WannaSmile is a new ransomware infection whose features closely resemble those of the infamous ZCrypt. Named to piggyback on the notoriety of the WannaCry ransomware, the new crypto-threat encrypts the data on the computer and urges victims to pay a whopping 20 Bitcoins (BTC) to get their files back. Since the ransom note is written in Iranian, WannaSmile’s main targets are users in the Arabian-speaking countries.
The Infection Vector of the WannaSmile Ransomware
WannaSmile, like most ransomware threats, may reach computer users through a multitude of channels including, but not limited to, fake software update prompts popping up on malware-infested websites, spam emails containing potentially untrusted links, and malvertising. Even though the latter may look like genuine ads from legitimate software vendors offering PC users useful software tools, they are aimed solely at infecting as many machines as possible.
The Infection Process Used by the WannaSmile Ransomware
WannaSmile, once activated, encrypts all valuable data files, appending a .WSmile extension after the real extension of each affected file. It then drops the ransom note in the form of a .html file called “How to decrypt files”.
The note, which is written in Iranian, demands that the victim send a payment of 20 BTC to a specific bitcoin address and then confirm by e-mail to wannasmile[at]tuta.io. Victims are pressed to act within five days; after that, the ransom amount rises by one bitcoin a day. Finally, the note lists a few bitcoin exchanges, supposedly as starting points for the victims.
In English, the WannaSmile ransom note reads:
Your system is infected with the WannaSmile Ransomware virus, all your important files, including databases and backups, are encrypted with complex encryption algorithms, so you will not be able to access files, only we can decrypt.
In the event that we do not receive a fee for our bitcoin-purse a maximum of 5 days after infection, then 1 bitcoin will be added daily to the original amount (20 bitcoins). You must pay an amount of 20 bitcoins to decrypt your files, at the following address: 1KvmWVRxqw8HeFpR2tHBaoTJiTczU7PRzw
And once you pay, do not forget to send us an email to wannasmile[at]tuta.io so we can send you a file from which you can restore all the files and infected systems to their original state.
You can buy bitcoins at one of the following currency exchangers:
Aftermath and Possible Options
Given that ransomware operators rarely provide a working decryption key even when the victim has paid the entire ransom, there is no point in paying a single dime this time either, let alone 20 BTC. Fortunately, there are two pieces of good news. First, there are both automatic and manual ways to remove the entire WannaSmile infection. Second, encrypted .WSmile files are not necessarily lost beyond repair. They can be restored using specialized data recovery software or a system restore point, as long as the PC user has made one. Before doing that, however, computer users may try to export the files from the Volume Shadow Copies, as they may still be present on the PC.
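Before choosing a restore point or shadow copy, it helps to know what was hit and when. The read-only triage script below is an added example, not part of the original article or of any vendor tool; it inventories .WSmile files and ransom notes under a directory. The note's exact file name and the reliability of file timestamps are assumptions.

```python
import os
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".wsmile"         # extension named in the article (matched case-insensitively)
NOTE_STEM = "how to decrypt files"   # ransom note title from the article
NOTE_SUFFIXES = (".html", ".htm")    # assumption: the article does not give the exact file name


def triage(root):
    """Walk root and summarise WannaSmile artefacts without modifying anything."""
    encrypted, notes, by_type = [], [], Counter()
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if ext.lower() == ENCRYPTED_SUFFIX:
                # The marker is appended after the real extension,
                # e.g. report.docx.WSmile, so the stem is the original name.
                by_type[os.path.splitext(stem)[1].lower() or "(none)"] += 1
                encrypted.append((path, stem))
                mtime = os.path.getmtime(path)
                earliest = mtime if earliest is None else min(earliest, mtime)
            elif stem.lower() == NOTE_STEM and ext.lower() in NOTE_SUFFIXES:
                notes.append(path)
    return {
        "encrypted": encrypted,   # (path on disk, original file name)
        "notes": notes,
        "by_type": dict(by_type),
        # Assumption: the malware did not reset timestamps, so the earliest
        # modification time approximates when encryption started. Restore
        # points or shadow copies older than this predate the damage.
        "earliest_encryption": (
            datetime.fromtimestamp(earliest, tz=timezone.utc)
            if earliest is not None else None
        ),
    }


if __name__ == "__main__":
    import sys
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(report['encrypted'])} encrypted files, "
          f"{len(report['notes'])} ransom notes")
    print("by original type:", report["by_type"])
    print("earliest encrypted-file timestamp (UTC):", report["earliest_encryption"])
```

Run it against a copy or a read-only mount of the affected volume so the timestamps it relies on are not disturbed.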