How to remove / fix ransomware WannaCry

If you have unfortunately fallen victim to the ransomware that is stirring up many countries, this is how you handle WannaCry and protect your computer and your data.

If you have followed the news over the last 24 hours, you will know about the global ransomware attack called WannaCry. The attack has left many organizations unable to access files on their computers, including the UK's National Health Service (NHS) and the shipping company FedEx. Although it seems to be aimed more at Europe, that doesn't mean you are out of WannaCry's "coverage". Here's what you need to know about this type of ransomware and how to deal with a WannaCry infection.

What happens when WannaCry attacks?

If the computer is infected, WannaCry encrypts the data on it and demands that the user pay a sum to unlock the files. Normally the fee is about $300. It requires payment in Bitcoin so that the recipients cannot be traced.

If the victim does not pay, the amount the attacker demands doubles after 3 days. Then, if no Bitcoin is paid, the encrypted files will be deleted. WannaCry also includes a Read Me text file with detailed information about what will happen next, depending on your decision. If you or your organization is infected with this ransomware, here are a few important tips to remember.

Computer screen infected with WannaCry

How to protect your computer from a ransomware attack?

Up to this point, it is difficult to decrypt the infected files. However, a famous cyber security company called Symantec is looking for a way to decode them more easily. If you do not want yourself or your organization to become a victim of the WannaCry attack, follow these steps.

  1. Always keep your firewall and antivirus software up to date to protect your computer.
  2. Update the operating system regularly, so that it includes new patches and cannot be exploited by hackers through known flaws.
  3. Email is one of the popular ways for WannaCry and similar ransomware to infiltrate computers, so don't click on or open strange document files.
  4. Back up all important data. This leaves the attacker with nothing to hold over you. You should also keep backups on servers, external storage devices or other media that don't use the Internet.

To remove WannaCry, you will need to use Safe Mode. Here's how to turn on Safe Mode on your computer. Also note that the information below is based on research and does not guarantee that WannaCry can be removed from your computer. To follow the instructions below, you will need to read this article on another device, because during the operation you will have to close the browser.

How to turn on Safe Mode

  1. On Windows XP and Windows 7: Press F8 before Windows starts. On the Boot Menu, select Safe Mode with Networking and press Enter.
  2. On Windows 8 and 8.1: Go to Start Menu > Control Panel > Administrative Tools > System Configuration. Then find and select Safe Boot and select Networking > Restart. Your computer will start in Safe Mode.
  3. On Windows 10: Go to Start Menu > Settings > Update and Security > Recovery. Then, under Advanced Startup, click Restart Now and let the machine reboot. When the Choose Option screen appears, click Troubleshoot > Advanced Options > Startup Settings > Enable Safe Mode with Networking and press Enter.

Note: On some computers the boot key is not F8; in that case you will need to check the manufacturer's instructions to find this key.

How to remove WannaCry?

Read the steps carefully and make sure you know what you are doing before you start.

Eliminate infected processes

Now you need to find the WannaCry-related processes running on the machine. Press Ctrl + Shift + Esc to open the Task Manager dialog box. Then look closely at the Processes tab to find strange entries.

Malicious processes usually consume a lot of computer resources, such as CPU or RAM. If you see an unusual entry, right-click it and select Open the File > Delete Everything. Be sure to do so only when you are sure the process is related to WannaCry.

Startup programs

Now open Startup Programs by typing System Configuration in the Windows search box. Then select the first result and you will see the list of programs.

If you use Windows 10, you can see the Startup Programs right in Task Manager. On all Windows versions, if you see any program with a strange or suspicious developer name, uncheck it and click OK.

Registry

Open the Windows Run dialog box by pressing the Windows + R key combination. Then type regedit and press Enter.

When you see the Registry Editor, press Ctrl + F and type Ransom.CryptXXX or WannaCry. Delete everything related to these names, and select Find Next to move to the next result.

Virus-infected files

Finally, don't forget to delete all files that are likely to be infected. On the Start Menu, type each of the following in turn: %AppData%, %LocalAppData%, %ProgramData%, %WinDir%, %Temp%. Each time you search for one of these names, a folder will appear; sort it by time and delete the most recent folders and files. Alternatively, you can go to the Temp directory and delete everything in it.

Although not 100% guaranteed, the above guidelines may help you remove WannaCry from your computer.
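A read-only inventory to run before deleting anything in the steps above, as an added example that is not part of the original article: it lists the heaviest processes with their executable paths, the Run / RunOnce startup entries, and recently modified files in the folders named above. The 3-day window, the top-15 cut-off, the choice of Run / RunOnce keys and Windows PowerShell 3.0 or later are assumptions of this example.

```powershell
# Read-only triage for the manual steps above: lists candidates, deletes nothing.
# Assumptions of this example: Windows PowerShell 3.0 or later, a 3-day look-back.
param([int]$Days = 3)
$cutoff = (Get-Date).AddDays(-$Days)

# 1. Running processes, heaviest CPU users first, with the path of each executable.
#    Path stays empty for processes the current user may not inspect.
'== Processes (top 15 by CPU time) =='
Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 15 Id, ProcessName, CPU, Path |
    Format-Table -AutoSize -Wrap | Out-String -Width 250

# 2. Programs started at logon through the Run / RunOnce registry keys.
'== Run / RunOnce entries =='
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($leaf in 'Run', 'RunOnce') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\$leaf"
    }
}
$autoruns = @(foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
})
$autoruns | Format-List | Out-String

# 3. Files written since the cutoff in the folders the article names.
#    %WinDir% is listed at top level only, to keep the run short.
"== Files modified in the last $Days day(s) =="
$scan = @{ Path = $env:APPDATA;      Deep = $true  },
        @{ Path = $env:LOCALAPPDATA; Deep = $true  },
        @{ Path = $env:ProgramData;  Deep = $true  },
        @{ Path = $env:TEMP;         Deep = $true  },
        @{ Path = $env:WINDIR;       Deep = $false }
$recent = @(foreach ($s in $scan) {
    Get-ChildItem -LiteralPath $s.Path -File -Force -Recurse:($s.Deep) -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff }
})
# %Temp% normally sits under %LocalAppData%, so drop duplicate paths before sorting.
$recent | Sort-Object FullName -Unique | Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize -Wrap | Out-String -Width 250
```

Save it as a .ps1 file and redirect the output to removable media, so the list can be reviewed on the second device the article recommends.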

Update 23 May 2019