Recently, a new type of extortion virus appeared on the Internet andPCStart spread on the top。This virus will create multiple extortion prompt information files on the user desktop and disk root directory，Including:@wannaren@.exe, sky bet games online please see this picture for decryption.gif, please read this text.txt, please read this text.gif, team decryption.jpg. The encrypted file suffix name is modified to.wannaren, at the same time, the head of the encrypted file existsWANNARENKEYstring identity。This virus is mainly distributed through malware，The software involved in the investigation is mainly:KMSSystem activation tools,Acmecad、TeamView, Sky bet app download freezer library downloader,BTDownloader, etc.

Please do not download or open the unknown file，Back up important data in time。Download software Try to go to the software official website to download，Pay special attention to download some tools such as green installation packages and activists。

This virus uses symmetry and non -symmetry (RSA+RC4) hybrid algorithm is encrypted, but the current virus author(Wannarenemal@goat.si)Contact a domestic security team，and actively provide understanding the private key。Combined with the encryption algorithm，Domestic security manufacturers have developed two decryption tools。

1）WanNarendeCrypt.exe

Input the target path as a parameter，The output is the suffix name in the same directory.s.deCryptfile

Links1: https://pan.baidu.com/s/1zldvhnfc4nrparqqmf4g Extraction code: S42H

Links2：https://github.com/FuYingLAB-NSFOCUS/WanPublishedNarendeCrypt

2) Wannaren.py

ThroughpythonScript (IntroductionRSAandCryptoModule) can be successfully decrypted.

Link:https://cloud.nsfocus.com/api/krosa/secwarning/files/Decrypting script.zip