WExtension Ransomware is Dangerous, but Decryptable
The WExtension Ransomware appears to be a dangerous piece of malware capable of encrypting the files on infected devices. Such attacks are incredibly dangerous, because their victims rarely have a data recovery option unless they have access to an up-to-date backup. Thankfully, we have some good news regarding the origin of the WExtension Ransomware – it might be a part of the HiddenTear Ransomware family.
Originally, HiddenTear was released as an educational, open-source project to make developers familiar with the inner workings of ransomware. However, cybercriminals jumped on this opportunity and altered the code to turn HiddenTear into a devastating file-locker. Thankfully, the original creator had implemented a faulty file-locking mechanism on purpose – this means that any project based on HiddenTear is decryptable. WExtension Ransomware is not an exception.
When the WExtension Ransomware takes over a system, it appends the '.WExtension' suffix to the files it encrypts. Furthermore, it creates the 'read_it.txt' document on the victim's desktop. Last but not least, the malware makes sure to delete Shadow Volume Copies – a typical trick that ransomware creators use.
The ransom message advises victims to pay a $1,500 fee via Bitcoin in order to acquire a decryptor. It does not mention any contact details, so it would be impossible to contact the criminals even if you pay – they are obviously planning to scam users out of their money. Never agree to pay ransomware criminals. In the case of the WExtension Ransomware, you should use the free HiddenTear decryptor to try and restore your files. Then, make sure to remove the threat with the use of an up-to-date antivirus tool.
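
Before running a decryptor, it helps to know exactly which files were locked. The script below is an added example, not part of the original article: a read-only inventory of the two file indicators named above (the '.WExtension' suffix and 'read_it.txt'). The function names, report fields and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".wextension"  # '.WExtension' from the article, lowered for matching
RANSOM_NOTE = "read_it.txt"       # ransom note name from the article


def triage(root):
    """Inventory WExtension artefacts under root without modifying anything."""
    report = {"encrypted": [], "notes": [], "plaintext_present": [], "bytes": 0}
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for name in files:
            path = Path(dirpath) / name
            low = name.lower()  # Windows file names are case-insensitive
            if low == RANSOM_NOTE:
                report["notes"].append(path)
            elif low.endswith(ENCRYPTED_SUFFIX) and len(low) > len(ENCRYPTED_SUFFIX):
                report["encrypted"].append(path)
                try:
                    report["bytes"] += path.stat().st_size
                except OSError:
                    pass  # unreadable entry: still listed, size unknown
                # Original name also present: check it before a decryptor writes there.
                if low[: -len(ENCRYPTED_SUFFIX)] in lowered:
                    report["plaintext_present"].append(path)
    return report


def build_sample(root):
    """Constructed sample tree (harmless placeholder files, not real samples)."""
    root = Path(root)
    (root / "Desktop").mkdir()
    (root / "Documents" / "tax").mkdir(parents=True)
    (root / "Desktop" / "read_it.txt").write_text("constructed note placeholder")
    (root / "Documents" / "report.docx.WExtension").write_bytes(b"\x00" * 32)
    (root / "Documents" / "tax" / "2023.xlsx.WExtension").write_bytes(b"\x00" * 16)
    (root / "Documents" / "tax" / "2023.xlsx").write_bytes(b"restored copy")
    (root / "Documents" / "notes.txt").write_text("untouched")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        r = triage(tmp)
        print(len(r["encrypted"]), "locked,", r["bytes"], "bytes,", len(r["notes"]), "note(s)")
        for p in r["plaintext_present"]:
            print("original also present beside:", p)
```

Run it against a copy or a mounted image of the affected disk and keep the resulting list so the decryptor's output can be checked against it.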