What to do if your files and data are held hostage by WannaCry ransomware?

Security firms and researchers have found some ways to stop the WannaCry ransomware that hit thousands of computers across the globe, and thanks to them the spread of the malware is in decline.

That’s good news for all PC owners who haven’t been affected yet. However, for users whose data and files are already being held hostage, there are a lot of things to be done to recover those files without paying the perpetrators. In this post, we will show you what you can do to salvage your important files.

For those who have other issues, you can always contact us and tell us more about your computer and the problem so that we can help you find a solution. Fill out our PC issues questionnaire and provide us with accurate information about your machine and the problem. Remember, the accuracy of our troubleshooting guides depends on the information we have.

How to detect if your Windows PC is infected by WannaCry ransomware

Hackers made it a point to let users know their computers are infected so that they can extort money from them quickly. Detection is easy: you will be shown a message telling you that your important files are encrypted and that you need to run decryption software to recover them. This, of course, is a lie, and many users fell prey to it.

You may also see the lock screen named Wana Decrypt0r 2.0, which basically tells you the same thing but also explains how you can recover your files or pay the ransom. Timers on the left side show how much time you have left to make your payment before your files are lost.

How to remove WannaCry ransomware and recover your files

Now, this is the tricky part, because it isn’t easy to remove this worm-like malware completely. You may be able to delete some of its files, but we really can’t be sure that all of them will be removed. The good news is that it’s just another application, and it uses processes and other files. If we manage to stop those processes from running and delete the files it uses, we may have a shot at recovering your files and data without paying the perpetrators, and that’s the most important part.

First off, if your computer does not contain important files but is already infected with this ransomware, then reset it. I don’t mean turning your computer off and on, but wiping the hard drive completely and reinstalling the operating system. After that, make sure you patch the OS by downloading the most recent updates rolled out by Microsoft to prevent infection.

However, if you badly need to recover some files, then here’s what you should do:

Step 1: Run your computer in Safe mode

Starting your computer in safe mode will only load essential services and programs, and more often than not, third-party processes won’t run in it. You have to start your computer in this mode so that there is no interference from third-party elements, and processes that might cause issues are temporarily disabled.

Here are ways to start your computer in safe mode depending on your operating system:

Step 2: Find, stop and delete associated processes

One of the characteristics of malware and its processes is that they often use a large amount of resources such as CPU and RAM, which causes other processes to crash and your computer’s performance to decline. We can always view processes that are running in the background through the Task Manager, so to open it, press CTRL + ALT + Esc.

Look through the Processes tab and find anything suspicious. Look for processes that use up a lot of resources or those that have unusual names. You may then right-click on the process and End it to stop it from running, or you can choose to Open the File and then delete everything under it.

Step 3: Prevent WannaCry program and processes from loading during startup

Malware is often loaded together with system files, so it is often listed under Startup Programs. To view this window, type ‘System Configuration’ into the search bar; the first result shown should be the one you’re looking for.

Un-tick the programs that you suspect are WannaCry services loaded while the computer is starting up. Doing so will limit the functions of the malware, although malware often has ways to jump-start its services.

Step 4: Remove WannaCry registry entries

Now, in this step, you need to try to delete all registry entries that have something to do with the malware. Press CTRL + R, then type ‘regedit’ to launch the Registry Editor. Once inside the editor, press CTRL + F and then type the name of the malware, in this case, WannaCry or Ransom.CryptXXX. You can remove all entries while in this environment, so delete everything that relates to the malware.

Step 5: Delete files associated with WannaCry

After doing all those steps, we are down to one final step, which involves deleting some files that are associated with the virus. More often than not, files that are used and created by third-party apps can be found in the following directories: %AppData%, %LocalAppData%, %ProgramData%, %WinDir% and %Temp%.

You may remove the most recently created files, and when you access the temp folder, you may delete everything in there.
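
The checks in Steps 2 to 5 can be gathered in one read-only pass before anything is deleted. The PowerShell below is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later, and the 7-day look-back window and the extension list are assumptions to adjust.

```powershell
# Added example: read-only triage for Steps 2-5. It lists items to review and deletes nothing.
# Assumes Windows PowerShell 3.0 or later; run from an elevated prompt for complete results.
$LookbackDays = 7                      # assumed window; set it to when the ransom note first appeared
$Since = (Get-Date).AddDays(-$LookbackDays)

# Step 2: running processes with the path of their executable, heaviest memory users first
Get-Process |
    Where-Object { $_.Path } |
    Sort-Object WorkingSet64 -Descending |
    Select-Object -First 15 Name, Id,
        @{ Name = 'MemoryMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB) } }, Path |
    Format-Table -AutoSize

# Steps 3 and 4: startup entries, including those registered under the registry Run keys
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-List

# Step 5: executables and scripts created recently in the directories the article names
$Extensions = '.exe', '.dll', '.bat', '.cmd', '.vbs', '.js', '.ps1'   # assumed list
$UserDirs = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP
$Recent = @(foreach ($dir in $UserDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -and $Extensions -contains $_.Extension }
})
# %WinDir% is checked at the top level only, to keep the listing short
$Recent += @(Get-ChildItem -LiteralPath $env:WINDIR -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -and $Extensions -contains $_.Extension })

# %Temp% normally sits inside %LocalAppData%, so drop duplicate paths before reporting.
# The Authenticode status is a hint for review only: unsigned does not mean malicious.
$Recent | Sort-Object FullName -Unique | Sort-Object CreationTime -Descending | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        Created   = $_.CreationTime
        Signature = $sig.Status
        Path      = $_.FullName
    }
} | Format-Table -AutoSize -Wrap
```

Compare the process paths and startup commands against the recent-file list: an entry that appears in more than one of the three outputs is the first thing to review.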

How to prevent WannaCry from infecting your computer

Windows rolled out patches for its operating systems, including Win XP. These patch the exploit used by hackers to spread the ransomware. Download and install the patch to prevent the spread of the malware over the Local Area Network (LAN). But then again, this is just one of the ways to prevent it from spreading.

WannaCry has also been transmitted from user to user through email. So, if you receive something suspicious, especially messages that urge you to download some files or run something, do not open it; delete it immediately instead.

You also have to update your antivirus and security suites, as the majority of the developers have updated their definitions and included WannaCry on the list. Don’t disable your firewall either, or, at least, deny any access that is unusual or looks suspicious.

If you’re transferring files from one computer to another using a flash drive, make sure to scan the drive first and don’t allow it to autorun.

How to protect your important files from possible WannaCry infection

If you’re using a Windows computer, it’s possible that your computer will be infected by WannaCry ransomware. So, if you have files that you can’t afford to lose, make a backup of them; you may save them to a flash drive or burn them to DVD.

I also suggest you copy them to a secured cloud server like Google Drive, Dropbox, etc. No one can access them except you, as you’re the only one who knows your username and password, and files saved in the cloud cannot be modified or infected by malware. Aside from that, the service provider also has some anti-malware programs that check your files.

I hope that this article can help you fix a problem with your computer.
