Types header

Name  Wallet Ransomware
Type Crytpo-Ransomware 
Short Description This ransomware belongs to the Crysis family. Once encrypted the extension of the encrypted files changes into .wallet extension.This was first noticed during the mid of November 2016. The ransom depends for decrypting this ransomware depends on the number of devices infected/compromised (if a whole organization is infected by this ransomware then the ransom amount surpasses a whooping amount of 7bitcoin which is around 5kUSD, the average amount differs between 1-2 BTC.
Distribution Method Phishing mails, Via exploit kit, Dll file attack, or drive by download.

wallet1 wallet2

More Details

The decryptor for this ransomware is now available. This belongs to the crisis family; this family has a history for releasing the master key for decryption when they switch to their next extension the master key was released for this ransomware in a very short time compared to other malware family types. There are various modes of propagation for this ransomware. Once this enter’s into the victim’s device is starts to scan for the targeted extensions and once this process is done it encrypts the files which makes the files either inaccessible or unusable. The researchers say that this ransomware uses AES and RSA encryption technique for encrypting the victim’s data. Once encrypted this ransomware changes the extension of the encrypted file into either. Dhramaor .wallet. Some of the researches claims that once the wallet ransomware compromises the victim’s device there are chances that it makes the victim’s device more vulnerable like making it vulnerable to remote attacks, identity theft. The working process of wallet is as followed:
Once it successfully enters the victim’s device this starts performing various activities such as scanning targeted files and other tasks. Basically, it starts to create several objects in the register editor of windows. This helps this ransomware infection run automatically in the victim’s device. This variant takes the similar approach to the Crysis XTBL virus when coming to the structure for the encryption. Some of the targeted folders for the first phase are %appdata%, %temp%, %Common%, %{User’s profile}%, %system32%. Once these are done it scans and encrypts the files. This ransomware also deletes the shadow copy files in windows which leaves the victim no other option either to pay the demanded ransom or the format the device. Some of the targeted extensions are as given


After encrypting the files this ransomware changes the desktop wallpaper of the victim notifying that the victim’s device in infected with this ransomware. This also drops some .txt format files such as Readme.txt which explains process for the victim how to pay the ransom. The decryptor for this ransomware is now available. Go to the decryptor section in this website for more details.

For decryptors link refer: http://vinransomware.com/detection-and-decryption-tools