- Home
- Detectable Ransomware
- WannaCry Fake
Ransomware Research
WannaCry Fake Ransomware
WannaCry Fake is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on September 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: WannaCryFake, WannaFaker, WannaCryGeneric.
Quick Facts
- Ransomware Family
- WannaCry Fake
- First Seen
- September 1, 2019
- Known Aliases
- WannaCryFakeWannaFakerWannaCryGeneric
How WannaCry Fake Ransomware Works
Targeted Files
Fake -> only renames Full variant of extension -> .[12E53B0B[rescueme55@protonmail.com].NORD https://app.any.run/tasks/b5df1808-ce0b-452e-904d-cfdeaf19f35c https://app.any.run/tasks/87784ae5-33de-4a8b-b922-fa2e43620514/
File Encryption Patterns
WannaCry Fake modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..WannaCry
..Snc
..BlackRoot
..ccc
..AWT
..WannaScream
..harma
..FOB
..ADHUBLLKA
..NORD
..Bang
..H@RM@
..Cns
Ransom Note and Payment Demands
After encrypting files, WannaCry Fake displays ransom notes demanding payment for file recovery:
Ransom message:
notes/W.jpg
Note locations:
Desktop
ReadMe.txt
Ransom message:
notes/ReadMe.txt
Note locations:
EveryFolder
README.txt
Ransom message:
notes/README.txt
Note locations:
Temp
WannaScream.hta
Ransom message:
notes/WannaScream.hta
Note locations:
StartUp
Temp
read_me.txt
Ransom message:
notes/read_me.txt
info.hta
Ransom message:
notes/info.hta
Note locations:
Desktop
info.txt
Ransom message:
notes/info.txt
Note locations:
RootDiscs
Technical Indicators
Associated Executable Files
The following executable files are associated with WannaCry Fake ransomware:
Windows Defender.exe
Runtime Broker.exe
runtime broker.exe
_2_.exe
Wanna Scream.exe
RUNTIME BROKER.EXE.HARMA
defender.exe
executable.exe
File encryption.exe
Recovery and Decryption Tools
Good news! Decryption tools are available for WannaCry Fake ransomware:
0
Elastio Can Help You
Don't let WannaCry Fake ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This WannaCry Fake ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like WannaCry Fake.
Last updated: July 30, 2025