How to Remove WannaCryptor ransomware and Decrypt Files

Help! Computer was attacked by WannaCryptor ransomware. This virus attacked all computers in our dormitory! Our computers were all blocked and we could not use them anymore as the entire computer was blocked. It required us to pay for unblocking. But it said that we should pay in Bitcoin. I did not have any Bitcion. What should I do?

Attacked by WannaCryptor ransomware? Click to get rid of it completely.


This malware removal tool is able to detect and remove Ransomware, browser hijacker, redirect virus, adware, PUP and other malware on computer. It also offers one to one online support to fix your issue fully.



What is WannaCryptor ransomware?

WannaCryptor Ransomware is a new virus which is released on Friday. As soon as it is released, it attacks a large scale of computers worldwide. As this virus can distribute by itself, it makes it spread all around the world from one computer to another so rapidly. Leaked NSA files are used by this virus to infect target computers. It has many versions written in different languages. A lot of organizations around the world are attacked by it, such as Telefonica and FedEx. This is a variation of WannaCry or Wana Decrypt0r. Such virus will scan TCP445 port on computer and spread to attack mainframe like a kind of worm. After it encrypts files on target computer and requires money pay in Bitcion.




Besides, WannaCry sample has used DOUBLEPULSAR which is a backdoor with a long history. Such backdoor is usually used to computer which is infected before to access system and execute codes. Such backdoor allows malicious third parties to be installed and activated. it is implanted to infected computer after malicious software has successfully utilized Server Message Block to attacked computer. According to the new toolkit offered by ShadowBrokers, a kind of aggressive loophole can use such backdoor. It seems like WannaCry virus does not only make use of ETERNALBLUE related module, it also scans available server to check whether there is DOUBLEPULSAR backdoor. Once any mainframe has been implanted such backdoor, it will be utilized by this Ransomware to attack computer system. If no available backdoor is found on computer, this Ransomware will try to take advantage of ETERNALBLUE via SMB loophole. This could be the main reason of the large scale spread of such worm.

The Encryption of WannaCryptor ransomware

The starter file mssecsvc.exe will release and execute tasksche.exe file at the beginning, then it checks killswitch domain. After that, it starts building mssecsvc2 service which will use different port to execute mssecsvc.exe file. The second scan will check IP of the infected computer and then try to connect TCP445 port of every IP in the same subnet. While malicious software successfully connects to computer, it starts building connection in order to transfer data. Tasksche.exe file will check hard drives on computer, including network share folders and external drives like C:/ and D:/. Moreover, this virus checks all files and uses 2048 RSA codes to encrypt files. During the process of encrypting, this virus creates a new file catalog named Tor/. Tor.exe and other 9 dll files which can be used by tor.exe will be released In this folder. Furthermore, there are two additional files named taskdl.exe and taskse.exe would be released, too. Taskdl.exe is able to delete temporary files and taskse.exe is used for activating @wanadecryptor@.exe that can display Ransomware statement on screen. @wanadecryptor@.exe file is not included in Ransomware or a kind of Ransomware as it is only used for displaying statement on screen. The encryption activities are performed by tasksche.exe in the background. Once all files are encrypted, a statement will be displayed on screen. The interesting thing is that the statement is an executable file but not a simple image, HTA file or text.

Note: Many victims report that hackers do not decrypt files after getting payment. Thus, experts strongly appeal to victims that all users should avoid and stop paying for decrypting files as paying them only subsidizing those malicious activities and making them stronger. Thus, to stop being trapped, please remove WannaCryptor ransomware timely.




How to Remove WannaCryptor ransomware and Decrypt Files

You need to restore system to the point which is not hacked before. Before restoring system, please do back up your crucial files. You better turn internet off before restoring as it can prevent being infect again. If you are not skilful enough to perform a system restore, please download automatic malware removal tool.
Quick Menu:

Step 1: Use Anti-Malware Tool to Detect and Remove WannaCryptor Ransomware and Other Viruses

Step 2: How to Recover the Encrypted Files

※How to Back up Your Files

Step 1: Use Anti-Malware Tool to Detect and Remove WannaCryptor Ransomware and Other Viruses


→Reboot the PC in Safe Mode


Choose one from the following instructions based on the system you use now. And make sure all external drive like floppy disks have been out of your computer.

For Windows XP/7/Vista


Restart your computer, tap F8 key constantly when it restarts but the Windows logo appears.



The Windows Advanced Options Menu will pop up, you need to use the arrow keys to select Safe Mode option you want, and then hit Enter key.




For Windows 8



Move the mouse to the right side of the screen until the Windows 8 charm menu appears.



Click Settings button and select Power.



Press Shift key all time and then click Restart from Power menu.



Now you are in the Windows 8 boot menu, click on Troubleshoot.



Then Advanced options



Click Startup Settings



Click Restart button in Startup Settings.



Press F4, F5 or F6 to enter Safe Mode.



For Windows 10




While holding down the Shift key, click Restart in Start menu (Click Start button, select Power and click Restart).



Now you are in the Windows 8 boot menu, please click TroubleShot -> Advanced options ->Windows Startup Settings.



Click Restart button in Startup Settings.



Enter Safe Mode by pressing F4, F5 or F6 key.




→Terminate Processes Related to WannaCryptor Ransomware


Right click on the taskbar and then select Start Task Manager/ Task Manager.



Go to Processes tab, find suspicious programs and stop them by click End Task (Win 8&10) / End Process button.




→Run Anti-Malware Tool to Remove WannaCryptor Ransomware

  • Use SpyHunter to Scan You Computer

SpyHunter is a useful anti-malware program which has ability to detect and remove all detected traces of WannaCryptor Ransomware and other threats. With updated virus database, it can scan the system for all types of computer threats including Worms, Trojans, Rootkits, Spyware and PUP, which may degrade computer performance. Now try to run SpyHunter to remove WannaCryptor Ransomware!

Download SpyHunter by clicking on the button below.

WannaCryptor Ransomware-4-0-removebutton


Open the downloaded file (SpyHunter-Installer.exe) to start the Installation.



Select your language and click OK button.



Click Continue button when Enigma Software Installer pops up.



Choose I accept the EULA and Privacy Policy option and click Install button.



When the setup is completed, click Exit button.



After installation is completed, run the SpyHunter, go to “Start a New System Scan” tab, and click “Scan Computer Now!



After the scan is finished, screen shows all detected items in the list (click + to read more details about the infection).

Now, press “Fix Threats” button to remove WannaCryptor Ransomware and other detected threat.



Restart the computer to take effect.


Step 2: How to Recover the Encrypted Files


Option 1: Use Windows Previous Versions feature


Go to File Explorer (My Computer icon), click one folder filled with your encrypted files.


Right click on a folder or a file and select Properties.



Press Previous Versions tab, and then select one of Restore points when files don’t be locked and click Restore button in the pop-up window.



Click Apply and OK button to apply the changes.


Option 2: Use System Restore


  • Open Start menu -> Type system restore into the search box -> press Enter key.


  • In the Restore system files and settings page, you can choose Recommended restore or Choose a different restore point, and then click Next button.



  • Choose a restore point when WannaCryptor Ransomware doesn’t enter your computer and then click Next button.



  • Click Finish button to start System Restore.


  • Click Yes button in the pop-up window and wait for completion of System Restore.


Option 3: Shadow Volume Copies

More information at

※How to Back up Your Files

It is recommended to back up your files regularly in case of data loss. That’s the most used methods to restore files and system settings.

  • Store files in some storage drives including USB Flash Drives, memory card, CD, DVD and so on.
  • Upload files to SkyDrive or OneDrive.
  • Use System Restore Feature, as shown.

(The guide below use Windows 8 as an example)

Move to the bottom left corner and wait for appearance of image-win8-startbutton

Right click on image-win8-startbutton and select Search.



Select Settings and type “restore” in the search box.



Click “Create a restore point” in the search results.



In System Protection tab, click Create… button, which means creating a restore point right now for the drives that have system protection turned on.



In order to identify the restore point, you need to type a description of the restore point, and then click Create button.



The system is creating a restore point, please wait for several seconds.

creating a restore point


And then the window tells you “the restore point was created successfully”.



The result can be seen in System Restore tab ( click System Protection > System Restore). Date and Time, Description and Type will display in the list.




WannaCryptor Ransomware is a dangerous and aggressive Ransomware which should be removed as soon as possible to avoid further lost. To protect your computer from malware, you should keep your system up to date and make sure system has installed all pathes. A professional malware removal tool is needed to improve system protection level.



Share on FacebookShare on Google+Digg thisPin on PinterestShare on LinkedInShare on TumblrShare on RedditShare on StumbleUpon