If your documents, photos and music do not open normally, and their names have been replaced or have .wlu added at the end, then your computer is infected with a new virus from a family of file-encrypting ransomware. Once started, it encrypts all files stored on the PC's drives and attached network drives.
It uses a strong encryption algorithm with a 2048-bit key. When the ransomware encrypts a file, it adds the .wlu extension to it. Once the virus has finished encrypting all personal files, it creates a file called “README_TO_DECRYPTl.txt” with guidance on how to decrypt all documents, photos and music.
Table of contents
- What is WLU ransomware virus
- How to decrypt wlu files
- How to remove WLU ransomware virus
- Restoring files encrypted with WLU virus
- How to prevent your personal computer from becoming infected by WLU ransomware infection?
- How does your system get infected with WLU ransomware infection
- Finish words
The WLU ransomware offers a key to decrypt the files in exchange for a payment in Bitcoins. It is important to know that it is currently not possible to decrypt the .wlu files encrypted by the virus without the private key and the decryption program. If you choose to pay the ransom, there is no 100% guarantee that you can recover all personal files! If you do not want to pay for a decryption key, you still have a chance to recover encrypted .wlu files.
Use the step-by-step guide below to get rid of the virus itself and try to recover encrypted photos, documents and music.
What is WLU virus
WLU ransomware is a variant of crypto virus (malware that encrypts personal files and demands a ransom). It affects all current versions of MS Windows operating systems, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This ransomware uses a hybrid AES + RSA encryption mode to eliminate the possibility of brute forcing the key that would allow the encrypted personal files to be decrypted.
When the ransomware infects a PC, it uses system directories to store its own files. To run automatically whenever you turn on your machine, the WLU ransomware creates registry entries in Windows under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
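To review what is registered under those two keys, the following PowerShell lists every entry and marks commands that start from user-writable folders. It is an added example, not part of the original guide; the folder list is an assumed triage heuristic, not a signature for WLU.

```powershell
# Added example: audit the per-user autostart keys named in the article.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: programs that autostart from these user-writable folders deserve
# a closer look. This is a triage heuristic, not a signature for WLU.
$writableDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData) |
    Where-Object { $_ }
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$entries = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # RunOnce is often absent
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        # Read the stored string, then expand %VAR% references the way Windows would.
        $raw = [string]$regKey.GetValue($name, '', $noExpand)
        $command = [Environment]::ExpandEnvironmentVariables($raw)
        $fromWritable = $false
        foreach ($dir in $writableDirs) {
            if ($command.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $fromWritable = $true
            }
        }
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Command      = $command
            UserWritable = $fromWritable
        }
    }
}

# Entries launching from user-writable folders are listed first.
$entries | Sort-Object UserWritable -Descending | Format-List
```

Many legitimate programs also autostart from AppData, so a flagged entry is a lead to check against the scanner results, not proof of infection.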
Immediately after launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension to define the group of files that will be encrypted. It encrypts almost all types of files, including common ones such as:
.das, .webdoc, .snx, .menu, .py, .rw2, .ibank, .wps, .wpl, .wb2, .wire, .dwg, .jpg, .mef, .xmmap, .x3d, .itdb, .asset, .mdb, .wbc, .wpd, .wmv, .iwi, .xls, .wp4, .dcr, .arw, .itm, .wsh, .rim, .pptm, .sie, .wbm, .bay, .m3u, .pptx, .xy3, .wsc, .dba, .raf, .avi, .xyw, .ysp, .sidn, .docm, .bc6, .ztmp, .tor, .tax, .ybk, .xlgc, .gdb, .xls, .wdb, .pkpass, .jpeg, .pef, .vtf, .cr2, .pak, .cdr, .bar, wallet, .vfs0, .y, .wmo, .zabw, .hplg, .wpw, .wdp, .wbd, .xlsm, .forge, .2bp, .rar, .mddata, .pdf, .cas, .icxs, .7z, .p7b, .r3d, .wps, .xdb, .mp4, .wbk, .nrw, .svg, .wpa, .erf, .xar, .pem, .wbz, .der, .rofl, .xdl, .ltx, .lvl, .cer, .wp6, .ods, .eps, .wp, .css, .jpe, .sis, .js, .slm, .zi, .psk, .p7c, .wsd, .mrwref, .dng, .lbf, .re4, .bkf, .rwl, .lrf, .d3dbsp, .xx, .zdb, .ncf, .kdb, .hkx, .psd, .wpe, .csv, .odt, .xpm, .rgss3a, .crt, .sql, .sidd, .xmind, .mdf, .3fr, .p12, .db0, .xbdoc, .xbplate, .1st, .m4a, .mpqge, .bik, .wpd, .wpg, .ws, .ptx, .bsa, .srw, .odc, .m2, .syncdb, .wri, .layout, .rtf, .fsh, .x, .odp, .wma, .vpk, .zw, .txt, .zdc, .gho, .xxx, .wot, .wmf, .sr2, .zip, .flv, .mov, .wp7, .wmv, .zip, .litemod, .wpt, .wm, .xyp, .fos, .esm, .xlsb, .qdf, .xll, .desc, .map, .vcf, .wbmp, .wma, .webp, .3ds, .xld, .ai, .hkdb, .iwd, .itl, .kf, .mdbackup, .1, .big, .yml, .kdc, .sav, .wav, .accdb, .apk, .xf, .wgz, .indd, .yal, .bc7, .bkp, .png, .dxg, .wotreplay, .rb
Once a file is encrypted, its extension is changed to .wlu. Next, the virus creates a file called “README_TO_DECRYPTl.txt”. This file contains a guide on how to decrypt all encrypted photos, documents and music. An example of these instructions is:
Your files are encrypted!
To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet.
1. You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en
2. After installation, run the Tor Browser and enter address: xxx
Follow the instruction on the website.
Your decrypt ID:xxx
The WLU ransomware actively uses scare tactics, giving the victim a brief description of the encryption algorithm and showing a threatening message on the desktop. It tries to push the user of the infected computer into paying the ransom without hesitation in an attempt to recover their documents, photos and music.
How to decrypt wlu files
Currently there is no available solution to decrypt wlu files. The ransomware repeatedly tells the victim that it uses a strong encryption algorithm with a 2048-bit key. This means that decrypting the files is impossible without the private key. Brute forcing is also not a solution because of the length of the key. Therefore, unfortunately, paying the developers of the WLU ransomware the entire amount requested is the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that, after you pay a ransom to the authors of the WLU ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new ransomware.
How to remove WLU ransomware virus
The following instructions will help you get rid of the WLU ransomware and other malicious software. Before you begin, you need to know that by deleting the ransomware you may lose the ability to decrypt personal files by paying its developers the requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware and easily delete them from your machine, but they cannot recover encrypted photos, documents and music.
Scan and free your computer of WLU with Zemana Anti-malware
We suggest using Zemana Anti-malware, which can completely clean your personal computer of the ransomware. The tool is an advanced malware removal application made by (c) Zemana lab. It can help you delete PUPs, viruses, adware, malware, toolbars, ransomware and other security threats from your machine for free.
- Please download Zemana antimalware from the link below. Save it on your Windows desktop or in any other place.
- At the download page, click on the Download button. Your web-browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- Once the downloading process is finished, please close all programs and open windows on your computer. Next, start a file named Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana anti malware onto your PC. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the antimalware will start and display the main window.
- Next, press the “Scan” button. This will begin scanning the whole PC to find the WLU ransomware and other malware. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. When a threat is detected, the number of security threats will change accordingly.
- When it has finished scanning your computer, it’ll open a screen which contains a list of malware that has been detected.
- When you’re ready, press the “Next” button to start cleaning your PC system. Once the procedure is done, you may be prompted to restart the PC system.
- Close the Zemana Anti-Malware and continue with the next step.
Use Malwarebytes to remove WLU virus
We advise using Malwarebytes Free. You can download and install Malwarebytes to scan for and get rid of WLU on your computer. When installed and updated, the free malware remover will automatically scan and detect all threats present on the system.
- Please download Malwarebytes from the following link. Save it on your Microsoft Windows desktop or in any other place.
- At the download page, click on the Download button. Your web browser will display the “Save as” prompt. Please save it onto your Windows desktop.
- Once the downloading process is done, please close all software and open windows on your computer. Double-click on the icon that’s named mb3-setup.
- This will launch the “Setup wizard” of Malwarebytes onto your PC. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the Malwarebytes will start and display the main window.
- Next, click the “Scan Now” button. This will start scanning the whole personal computer to find the WLU ransomware and other malicious software. During the scan it will detect all threats that exist on your PC.
- When this utility has finished scanning, it will open the list of all detected items on your PC system.
- Review the scan results and then click the “Quarantine Selected” button to start cleaning your computer. Once the task is complete, you may be prompted to reboot the system.
- Close the Anti-Malware and continue with the next step.
Remove WLU virus from computer with KVRT
If MalwareBytes anti-malware or Zemana anti-malware cannot delete this ransomware, then we advise running KVRT. KVRT is a free removal tool for ransomware, ad-supported software, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) from the link below. Save it on your Desktop.
Once the downloading process is finished, double-click on the KVRT icon. Once the initialization process is finished, you’ll see the KVRT screen as displayed below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next, click the Start scan button to begin checking your machine for the WLU ransomware. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your machine. While the tool is scanning, you can see how many objects and files have already been scanned.
When it has finished scanning your personal computer, it’ll show a screen that contains a list of malware that has been detected as shown on the screen below.
When you’re ready, click on Continue to start a cleaning task.
Restoring files encrypted by WLU ransomware infection
In some cases, you can restore files encrypted by the WLU ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Run ShadowExplorer to restore wlu files
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Download ShadowExplorer from the following link. Save it on your Microsoft Windows desktop or in any other place.
When the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, please open the ShadowExplorerPortable folder as displayed in the following example.
Double-click ShadowExplorerPortable to start it. You will see a window as shown in the following example.
In the top left corner, choose the drive where encrypted documents, photos and music are stored and the latest restore point as displayed below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click it and select Export as displayed in the following example.
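Before opening ShadowExplorer, it helps to know whether any shadow copy is older than the encrypted files. The PowerShell below is an added example, not part of the original guide; the function name Get-WluRecoveryScope is hypothetical, and it assumes an elevated prompt, PowerShell 3.0 or later, and that the oldest last-write time among the .wlu files approximates when encryption began.

```powershell
# Added example; run from an elevated PowerShell 3.0+ prompt (Win32_ShadowCopy needs admin).
function Get-WluRecoveryScope {
    param([string]$Root = $env:USERPROFILE)   # Assumption: folder to inspect

    # Names from the article: the .wlu extension and the ransom note file name.
    $hits = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.wlu' -or $_.Name -eq 'README_TO_DECRYPTl.txt' }
    if (-not $hits) {
        Write-Output "No .wlu files or ransom notes found under $Root"
        return
    }

    # Assumption: the oldest last-write time among the hits approximates the start of encryption.
    $firstHit = ($hits | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    Write-Output ("{0} affected files; earliest timestamp {1}" -f @($hits).Count, $firstHit)

    # Folders holding the most affected files show where to start looking in a restore point.
    $hits | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize

    # List shadow copies and mark those created before the first affected file.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) {
        Write-Output 'No shadow copies were found on this machine.'
        return
    }
    $shadows | Sort-Object InstallDate |
        Select-Object InstallDate, VolumeName, ID,
            @{ Name = 'PredatesEncryption'; Expression = { $_.InstallDate -lt $firstHit } } |
        Format-Table -AutoSize
}

Get-WluRecoveryScope
```

Restore points marked PredatesEncryption are the ones worth selecting in ShadowExplorer's restore point list.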
Use PhotoRec to recover wlu files
Download PhotoRec from the following link. Save it on your MS Windows desktop or in any other place.
Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, please open the testdisk-7.0 folder as displayed below.
Double-click qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as in the image below.
Select a drive to recover as shown in the following example.
You will see a list of available partitions. Choose a partition that holds encrypted files as displayed below.
Click the File Formats button and choose the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, press the OK button.
Next, click the Browse button to select where restored photos, documents and music should be written, then click Search.
The count of restored files is updated in real time. All restored documents, photos and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the restore is done, click the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents as shown in the image below.
All restored documents, photos and music are written to recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your recovered files by extension and/or date/time.
How to prevent your system from becoming infected by WLU ransomware?
Most antivirus software already has a built-in protection system against the virus. Therefore, if your PC system does not have an antivirus program, make sure you install one. As extra protection, run CryptoPrevent.
Run CryptoPrevent to protect your personal computer from WLU virus
Download CryptoPrevent from the following link. Save it on your Windows desktop.
Run it and follow the setup wizard. Once the installation is finished, you’ll be shown a window where you can choose a level of protection, like below.
Now click the Apply button to activate the protection.
How does your machine get infected with WLU ransomware infection
The WLU ransomware is distributed through spam emails. Below is an example of an email carrying a virus like the WLU ransomware.
Once the attachment has been opened, the virus starts automatically without you even noticing. The WLU ransomware will begin the encryption process. When this task is complete, it will show the usual ransom instructions, like those above, in README_TO_DECRYPTl.txt.
Once you have followed the guidance above, your computer should be clean of the WLU ransomware and other malware. Your PC system will no longer encrypt your files. Unfortunately, if the guidance does not help you, then you have caught a new variant of the ransomware, and the best way forward is to ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
- Double-click on the HijackThis icon. Next press “Do a system scan only” button.
- When it has finished scanning your computer, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the WLU ransomware.