
Last Seen: June 10, 2023
OS(es) Affected: Windows

The WanaCry4 Ransomware is a Trojan based on the CryptoWire Ransomware that uses encryption to lock your files before demanding ransom payments for their decryption. This threat is unrelated to the '.wcry File Extension' Ransomware or the WannaCryptor Ransomware family and appears to use its name to mislead its victims with a well-known brand. Backing up your work when appropriate or using free decryptors can provide recovery options not requiring payment, and most anti-malware programs should identify and remove the WanaCry4 Ransomware as threatening software.

Faking Versions of Real Trojans for Easy Money

Most threat actors who bother to keep track of their competitors are aware of Trojan families like the WannaCryptor Ransomware, which various con artists are pushing onto arbitrary PCs to sabotage digital content. More often than not, a successful campaign prompts a new Trojan's author to misappropriate that program's branding. The WanaCry4 Ransomware is a fraudulent variant of the WannaCryptor Ransomware, but it does include actual encryption features, which malware experts presume are based on the open-source CryptoWire Ransomware.

The WanaCry4 Ransomware encrypts content, such as documents, that it finds both on local drives and on any detachable or network-accessible ones. After finishing the AES-256 encryption process, it uploads the decryption key to a Command & Control server that the threat actor controls remotely. Then, the WanaCry4 Ransomware generates one of the few elements missing from the earlier CryptoWire Ransomware: a pop-up carrying its ransom instructions. The window displays a GUI that lists all blocked files, a Bitcoin-purchasing option, and a decryption option (supposedly available after paying).

The template of the WanaCry4 Ransomware ransom alert is a general resource used in other Trojan campaigns not directly related to this threat. Malware analysts also noted an unusual detail in the WanaCry4 Ransomware's encryption-marking methodology: it inserts its extension between the base name of the file and the original extension (for instance, 'picture.gif' would become 'picture.encrypted.gif').

Minimizing the Crying Over the WanaCry4 Ransomware Extortion

As an AutoIT-based Trojan, the WanaCry4 Ransomware is compatible with most versions of the Windows OS and can block content like documents, spreadsheets, pictures, and other media automatically and without any symptoms. Since one of the easiest ways to damage an encrypted file irreparably is to run it through an incompatible decryption process, malware experts suggest that you always copy any files before restoring them through free decryption tools. Backing up your work regularly to devices left unattached from your PC also can give you alternative restoration options that don't depend on a decryptor.
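As an added example, not code from this write-up or from any analysis of the sample, the following Python script applies the two practical points above: it recognises the inserted-extension marker (the 'encrypted' string comes from the page), recovers the original filename, applies a simple triage rule for a folder listing (the thresholds are assumptions), and keeps an untouched copy of a file before any decryptor is tried on it.

```python
import shutil
from pathlib import Path, PurePath

# Marker described in the write-up: inserted between the base name and the
# original extension ('picture.gif' -> 'picture.encrypted.gif').
MARKER = ".encrypted"

def original_name(filename):
    """Return (original filename, True) when the inserted marker is present,
    otherwise (filename unchanged, False)."""
    suffixes = PurePath(filename).suffixes
    if len(suffixes) >= 2 and suffixes[-2].lower() == MARKER:
        marked_tail = suffixes[-2] + suffixes[-1]
        return filename[: -len(marked_tail)] + suffixes[-1], True
    return filename, False

def find_marked(filenames):
    """Map every marked filename to the name it had before encryption."""
    hits = {}
    for name in filenames:
        orig, marked = original_name(name)
        if marked:
            hits[name] = orig
    return hits

def looks_like_mass_encryption(filenames, min_fraction=0.5, min_count=3):
    """Triage rule (an assumption, not from the page): flag a listing when at
    least min_count files and at least min_fraction of them carry the marker."""
    hits = find_marked(filenames)
    return len(hits) >= min_count and len(hits) / max(len(filenames), 1) >= min_fraction

def copy_before_restore(path, backup_dir):
    """Keep an untouched copy before a decryptor touches the file, as the
    write-up advises; returns the path of the copy."""
    path, backup_dir = Path(path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / path.name
    shutil.copy2(path, dest)
    return dest

# Constructed sample listing, not taken from a real infection.
SAMPLE = ["picture.encrypted.gif", "report.encrypted.docx",
          "archive.tar.encrypted.gz", "encrypted.gif", "notes.txt"]

if __name__ == "__main__":
    for marked, orig in find_marked(SAMPLE).items():
        print(f"{marked} -> {orig}")
    print("mass encryption suspected:", looks_like_mass_encryption(SAMPLE))
```

Note that a file simply named 'encrypted.gif' is not flagged, because the marker must sit between a base name and a final extension.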

Malware experts are still identifying any installation exploits that the WanaCry4 Ransomware might be using. File-encrypting Trojans often distribute themselves with the assistance of forged e-mail content and website exploits. For less targeted methods, victims also may compromise their PCs unintentionally after downloading mislabeled files or by using unsafe network passwords that are vulnerable to brute-force apps. Most anti-malware products are just beginning to identify and remove the WanaCry4 Ransomware, and you may need to update your security software's threat database to guarantee an accurate detection.

The name of a Trojan can be either a clue to its point of origin or a trap that's meant to lead victims in the wrong direction. Going by the looks of threats like the WanaCry4 Ransomware can be just as much of a mistake as paying money for the chance of a decryption feature that the threat actor may or may not feel merciful enough to provide.
