WantMoney Ransomware

Posted by Lisa Blanc on December 12, 2017

What is WantMoney Ransomware?

WantMoney Ransomware is a malicious threat that replaces the victim’s desktop image with a picture of a skull made from dollar signs and placed on a red background. Besides the skull, the new wallpaper might show a ransom note written both in Chinese and English. In it, the malicious application’s creators should ask their victims to transfer a particular amount of money into their account. In exchange, they offer a decryption key with which it is said the user would be able to restore all malware’s affected files. As you see, the infection locks user’s data with a secure cryptosystem to make them unusable. However, we would advise you not to trust the hackers as they could trick you. Instead, we recommend looking for another way to decrypt encrypted files. Those who do not wish to risk their savings should simply get rid of WantMoney Ransomware. To learn how to remove it you could follow the instructions located below the text, but if you want to get to know this threat better too, you should read the article first.testtesttest

Where does WantMoney Ransomware come from?

The malicious application might enter the system via unsecure RDP connections, infected email attachments, fake software installers or updates, and so on. Thus, users are constantly being advised not to keep outdated software on the computer and to be more cautious with data they download from the Internet. The problem with threats like WantMoney Ransomware is that they work silently and the user does not realize he launched a malicious file until it is too late. Therefore, it would be much wiser to scan data received from untrustworthy sources with an antimalware tool first instead of launching such data right away. If you do not have a legitimate antimalware tool yet, you could download it at any time, just make sure it comes from reliable developers.

How does WantMoney Ransomware work?

One installed, WantMoney Ransomware should create data we will list in the deletion instructions located below the text and then start the encryption process. During it, the malicious threat should not just make most of the user’s data unusable or in other words encipher it, but also mark it with a specific second extension. For example, the extension our researchers received while testing the malware was .CJZMX-TQQCZ-PMYCM-BYWUR.Encrypted[B32588601@163.com].WantMoney1. The first part of random characters should be different for each victim and as for the other parts, such as “.Encrypted[B32588601@163.com]” or “.WantMoney1” might be the same to all users who infect their devices with this threat.

Afterward, the malware should replace user’s Desktop image with _Want Money_.bmp, open a pop-up window, and drop a text document called _Want Money_.txt. All of these mentioned files should contain a message or to be more precise a ransom note. According to our researchers, the hackers demand to be paid 0.1 BTC or approximately 1.667 US Dollars. No doubt, the sum is quite large, and it would be unwise to risk it when there are no guarantees you will get the decryption key. WantMoney Ransomware’s creators might promise to send it in their ransom note, but in reality, there is a possibility they could trick you. Thus, instead of risking your savings, we advise you to look for backup copies you could use to recover your files. Just keep it in mind before any new data is added or before you transfer any copies it would be safer to remove the infection first.

How to eliminate WantMoney Ransomware?

Deleting the malware manually might be quite complicated since it blocks some of the system's tools. Nonetheless, if you are ready for such a task we would recommend following the instructions placed a bit below this text carefully. The provided steps will explain how to restart the system in Safe Mode and deal with all the malicious application’s created files one by one. On the other hand, if it looks too difficult, you could complete the first part to restart the computer in Safe Mode with Networking; then download a legitimate antimalware tool, perform a full system scan, and erase WantMoney Ransomware with other possible threats with a single mouse click.

Restart the system in Safe Mode with Networking

Windows 8/Windows 10

  1. Press Windows key+I for Windows 8 or open the Start menu for Windows 10.
  2. Click the Power button
  3. Press and hold the Shift key and click Restart.
  4. Choose Troubleshoot and pick Advanced Options.
  5. Select Startup Settings and click Restart.
  6. Press the F5 key and restart the PC.

Windows XP/Windows Vista/Windows 7

  1. Go to Start, pick Shutdown options and click Restart.
  2. Press and hold the F8 key when the computer starts restarting.
  3. Select Safe Mode with Networking from Advanced Boot Options window.
  4. Click Enter and log on to the computer.

Erase WantMoney Ransomware

  1. Press Windows key+R.
  2. Insert Regedit and click OK.
  3. Go to the provided directory: HKEY_LOCAL_MACHINE\SOFTWARE\Classes
  4. Look for Registry keys called .WantMoney2, .WantMoney3, .WantMoney4, and so on; in total there should be 29 keys and the last one is supposed to be called .WantMoney30.
  5. Right-click all 29 described registry entries separately and click Delete.
  6. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  7. Locate a value name called Want Money; its value data should show where the malware’s launcher is located.
  8. Copy the location so you could later remove the malicious program’s installer.
  9. Right-click the value name called Want Money and press Delete.
  10. Close Registry Editor.
  11. Press Windows key+E.
  12. Go to the location you just learned.
  13. Find the malware’s installer, right-click it and press Delete.
  14. Find these paths:
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  15. Locate files called Want Money.lnk, right-click them and select Delete.
  16. Navigate to:
    %USERPROFILE%\Desktop
    %HOMEDRIVE%
  17. Erase data called _Want Money_.bmp.
  18. Close File Explorer.
  19. Empty Recycle bin.
  20. Restart the device. 100% FREE spyware scan and
    tested removal of WantMoney Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *