
.wallet file ransomware virus


hungtt


  • Administrators

Files with the .wallet extension are legitimate files encrypted by Filecoder.Crysis and therefore are not subject to detection. Decryption will not be possible.

You can pm me the output from ESET Log Collector according to the instructions in my signature for a review.


  • Administrators

Files were encrypted by Filecoder.Crysis. Unfortunately, decryption is not possible. Both logs show a problem with LiveGrid, therefore I'd recommend testing LiveGrid's functionality by downloading the CloudCar test file which should be detected as Suspicious object.

Also payment instructions were not enclosed. If possible, please re-send.


Hi Marcos!

As far as I know, when installing ESET, LiveGrid is enabled during the setup process.

Can you check the root cause in the client's log? My system has 130 clients, and just these 2 clients have been infected with this ransomware.


  • Administrators

Let's start with temporarily changing logging verbosity to Diagnostic (Tools -> Log files -> Minimum logging verbosity). Then re-download CloudCar. When done, send me "C:\ProgramData\ESET\ESET File Security\Logs\warnlog.dat" and change the logging verbosity back to Informative.


15 hours ago, Marcos said:

Files were encrypted by Filecoder.Crysis. Unfortunately, decryption is not possible. Both logs show a problem with LiveGrid, therefore I'd recommend testing LiveGrid's functionality by downloading the CloudCar test file which should be detected as Suspicious object.

Also payment instructions were not enclosed. If possible, please re-send.

I just observed some interesting behavior in regard to the CloudCar test using IE11.

The download attempt is detected by ESET. However, I additionally get a SmartScreen popup that occurs for any download.

1. If I exit the web page at this point, there is no trace of the CloudCar test file in the Downloads folder.

2. If I click on Save in the SmartScreen popup, SmartScreen detects the download and blocks it as malicious. Examination of the Downloads folder shows a null CloudCar file created, as shown in the screenshot below.

This implies to me that the CloudCar file is still in the browser buffer and the download is not fully blocked by ESET. Something to check out.

[Screenshot: Cloudcar.png]

Edited by itman
