Contents
WRUI ransomware is an officially confirmed 294th version of STOP/DJVU computer virus. It is designed to encrypt all files on the target computer with RSA algorithm, mark each file with additional .wrui extension to make them distinguishable, and drop _readme.txt files in every PC folder. To illustrate, file called 1.jpg becomes 1.jpg.wrui after the infection. The note contains a message from the ransomware’s developers who state that the only way to restore files back is to pay a hefty ransom ranging from $490 to $980 in Bitcoin. The attackers suggest writing them as soon as possible to be eligible for the lower price tag, leaving two email addresses – helpteam@mail.ch or helpmanager@airmail.cc.
The ransom note briefly explains that all files can be returned, even though they were encrypted with the “strongest algorithm and unique key.” According to the _readme.txt, WRUI ransomware developers offer a special price for victims who contact them within 72 hours from the infection timestamp – a 50% off the full ransom price. In this scenario, the criminals want $490 in cryptocurrency. If the victim delays contacting and paying the attackers, the price bounces back to $980. As mentioned previously, the crooks will ask to transfer the money in cryptocurrency as this helps to guarantee their privacy.
To encourage the victim to pay up, they suggest testing the decryption tool on one file for free. The “decryption testing” procedure starts with victim sending the criminals one small encrypted file. The attackers promise to respond with a healthy file version. However, the file must not contain any important information, as the attackers are afraid that restoring such file would repel the victim from paying the ransom at all.
Cybersecurity experts as well as FBI advise AGAINST ransom payments due to many ethical reasons, such as:
Upon installation, WRUI ransomware scans all system folders and encrypts files with target extensions with a robust encryption algorithm. This makes files inaccessible, however, that is not the only malevolent activity that this virus carries out on the compromised computer. In addition, it also executes Command Prompt tasks to delete Volume Shadow Copies (System Restore points) to prevent the victim from restoring encrypted files easily. Moreover, the ransomware adds a list of domains to Windows Hosts file, thus stopping computer’s access to them even when Internet connection is stable. It is noticeable that most of these domains are websites publishing mostly about computers or cybersecurity. Therefore, it is believed that the attackers try to stop the victim from reaching virus-related help online and feel cornered to pay the ransom to get things back to normal again.
Another damaging activity completed by this ransomware is installation of password-stealing Trojan Azorult. The list of this’ virus capabilities is extensive. It can be used as a Remote Access Trojan to view, delete, drop or download files (both in and out of the computer) and steal the following kinds of information:
Needless to say, such malicious software should be deleted from your computer as soon as possible. To remove WRUI ransomware virus as well as other threats, we suggest using powerful malware removal software. Additionally, we recommend downloading and scanning with RESTORO that is capable of repairing virus damage on Windows OS files.
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove detected issues manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Name | WRUI Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Previous versions | VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here) |
Version | 294th |
Extension | .wrui |
Damage | This ransomware takes all victim’s files hostage by RSA-encrypting them. On top of that, the virus appends encrypted files with specific extension, then deletes system restore points (VSS) to prevent free data recovery. Lastly, the ransomware modifies Windows HOSTS file to block access to a set of websites. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | This ransomware can be found in various torrent downloads, mostly software cracks, keygens or KMSPico. |
Detection names | Trojan:Win32/Glupteba (Microsoft), Glupteba.Backdoor.Bruteforce.DDS (Malwarebytes), TR/AD.InstaBot.bfsbw (Avira), HEUR:Exploit.Win32.Shellcode.gen (Kaspersky), Trojan.GenericKD.36669904 (B)(Emsisoft), W32.Trojan.Gen (Webroot) see all detection name variations on VirusTotal |
Removal | Remove the ransomware with the help of trustworthy anti-malware program, then consider scanning with RESTORO to repair virus damage on Windows OS files. |
WRUI ransomware distribution mainly relies on malicious torrent downloads, such as software cracks, keygens, movies and any copyright-protected and paid content offered as free. The criminals try to lure potential victims by uploading infected downloads to various file sharing websites. Victims who come looking to get specific software or content for free get lured into downloading these malware samples and often ignore antivirus’ warnings about potential dangers, thinking these might be false alarms. Unfortunately, upon opening such download, malicious payload gets downloaded and executed on the computer instantly.
Cybersecurity experts do not get tired repeating the same advice over and over: you should download software from legitimate, confirmed or official sources only. All other web locations offering free versions of paid software or content are likely to distribute damaging additions alongside them. In addition, we’d like to add our two cents and say that software licenses mostly cost less than hefty ransoms demanded by cybercriminals.
Another common ransomware distribution vector is infectious email attachments. The attackers compose convincing email subjects and messages and attach malware-injected attachments to distribute. A common practice is to imitate official-sounding message tone and to invite the victim to view attached document (invoice/information about missing or pending payment/etc.). In addition, crooks like to pretend they’re representatives of well-known companies such as eBay, Amazon or lately – parcel delivery companies such as DHL or DPD. Our recommendation is to stay away from emails you did not expect and do not let your curiosity trick you into opening a malicious file without realising it.
Ransomware operators sometimes try to trick the victims of ransomware into downloading additional malware. For example, crooks behind ZORAB ransomware used to promote fake STOP/DJVU decryptor that installed a variant of Zorab virus, causing a double file encryption for the victim.
Finally, beware that cybercriminals might be distributing fake software update ads that deliver additional spyware/malware alongside the primary installer. Most of the time, these deceptive ads can be found on shady websites or sites with questionable security reputation, such as adult-only, online gambling or file sharing sites. The fake ads typically suggest Adobe Flash Player or Java updates. These modified installers are created by malevolent people and not legitimate software vendors.
The easiest way to remove WRUI ransomware virus is to boot your computer in Safe Mode with Networking and run a robust malware removal program. The procedure is explained in the guide provided below. In addition, we strongly suggest repairing virus damage on Windows OS with well-reviewed RESTORO software. It can identify damaged or malformed Windows system files and repair them.
Once WRUI virus removal is completed, we suggest checking your backups to see if you can recover some files from them. Next, you should run the decryption/repair tools recommended below to see if there can be more files restored. Finally, we suggest reporting Internet crime incident to a responsible institution in your country (see references below) and changing your passwords due to Azorult’s activity.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
WRUI ransomware virus Removal Guidelines
Before you try to remove WRUI ransomware virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove WRUI ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU ransomware versions are grouped into old and new variants. WRUI ransomware virus is considered the new STOP/DJVU variant, just like VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt WRUI files, follow the given tutorial.
The WRUI decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your WRUI extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Victims of WRUI ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
You can only open WRUI files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official WRUI decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake WRUI decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
This website uses cookies.