CryptoMix Ransomware Using the Wallet Extension

2May - by Dawood Khan - 0 - In News

A new CryptoMix, or CryptFile2, variant was released that is now using the [payment_email].ID[VICTIM_16_CHAR_ID].WALLET extension for encrypted files. This is very annoying as it makes it more difficult for victims to easily identify what ransomware they are infected with when they perform web searches. This is because of the .WALLET extension has been used by Dharma/Crysis, Sanctions, and now we have CryptoMix. Currently, payment email addresses are,, and

U.S. foreign intelligence surveillance requests has more than doubled Microsoft Corp (MSFT.O) said on Thursday it had received at least a thousand surveillance requests from the U.S. government that sought user content for foreign intelligence purposes during the first half of 2016.The scope of spying authority granted to U.S. intelligence agen...

This variant was discovered by independent security researcher R0bert R0senb0rg and later identified as CryptoMix by MalwareHunterTeam. I decided to take a look at the sample and take a deeper dive to see what has changed since the previous Revenge variant was released.

Unfortunately, at this time there is no way to decrypt files encrypted by this Wallet for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic.

How the Wallet Ransomware Encrypts a Victim's Files

Unfortunately, at this time we have no knowledge as to how the Wallet Ransomware is currently being distributed. What we do know is that once the executable is started, it will generate a unique 16 hexadecimal victim ID and an encryption key on the computer and then send this information back to the Command & Control server.

It will then begin to scan the computer for files to encrypt. Unlike most ransomware infections and the previous Revenge version, this version does not target specific extensions, but rather encrypts any files it detects as long as they are not located in certain whitelisted folders. The list of whitelisted folders are:


More Stolen NSA Hacking Tools & Exploits Released by Shadow Brokers Group A hackers group that previously claimed to have stolen a bunch of hacking tools (malware, zero-day exploits, and implants) created by the NSA and gained popularity last year for leaking a portion of those tools is back.Besides dumping some NSA's hacking tools back in August 2...

When Wallet encrypts a file it will do so using AES encryption and then rename the encrypted file. When renaming the file, it will ROT-13 the original file name and then append the.[SHIELD0@USA.COM].ID[VICTIM_16_CHAR_ID].WALLET , or [].ID[VICTIM_16_CHAR_ID].WALLET , or  [].ID[VICTIM_16_CHAR_ID].WALLET extensions, depending on the variant, to the encrypted filename.

For example, a file called test.jpg would be encrypted and renamed as grfg.wct.[SHIELD0@USA.COM].ID[1111111111111111].WALLET .

Note: Wallet will also scan unmapped network shares for files to encrypt. Therefore, be sure to lock down your network by securing network shares so only those that need to can write to the shares.

In each folder that Wallet encrypts a file, it will also create a ransom note named #_RESTORING_FILES_#.TXT. Unlike older versions of CryptoMix, this variant does not create an HTML version of the ransom note.

Wallet will then display a fake alert that states:

The instruction at 0xe9c71f6c referenced memory at 0x00000000C. The memory could not be read.

Google Patches 6 Critical Android Mediaserver Bugs Google has released its monthly security patches for Android this week, addressing 17 critical vulnerabilities, 6 of which affect Android Mediaserver component that could be used to execute malicious code remotely.Besides patches for Mediaserver, Google also fixed 4 critical ...

Click on Yes in the next window for restore work explorer.exe.

Like the fake alert in Revenge, the broken English in the Wallet alert should give the victim's a hint that this alert is not legitimate.

Fake Explorer.exe - Application Error Alert

When the victim presses the OK button, the ransomware will use WMIC to launch an elevated version of the ransomware in order to execute bcdedit and to remove the volume shadow copies. This will cause a UAC, or User Account Control, prompt to appear like below. The above fake alert is used to try and convince the victim to press Yes at the below UAC prompt.

UAC Prompt for the Launch of the SmartScreen.exe Executable

The victim will continue to see this fake alert until they press the Yes button at the UAC prompt. Once they do so, the ransomware will execute the following commands that disable the Windows startup recovery and to clear the Windows Shadow Volume Copies.

cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:WindowsSystem32cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet

Finally, the Wallet Ransomware will display a ransom note called #_RESTORING_FILES_#.TXT.

Text Ransom Note

This ransom note contains information regarding what happened to your files, a personal identification ID, and an email addresses that can be used to contact the ransom developer for payment instructions. The current email addressses that have been seen with this variant are,, and Finally, the developer is currently offering 5 free decryptions to prove that they can actually decrypt files.

Unfortunately, at this time there is no way to decrypt files encrypted by this Wallet for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic.

Leave a Reply

Your email address will not be published. Required fields are marked *