WannaPeace Ransomware
Posted: November 30, 2017
Threat Metric
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 97 |
| First Seen: | March 12, 2022 |
| Last Seen: | March 29, 2022 |
| OS(es) Affected: | Windows |
The WannaPeace Ransomware is a file-locking Trojan that can block the data on your PC, such as text documents, compressed archives, or images, with a cipher. Because this function takes time to finish, the Trojan distracts the user by displaying a fake Adobe software-themed pop-up until the payload completes. Malware analysts recommend blocking this threat upfront with appropriate security protocols, although some anti-malware programs can also detect and uninstall the WannaPeace Ransomware after the infection.
A Reading of the Worst Kind of Document
After the Curumim Ransomware, the BugWare Ransomware, and other file-locking Trojans, Brazil is nowhere near safe from Trojans that block media in return for money. At least one new threat actor is starting another campaign in the same vein at the end of November. It delivers messages specific to Brazilian users and covers for itself with a disguise that misrepresents a legitimate brand of software. Unlike similar threats, the WannaPeace Ransomware doesn't merely use a fake file name; instead, it embeds an Adobe PDF tactic directly into the same payload that it uses for the rest of its features.
For the moment, the WannaPeace Ransomware attacks only the files on a 'testes' folder on the infected PC, which is a common precaution that threat actors implement for limiting the damage to their test environment systems. It blocks a range of file formats within that folder by encrypting them and adds the '_enc' string to any already-present extensions (instead of creating a new one). This feature isn't instantaneous, but the WannaPeace Ransomware conceals its activities by displaying a fake Adobe PDF-loading screen for Reader XI.
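A defender-side triage sketch for the renaming behavior described above, added here as an example and not taken from the original article or any vendor tool. It assumes the rename has the shape `name.ext_enc`; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

MARKER = "_enc"           # string the page says is appended to existing extensions
TEST_DIR_NAME = "testes"  # folder the page says the current build targets


def is_marked(filename):
    """True when the extension (text after the last dot) ends in MARKER.

    Assumed rename shape: 'report.docx' -> 'report.docx_enc'. Names such as
    'video_enc.mp4' or 'notes_enc' keep the string in the base name: no match.
    """
    stem, dot, ext = filename.rpartition(".")
    return bool(stem and dot) and len(ext) > len(MARKER) and ext.lower().endswith(MARKER)


def triage(root):
    """Return {directory: (marked, total, under_testes)} for directories with hits."""
    counts = defaultdict(lambda: [0, 0])
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            counts[dirpath][1] += 1
            counts[dirpath][0] += is_marked(name)
    report = {}
    for dirpath, (marked, total) in counts.items():
        if marked:
            parts = os.path.normpath(dirpath).lower().split(os.sep)
            report[dirpath] = (marked, total, TEST_DIR_NAME in parts)
    return report


def build_sample(root):
    """Create a constructed sample tree (not real infection data)."""
    layout = {"testes": ["a.docx_enc", "b.jpg_enc", "c.zip_enc", "readme.txt"],
              "Documents": ["video_enc.mp4", "notes_enc", "plan.xlsx"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, (marked, total, under) in triage(tmp).items():
            print(f"{path}: {marked}/{total} marked, under testes: {under}")
```

Because the page notes that the payload could be reconfigured for other directories, the report lists every directory with marked files and only flags, rather than filters on, the 'testes' folder.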
The threat actor is trying to generate money from these attacks with an HTML application-based pop-up, which offers to sell the victims a decryptor to unblock their files. The message employs poorly translated Brazilian Portuguese, multiple timer-related warnings, and a simple Bitcoin currency interface. The ransom note also claims that all the money will go towards the victims of an unspecific war, almost certainly as additional emotional leverage to encourage quick payments.
Closing the Book on Fake PDF Texts
Even though Adobe-brand disguises are very archetypal for different families of file-locker Trojans, malware experts often find that these tactics confine themselves to the names of the installers. By placing its hoax in the payload, along with its data-enciphering and pop-up features, the WannaPeace Ransomware delivers a multi-featured attack that actively distracts its victims instead of relying on them not paying attention to the activities of a program on their PC. Brazilian PC users should be especially cautious about opening potentially fake PDF documents attached to unexpected e-mail messages, which are a favorite infection strategy for Trojans of this classification.
There is currently no decryption software available for unlocking any files that the WannaPeace Ransomware encodes. A reconfiguration of this threat's payload for attacking other directories could occur at any point, and malware experts strongly endorse having a prepared and rigorous backup schedule in place for protecting your media. Otherwise, removing the WannaPeace Ransomware as soon as possible with appropriate anti-malware tools is the only way of keeping documents and other content from becoming unreadable.
With very few anti-malware solutions identifying the WannaPeace Ransomware as a threat, this Trojan is a working showcase of how a cybercrook can get past a PC's security, both the software and the user. Updating your anti-malware programs whenever they provide patches to their databases can keep a file-locking campaign from getting the jump on your data.