What is Wnmd Ransomware?

What is Ransomware?

Ransomware is a type of malware (malicious software) that encrypts a victim's files. The hacker gains unauthorized access to the victim's computer and encrypts the victim's data. The hacker then demands a ransom from the victim to restore access to the data upon payment.

How does Ransomware Spread?

Ransomware is usually spread through phishing emails or through websites that are infected with malware. The two most common methods for spreading ransomware are through drive-by downloads and social engineering. Drive-by downloading happens when a user visits a website that is infected with malware, and the malware is downloaded to the computer without the user's knowledge. Social engineering is when an attacker gains unauthorized access to a user's computer and uses it to attack other computers on the network. 

About Wnmd Ransomware

Wnmd Ransomware is a type of malware known as ransomware. Wnmd encrypts all the files on a computer and keeps them encrypted until the user pays a ransom. Wnmd is delivered as a Win32 EXE file and can be spread using any of the methods mentioned above. After encrypting your files, the malware drops a file named #INSTRUCTIONS DECRYPT.txt containing the ransom note. Files encrypted by Wnmd will have a .wnm extension at the end. Wnmd also has trojan capabilities that allow it to monitor the Windows clipboard and to harvest and steal browser information (history, passwords, etc).

Windows Wnmd Ransomware has also been spotted inside the following files and processes: WannaMadV3.exe, csrss.exe
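
A read-only triage check built from the indicators named above (the .wnm extension, the #INSTRUCTIONS DECRYPT.txt note and the WannaMadV3.exe file name), added here as an example and not taken from the original article. The function names and verdict labels are assumptions made for illustration.

```python
import os, sys, tempfile
from collections import Counter

# Indicators taken from the article text above.
RANSOM_NOTE = "#instructions decrypt.txt"
ENCRYPTED_EXT = ".wnm"
DROPPER_NAMES = {"wannamadv3.exe"}
# csrss.exe is also the name of a legitimate Windows system process, so a name
# match alone proves nothing; such files are only listed for manual review.
REVIEW_NAMES = {"csrss.exe"}

def triage(root):
    """Walk root read-only and collect Wnmd filesystem indicators."""
    report = {"notes": [], "droppers": [], "review": [], "encrypted": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()  # Windows file names are case-insensitive
            path = os.path.join(dirpath, name)
            if lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                report["encrypted"][dirpath] += 1
            elif lower in DROPPER_NAMES:
                report["droppers"].append(path)
            elif lower in REVIEW_NAMES:
                report["review"].append(path)
    return report

def verdict(report):
    """A ransom note together with .wnm files is the strongest signal."""
    hits = sum(report["encrypted"].values())
    if report["notes"] and hits:
        return "likely-encrypted"
    if report["notes"] or hits or report["droppers"]:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # no path given: scan a constructed sample tree instead
        root = tempfile.mkdtemp()
        for n in ("report.docx.wnm", "photo.jpg.wnm", "#INSTRUCTIONS DECRYPT.txt"):
            open(os.path.join(root, n), "w").close()
    r = triage(root)
    print(verdict(r))
    for d, n in r["encrypted"].most_common(10):
        print(f"{n:6d} {ENCRYPTED_EXT} files in {d}")
    for p in r["notes"] + r["droppers"] + r["review"]:
        print("indicator:", p)
```

Pass a directory such as a user profile as the first argument; the per-directory counts show where encryption reached, which helps decide what to restore from backup.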

Wnmd Ransomware Capabilities

  • Performs DNS lookups 
  • Contains capabilities to detect virtual machines 
  • Creates files inside the volume driver (system volume information) 
  • Creates a start menu entry (Start Menu\Programs\Startup)
  • Creates a process in suspended mode (likely to inject code) 
  • Reads the hosts file 
  • Queries a list of all running processes 
  • Creates COM task schedule object (often to register a task for autostart) 
  • Modifies user documents 
  • May encrypt documents and pictures
  • Queries the volume information (name, serial number etc) of a device
  • Writes ini files 
  • Creates guard pages, often used to prevent reverse engineering and debugging 
  • Stores files to the Windows startup directory 
  • Creates a window with clipboard capturing capabilities 
  • Overwrites Mozilla Firefox settings
  • Tries to harvest and steal browser information (history, passwords, etc)
  • Uses bcdedit to modify the Windows boot settings
  • Deletes the backup plan of 

How to Protect Against Ransomware?

There are a number of ways to remove ransomware, including using a security program, deleting the ransomware infection, and using an anti-malware program. You should also check online whether a decryptor key is available for your specific ransomware infection. Sometimes removal might not be possible, and the best option is to get in contact with cybersecurity professionals.

Removal aside, the best way to deal with ransomware is to prevent infection in the first place. First, make sure that your antivirus software, your computer's operating system and all your programs are up to date. You can also install firewalls on your device to filter all incoming and outgoing traffic, and be sure to back up your data regularly so that even if something happens to your computer, you still have all of your important information.

  • Use antivirus software
  • Back up all important files
  • Use a strong password for all accounts online
  • Use a strong key-pair for all devices
  • Use a secure Wi-Fi network when possible
  • Use a secure VPN when online 

Reactionary Times News Desk