Ransom_wcry.sm2 Ransomware Removal (+File Recovery)

This page aims to help you remove Ransom_wcry.sm2 for free. Our instructions also cover how any Ransom_wcry.sm2 file can be recovered.

A new Ransomware threat is on the loose and your files are its target! The new Ransomware is called Ransom_wcry.sm2 and is targeting various files in order to encrypt them. If you have had the misfortune of facing this infection, there are a few things that you should know about it before you decide on your actions. We strongly recommend you read the article that follows and take a look at the instructions in the removal guide, published below. The information provided will give you some alternatives, which may potentially help you combat the malicious consequences of the encryption and avoid the ransom payment.

Ransom_wcry.sm2 is on the loose – what should you know about it?

Ransom_wcry.sm2 uses a very complex encryption technique in order to block the victims from accessing their most used data. According to the latest reports, this malware has already managed to cause significant damage to hundreds of computers and their users. The hackers, who stand behind the infection, present their ransom demands in a ransom message the moment the malicious encryption is complete. The ransom message usually states that the victims’ files have been “secured” and their extension has been changed due to a security breach of the system or some other type of “security issue”, which is a common scam. In fact, the note asks you to contact the criminals in order to purchase a decryption key for the liberation of your files. This is a direct form of online blackmail. To gain user’s confidence, however, the creators may offer to decrypt one or two files for free. The fraudsters may not indicate the amount of the ransom but may force the victims to contact them as soon as possible to save money. The ransom is usually requested to be paid with Bitcoins or some other type of untraceable cryptocurrency.

Expanding the distribution network

Note that the success of the Ransomware is strongly dependent on its ability to spread in different ways. It probably targets users by sending them spam emails. Although this method is less effective than operating tools or malicious scripts, hackers generally prefer it. The problem is that users are still falling for the same old tricks – they open attachments that congratulate consumers for a supposed prize winning or a letter informing them of an undelivered item. So if you’re not rational and careful, no antivirus program will save you from the Ransom_wcry.sm2 infection or the intrusion of other malware. Additionally, note that some hackers still use other old tactics: visiting an infected site may notice a false message reminding you to update Java or Adobe Flash Player, for instance. One wrong click is all it takes to catch the threat, so be attentive and don’t interact with content you don’t trust.

Ransom_wcry.sm2 Ransomware Removal



Some of the steps will likely require you to exit the page. Bookmark it for later reference.

Reboot in Safe Mode (use this guide if you don’t know how to do it).



Press CTRL + SHIFT + ESC at the same time and go to the Processes Tab. Try to determine which processes are dangerous. 


Right click on each of them and select Open File Location. Then scan the files with our free online virus scanner:

Drag and Drop Files Here to Scan
Maximum file size: 128MB.

This scanner is free and will always remain free for our website's users. You can find its full-page version at: https://howtoremove.guide/online-virus-scanner/

Scan Results

Virus Scanner Result

After you open their folder, end the processes that are infected, then delete their folders. 

After you open their folder, end the processes that are infected, then delete their folders. 

Note: If you are sure something is part of the infection – delete it, even if the scanner doesn’t flag it. No anti-virus program can detect all infections.


Hold the Start Key and R –  copy + paste the following and click OK:

notepad %windir%/system32/Drivers/etc/hosts

A new file will open. If you are hacked, there will be a bunch of other IPs connected to you at the bottom. Look at the image below:

hosts_opt (1)

If there are suspicious IPs below “Localhost” – write to us in the comments.

Type msconfig in the search field and hit enter. A window will pop-up:


Go in Startup —> Uncheck entries that have “Unknown” as Manufacturer.

  • Please note that ransomware may even include a fake Manufacturer name to its process. Make sure you check out every process here is legitimate.


To remove parasite, you may have to meddle with system files and registries. Making a mistake and deleting the wrong thing may damage your system.
Avoid this by using SpyHunter - a professional Parasite removal tool.

Keep in mind, SpyHunter’s malware & virus scanner is free. To remove the infection, you'll need to purchase its full version. More information about SpyHunter and steps to uninstall.

Type Regedit in the windows search field and press EnterOnce inside, press CTRL and F together and type the virus’s Name. 

Search for the ransomware  in your registries and delete the entries. Be extremely careful –  you can damage your system if you delete entries not related to the ransomware.

Type each of the following in the Windows Search Field:

  1. %AppData%
  2. %LocalAppData%
  3. %ProgramData%
  4. %WinDir%
  5. %Temp%

Delete everything in Temp. The rest just check out for anything recently added. Remember to leave us a comment if you run into any trouble!


How to Decrypt Ransom_wcry.sm2 files

We have a comprehensive (and daily updated) guide on how to decrypt your files. Check it out here.

If the guide doesn’t help, download the anti-virus program we recommended or try our free online virus scanner. Also, you can always ask us in the comments for help!

How to deal with the infection?

To deal with Ransom_wcry.sm2 you basically have two options. One is to contact the hackers and fulfill their demands with the hope that they will be in a mood to send you the decryption key for your files. The other option is to remove the Ransomware from your system and seek for alternatives to save your data. Both options cannot promise you a complete recovery and they hide their risks, but still, giving a try to the alternatives is preferable to entering into negotiation with some anonymous cyber criminals that can easily trick you and vanish with your money.

So, if you don’t want to pay the ransom, (which you obviously don’t want to, since you are on this page) we would encourage you to use the instructions in the removal guide and remove Ransom_wcry.sm2 from your system. This is the first and most important step towards the recovery from the Ransomware attack. Such malicious software should not be underestimated as it may have some hidden functionality, which may still be operating on your PC. The fact that it has managed to penetrate the device and encrypt the files itself should keep you alert, that’s why keeping it on your system is not a good idea.

The recovery of the encrypted files is the next challenge. Once you have eliminated Ransom_wcry.sm2 and all of its traces, you can safely proceed with your file-restoration attempts. There are not many options for that but if you have backups, they are your savers and now is the time to use them. Don’t forget to check your cloud storage, external drives and other devices for copies of your files. Alternatively, you can also give the file-restoration instructions that we have included in the guide below a try. If nothing works, then you really may need the decryption key, but we would strongly discourage you from sponsoring the Ransomware creators with your money and would rather advise you to contact a security professional for assistance.


Name Ransom_wcry.sm2
Type Ransomware
Danger Level High (Ransomware is by far the worst threat you can encounter)
Symptoms Very few and unnoticeable ones before the ransom notification comes up.
Distribution Method From fake ads and fake system requests to spam emails and contagious web pages.
Data Recovery Tool Currently Unavailable
Detection Tool

Keep in mind, SpyHunter’s malware detection tool is free. To remove the infection, you’ll need to purchase the full version. More information about SpyHunter and steps to uninstall.


    • We advise you to visit our How to Decrypt Ransomware article, where you can find detailed information on how to determine the name of the virus.


Leave a Comment