Are you dealing with “Ooops, Your important files are encrypted” ransomware? If you are seeing this ransom note on your computer, this is an indication of a WannaCry ransomware infection. Your files are encrypted and one of these extensions is appended to their names: .WNCRY, .WCRY or .WNCRYT. The following article should assist you in removing the crypto virus.
“Ooops, Your important files are encrypted” – Distribution Method of WannaCry Ransomware
WannaCry may rely on exploits, vulnerabilities and spam campaigns to distribute its payload on systems. The first exploits associated with the original WannaCry campaign were EternalBlue and DoublePulsar, but more exploits may have been added to the distribution list.
Initially, the ransomware was spreading via the Server Message Block (SMB) protocol. Another replication method deployed by WannaCry is via a worm attack. This is the type of attack where the ransomware spreads automatically from one computer to another – a highly effective and dangerous method of infection.
“Ooops, Your important files are encrypted” – Infection Method of WannaCry
Once inside a computer, the ransomware starts modifying the system. One of these malicious alterations is done with the help of a .VBS script. The ransomware leverages the script to gain admin rights on the infected system. Once this is done, a locked .zip file known as wcry.zip is dropped onto the machine. The file is then extracted into multiple folders in Windows.
WannaCry or “Ooops, Your important files are encrypted” ransomware also deploys at least command and control addresses to establish a connection to TOR sites. This is how information about the infected systems is transferred. The ransomware also grants admin rights so that the wallpaper of the victimized computer is changed to “Ooops, Your important files are encrypted”. In addition, this is when the ransomware encrypts files and performs multiple other malicious tasks.
This is the ransom note used by WannaCry / “Ooops, Your important files are encrypted” ransomware:
Q: What’s wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let’s start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named “@[email protected]”. It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don’t worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking on the decryptor window.
“Ooops, Your important files are encrypted” – Remove WannaCry Ransomware
In order to remove the ransomware, you can rely on the tutorial provided below. Keep in mind that the best removal method according to security researchers is to download an advanced anti-malware product that will help you remove this ransomware infection automatically and will further protect your computer.
Also, security researchers strongly advise against paying the ransom because this is what fuels future ransomware campaigns.
Booting in Safe Mode
For Windows:
1) Hold Windows Key and R
2) A Run window will appear; type “msconfig” in it and hit Enter
3) After the window appears, go to the Boot tab and select Safe Boot
Cut out “Ooops, Your important files are encrypted” in Task Manager
1) Press CTRL+ESC+SHIFT at the same time.
2) Locate the “Processes” tab.
3) Locate the malicious process of “Ooops, Your important files are encrypted”, and end its task by right-clicking on it and clicking on “End Process”
Eliminate “Ooops, Your important files are encrypted”’s Malicious Registries
For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F keys and type “Ooops, Your important files are encrypted” or the file name of the malicious executable of the virus which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located the malicious registry objects, some of which are usually in the Run and RunOnce subkeys, delete them permanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and in the search field type regedit –> Open it –> Hold CTRL + F buttons –> Type “Ooops, Your important files are encrypted” Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> Type regedit –> Hit Enter –> Press CTRL + F buttons –> Type “Ooops, Your important files are encrypted” in the search field.
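The registry search above can also be done from PowerShell. The following is an added example, not part of the original article or of any vendor tool: it only lists Run and RunOnce values whose program sits in the folders named in step 3 or whose command contains "wcry"/"wncry", and deletes nothing. It assumes %Local% and %Roaming% in step 3 mean %LOCALAPPDATA% and %APPDATA%; the helper name Get-AutorunTarget is hypothetical.

```powershell
# Added example: read-only listing of suspicious autorun values. Nothing is deleted.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders the article names. Assumption: %Local% and %Roaming% mean
# %LOCALAPPDATA% and %APPDATA%.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
# Matches a file sitting directly in the root of the system drive.
$driveRoot = '^' + [regex]::Escape("$env:SystemDrive\") + '[^\\]+$'

# Hypothetical helper: pull the executable path out of an autorun command line.
function Get-AutorunTarget([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|scr|bat|cmd|vbs|js))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $target  = Get-AutorunTarget $command
        $reasons = @()
        foreach ($root in $suspectRoots) {
            if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "runs from $root"; break
            }
        }
        if ($target -match $driveRoot) { $reasons += 'runs from drive root' }
        if ($command -match 'wcry|wncry') { $reasons += 'name matches wcry/wncry' }
        if ($reasons) {
            [pscustomobject]@{
                Key = $key; Value = $name; Command = $command
                Reason = $reasons -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Legitimate software also starts from %APPDATA%, so each listed value is a candidate to check against the malicious executable's file name, not a confirmed infection.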
Automatic Removal of “Ooops, Your important files are encrypted”
Recover files encrypted by the “Ooops, Your important files are encrypted” Ransomware.
Method 1: Using Shadow Explorer. In case you have enabled File History on your Windows machine, one thing you can do is use Shadow Explorer to get your files back. Unfortunately, some ransomware viruses may delete those shadow volume copies with an administrative command to prevent you from doing just that.
Method 2: Using third-party decryption tools. Many antivirus providers have decrypted multiple ransomware viruses over the last couple of years and posted decryptors for them. Chances are that if your ransomware virus uses the same encryption code used by a decryptable virus, you may get the files back. However, this is also not a guarantee, so you might want to try this method with copies of the original encrypted files, because if a third-party program tampers with their encrypted structure, they may be damaged permanently. Here are the vendors to look for:
- Kaspersky.
- Emsisoft.
- TrendMicro.
Method 3: Using Data Recovery tools. This method is suggested by multiple experts in the field. It can be used to scan your hard drive’s sectors and hence scramble the encrypted files anew as if they were deleted. Most ransomware viruses usually delete a file and create an encrypted copy to prevent such programs from restoring the files, but not all are this sophisticated. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try and restore at least some of your files: