Ransomware Research

WantMoney Ransomware

WantMoney is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on December 1, 2017, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Want Money.

Quick Facts

Ransomware Family
WantMoney
First Seen
December 1, 2017
Known Aliases
Want Money

How WantMoney Ransomware Works

Targeted Files

Changes filenames Biblio.mdb -> Biblio.JIQAV-YVAYT-ZQGXM-LBRUV.Encrypted[B32588601@163.com].WantMoney17

File Encryption Patterns

WantMoney modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

./\.WantMoney[0-9]{1,2}$/

Ransom Note and Payment Demands

After encrypting files, WantMoney displays ransom notes demanding payment for file recovery:

file_Want Money_.txt

Ransom message:

notes/_Want Money_.txt

Note locations:

DesktopRootDiscs
screenshot

Ransom message:

notes/_Want Money_.bmp

Note locations:

Desktop

Technical Indicators

Associated Executable Files

The following executable files are associated with WantMoney ransomware:

  • 8OH00QnGHT.exe
  • 619f2b5a609889b8_hcxn92m4j9.exe

Elastio Can Help You

Don't let WantMoney ransomware take over your data

Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.

About This Analysis

This WantMoney ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like WantMoney.

Last updated: July 30, 2025