.Wallet Ransomware

[Faraz 0]

Hi,

i have been using NOD32 antivirus with updated virus signature but still our systems were affected.

all the files are showing .wallet extensions. I have tried eset's decryptor but it doesn't help as it is showing below error in logs.

[2017.12.24 14:56:11.953] - INFO: Cleaning file [E:\EAP\Guest_home_page.jpg.[6etc0in@cock.li]-id-2ABC.wallet]
[2017.12.24 14:56:11.953] - INFO: Can't get header for file.
[2017.12.24 14:56:11.953] - INFO: Can't get info from file.
[2017.12.24 14:56:11.953] - ERROR: Not cleaned.

Can anyone help me on this.

Guest_home_page.jpg.[6etc0in@cock.li]-id-2ABC.rar

[Marcos 5,074]

It was likely an older Filecoder.Crysis that encrypted the files. That said, you probably either don't have ESET configured properly (e.g. some users inadvertently exclude typical malware locations from scanning), or an attacker managed to guess or bruteforce a U/P, remoted in, disabled ESET and then ran the ransomware.

This decoder should work for ".wallet" files: https://support.eset.com/kb6274/

[Faraz 0]

Hi Marcos,

already tried this. it is unable to recover. you can see the attached giving error.

 

16 hours ago, Marcos said:

It was likely an older Filecoder.Crysis that encrypted the files. That said, you probably either don't have ESET configured properly (e.g. some users inadvertently exclude typical malware locations from scanning), or an attacker managed to guess or bruteforce a U/P, remoted in, disabled ESET and then ran the ransomware.

This decoder should work for ".wallet" files: https://support.eset.com/kb6274/

 

[Marcos 5,074]

If you have a paid version of ESET, email several encrypted Office documents along with the log from the decoder and logs from ESET Log Collector to samples[at]eset.com.

[safety 8]

Quote

[2017.12.24 14:56:11.953] - INFO: Cleaning file [E:\EAP\Guest_home_page.jpg.[6etc0in@cock.li]-id-2ABC.wallet]

@Marcos

this is most likely BTCWare.

https://id-ransomware.malwarehunterteam.com/identify.php?case=2877613b7a7ce3420fe5a415bc24e7d190472452

 

Quote

 

This ransomware has no known way of decrypting data at this time.
It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

• sample_extension: .[<email>]-id-<id>.wallet

 

 

 

 

The .WALLET extension has been used by several ransomwares to include CryptoMix Wallet Ransomware, Dharma (CrySiS) Ransomware, BTCWare.wallet and Sanctions Ransomware which does not contain the standard Dharma/Crysis file markers.

• .[<email>].ID.<16 random hexadecimal character ID>.WALLET (i.e. ,[ADMIN@HOIST.DESI].ID[DF1866CB3A6F9701].WALLET) = CryptoMix
• .id-<8 random hexadecimal characters>.[<email>].wallet (i.e. .id-480EB957.[legionfromheaven@india.com].wallet) = Dharma (CrySiS)
• .[<email>]-id-[4 random hexadecimal characters>.wallet (i.e. .[amagnus@india.com]-id-37DC.wallet) = BTCWare AES-256
• .filename.[extension].wallet = Sanctions

https://www.bleepingcomputer.com/forums/t/601084/unblockedemailsututaio-ransomware-support-topic-how-to-decrypt-filestxt/page-10#entry4418219

Edited January 8, 2018 by safety

[novice 20]

On ‎12‎/‎25‎/‎2017 at 6:02 AM, Marcos said:

If you have a paid version of ESET

I do not understand; could he be an "unpaid" version of ESET?????

What happened with the "dedicated" antiransomware module in version 11????

Edited January 8, 2018 by John Alex

[itman 1,659]

4 hours ago, John Alex said:

do not understand; could he be an "unpaid" version of ESET?????

Trial version.

[itman 1,659]

Referring back to the screen shot posted on Dec. 25, I only see files encrypted in C:\Users\Public subdirectories. Were any files encrypted in other directories?