Home / Spyware Help / Wannasmile Ransomware Removal Guide

Wannasmile Ransomware Removal Guide

by 0 Comments

Do you know what Wannasmile Ransomware?

Wannasmile Ransomware is one of the newest ransomware infections our malware researchers have come across. This threat uses a name (Wannasmile) of a legit program that can stop WannaCry Ransomware, so the chances are high that some users download it themselves from some kind of dubious page expecting that they could use it against WannaCry Ransomware. No matter users allow Wannasmile Ransomware to enter their PCs themselves or it infiltrates their computers without their knowledge, it acts the same in all the cases. Specifically speaking, it goes to encrypt users’ personal files the second it affects their computers. Cyber criminals develop ransomware infections because they want users’ money. This is the reason ransomware infections they release encrypt users’ files immediately too. If you are reading this article because you have become one of those unfortunate users who have encountered Wannasmile Ransomware and found their .txt, .jpeg, .psd, .ppt, .mrv, .odb, .cs, .html, .swf, .pdf, .zip, .7zm, .wmv, and all other files encrypted, you should delete the ransomware infection from your system right away so that it could not encrypt your new files. It creates a point of execution (POE) in the Run (HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN) registry key, so it can start working together with the Windows OS and lock your new files with every new launch. The full Wannasmile Ransomware removal is the only way to prevent this from happening.

No doubt Wannasmile Ransomware has already infiltrated your computer and made modifications on it if your personal files, i.e. pictures, documents, archives, etc. can no longer be opened and you see .WSmile appended to all of them. This ransomware infection not only locks the personal data, but also drops a ransom note How to decrypt files.html to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Because of this, it is opened automatically on the screen on system startup. You will be asked to send a certain amount of money to the indicated Bitcoin address to get your files decrypted, but you should not do this because you do not know whether you could decrypt your files after you send your money to ransomware developers. We cannot promise that you could decrypt your files without the special decryptor in your case, but we are sure that there is a way to restore those encrypted files for free. You only need to have copies of those affected files to do this.Wannasmile Ransomware Removal GuideWannasmile Ransomware screenshot
Scroll down for full removal instructions

Let’s talk about Wannasmile Ransomware from the technical perspective too. Research has clearly shown that this infection drops a file WannaSmile.exe to %APPDATA% and creates a POE in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\WannaSmile.lnk when it is launched. Additionally, it makes changes in the system registry as well. Specifically speaking, it creates a Value WANNASMILE in HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN. Yes, it is quite a sophisticated infection, but we believe you will remove it yourself with the help of our manual removal guide after reading this article.

It is hard to say how Wannasmile Ransomware has infiltrated your computer, but we are sure you know nothing about its entrance. Usually, ransomware infections affect users’ PCs when they launch malicious attachments from spam emails themselves. Also, they might download these threats from dubious pages by mistake. No matter why you have Wannasmile Ransomware on your computer, you must disable this threat as soon as possible so that it could not cause more harm to you. The last paragraph of this article will tell you how to do that. Once this infection is disabled, do not forget to install reputable security software on your PC to protect your system from other harmful malicious applications.

To fully delete Wannasmile Ransomware from your computer, you need to kill the malicious process, undo the changes made in the system registry, and delete all files that belong to this malicious application one by one. If the manual method is too challenging for you, you can erase malicious software from your system automatically. Sadly, all these encrypted files will not be unlocked for you when you delete Wannasmile Ransomware.

How to remove Wannasmile Ransomware

  1. Press Ctrl+Shift+Esc.
  2. Open the Processes tab.
  3. Kill the malicious process (it might be named client.exe).
  4. Close Task Manager and launch Run (Win+R).
  5. Type regedit.exe in the box and click OK.
  6. Move to HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.
  7. Delete the WANNASMILE Value and close Registry Editor.
  8. Open Explorer (tap Win+E).
  9. Go to %APPDATA% and delete WannaSmile.exe.
  10. Remove the WannaSmile.lnk shortcut from %AppData%\Microsoft\Windows\Start Menu\Programs\Startup.
  11. Remove How to decrypt files.html from %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
  12. Remove all suspicious files downloaded recently from %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, and %TEMP%.
  13. Empty Recycle bin.

In non-techie terms:

Wannasmile Ransomware is a nasty infection that has been named after the legitimate Wannasmile tool. It slithers onto computers to encrypt users’ files and then demands a ransom from them, so you will find your files locked right away if you ever encounter this ransomware infection. Never pay money to ransomware developers because the chances are high that this will not help you to get your files back. Also, you will encourage them to release more harmful threats by giving them what they want.