.Wallet Ransomware


Faraz
Hi,

I have been using NOD32 antivirus with updated virus signatures, but our systems were still affected.

All the files are showing .wallet extensions. I have tried ESET's decryptor, but it doesn't help, as it is showing the error below in the logs.

[2017.12.24 14:56:11.953] - INFO: Cleaning file [E:\EAP\Guest_home_page.jpg.[6etc0in@cock.li]-id-2ABC.wallet]
[2017.12.24 14:56:11.953] - INFO: Can't get header for file.
[2017.12.24 14:56:11.953] - INFO: Can't get info from file.
[2017.12.24 14:56:11.953] - ERROR: Not cleaned.

Can anyone help me with this?

Guest_home_page.jpg.[6etc0in@cock.li]-id-2ABC.rar


  • Administrators

It was likely an older Filecoder.Crysis that encrypted the files. That said, you probably either don't have ESET configured properly (e.g. some users inadvertently exclude typical malware locations from scanning), or an attacker managed to guess or bruteforce a U/P, remoted in, disabled ESET and then ran the ransomware.

This decoder should work for ".wallet" files: https://support.eset.com/kb6274/


Hi Marcos,

Already tried this. It is unable to recover. You can see the attachment giving the error.

 

16 hours ago, Marcos said:

It was likely an older Filecoder.Crysis that encrypted the files. That said, you probably either don't have ESET configured properly (e.g. some users inadvertently exclude typical malware locations from scanning), or an attacker managed to guess or bruteforce a U/P, remoted in, disabled ESET and then ran the ransomware.

This decoder should work for ".wallet" files: https://support.eset.com/kb6274/

 

Untitled.png


  • Administrators

If you have a paid version of ESET, email several encrypted Office documents along with the log from the decoder and logs from ESET Log Collector to samples[at]eset.com.


  • 2 weeks later...
Quote

[2017.12.24 14:56:11.953] - INFO: Cleaning file [E:\EAP\Guest_home_page.jpg.[6etc0in@cock.li]-id-2ABC.wallet]

@Marcos

This is most likely BTCWare.

https://id-ransomware.malwarehunterteam.com/identify.php?case=2877613b7a7ce3420fe5a415bc24e7d190472452

 

Quote

 

This ransomware has no known way of decrypting data at this time.
It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • sample_extension: .[<email>]-id-<id>.wallet

The .WALLET extension has been used by several ransomwares to include CryptoMix Wallet Ransomware, Dharma (CrySiS) Ransomware, BTCWare.wallet and Sanctions Ransomware which does not contain the standard Dharma/Crysis file markers.

  • .[<email>].ID.<16 random hexadecimal character ID>.WALLET (i.e. ,[ADMIN@HOIST.DESI].ID[DF1866CB3A6F9701].WALLET) = CryptoMix
  • .id-<8 random hexadecimal characters>.[<email>].wallet (i.e. .id-480EB957.[legionfromheaven@india.com].wallet) = Dharma (CrySiS)
  • .[<email>]-id-<4 random hexadecimal characters>.wallet (i.e. .[amagnus@india.com]-id-37DC.wallet) = BTCWare AES-256
  • .filename.[extension].wallet = Sanctions

https://www.bleepingcomputer.com/forums/t/601084/unblockedemailsututaio-ransomware-support-topic-how-to-decrypt-filestxt/page-10#entry4418219

Edited by safety
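
The naming patterns listed in the post above can be applied to a decryptor log to see which family each ".wallet" file name points to before choosing a decryptor. This is an added example, not part of the original thread or of any ESET tool; the function names are hypothetical, three of the four sample log lines are constructed, and a name match is only a hint, not proof of the family.

```python
import re
from collections import Counter

HEX = "[0-9A-F]"
EMAIL = r"\[[^\]]+\]"  # bracketed contact address, e.g. [user@host]

# Patterns transcribed from the list in the post above (checked in order).
# CryptoMix accepts both ".ID.<id>" (the stated pattern) and ".ID[<id>]"
# (the form in the post's example), since the two differ.
FAMILIES = [
    ("CryptoMix", re.compile(rf"\.{EMAIL}\.ID[.\[]?{HEX}{{16}}\]?\.wallet$", re.I)),
    ("Dharma (CrySiS)", re.compile(rf"\.id-{HEX}{{8}}\.{EMAIL}\.wallet$", re.I)),
    ("BTCWare", re.compile(rf"\.{EMAIL}-id-{HEX}{{4}}\.wallet$", re.I)),
]
# Path inside a decryptor log line of the form quoted in the first post.
LOG_PATH = re.compile(r"Cleaning file \[(.+)\]\s*$")


def classify(name):
    """Return the family suggested by a file name, or None if not .wallet."""
    if not name.lower().endswith(".wallet"):
        return None
    for family, pattern in FAMILIES:
        if pattern.search(name):
            return family
    # No email/id marker: the list attributes plain ".wallet" to Sanctions.
    return "no marker (Sanctions per the list)"


def tally_log(lines):
    """Count suggested families over the 'Cleaning file [...]' log lines."""
    counts = Counter()
    for line in lines:
        match = LOG_PATH.search(line)
        if match:
            counts[classify(match.group(1)) or "not .wallet"] += 1
    return counts


# First line is from the thread; the other three are constructed samples.
SAMPLE_LOG = [
    r"[2017.12.24 14:56:11.953] - INFO: Cleaning file [E:\EAP\Guest_home_page.jpg.[6etc0in@cock.li]-id-2ABC.wallet]",
    r"[2017.12.24 14:56:11.953] - INFO: Can't get header for file.",
    r"[2017.12.24 14:56:12.010] - INFO: Cleaning file [E:\EAP\a.doc.id-480EB957.[legionfromheaven@india.com].wallet]",
    r"[2017.12.24 14:56:12.020] - INFO: Cleaning file [E:\EAP\b.xls.[ADMIN@HOIST.DESI].ID[DF1866CB3A6F9701].WALLET]",
]

if __name__ == "__main__":
    for family, count in tally_log(SAMPLE_LOG).items():
        print(f"{family}: {count}")
```
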

On ‎12‎/‎25‎/‎2017 at 6:02 AM, Marcos said:

If you have a paid version of ESET

I do not understand; could he be an "unpaid" version of ESET?????

What happened with the "dedicated" antiransomware module in version 11????

Edited by John Alex

Referring back to the screen shot posted on Dec. 25, I only see files encrypted in C:\Users\Public subdirectories. Were any files encrypted in other directories?

This topic is now closed to further replies.