Pierluigi Paganini September 26, 2019

Researchers at Emsisoft security firm have released a new free decryption tool for the WannaCryFake ransomware.

Good news for the vicitms of the WannaCryFake ransomware, researchers at Emsisoft have released a FREE decryption tool that will allow decrypting their data.

WannaCryFake is a piece of ransomware that uses AES-256 to encrypt a victim’s files. The ransomware appends the following file extension to encrypted file:

“.[<id>][recoverydata54@protonmail.com].WannaCry”

“According to the ransomware distributors, the price of decryption depends on how quickly you email them, but under no circumstances should you attempt to make contact.” states the port published by Emsisoft.

The ransom note dropped by the WannaCryFake ransomware states:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail recoverydata54@protonmail.com

also You can use telegram ID:@data54

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.

Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Jabber client installation instructions:

Download the jabber (Pidgin) client from https://pidgin.im/download/windows/

After installation, the Pidgin client will prompt you to create a new account.

Click “Add”

In the “Protocol” field, select XMPP

In “Username” – come up with any name

In the field “domain” – enter any jabber-server, there are a lot of them, for example – exploit.im

Create a password

At the bottom, put a tick “Create account”

Click add

If you selected “domain” – exploit.im, then a new window should appear in which you will need to re-enter your data:

Userpassword

You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)

If you don’t understand our Pidgin client installation instructions, you can find many installation tutorials on youtube – https://www.youtube.com/results?search_query=pidgin+jabber+install

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Victims of the malware can download the WannaCryFake Decryptor here.

“Regardless of what the ransom note might say, our decryption tool can help you recover your files for free and will not cause permanent data loss. Please get in touch with our support team if you have any questions.” concludes Emsisoft.

In August, security researchers at Emsisoft released a decryptor tool that allows the victims of the JSWorm 4.0 ransomware to decrypt their files for free. In May Emsisoft experts released a free Decrypter tool for the JSWorm 2.0 variant.

In July the company released other free decryptors for the LooCipher ransomware, the ZeroFucks ransomware, and the Ims00rry ransomware.

Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]