CryptoMix Ransomware Using the Wallet Extension

2May - by Dawood Khan - 0 - In News

A new CryptoMix, or CryptFile2, variant was released that is now using the [payment_email].ID[VICTIM_16_CHAR_ID].WALLET extension for encrypted files. This is very annoying as it makes it more difficult for victims to easily identify what ransomware they are infected with when they perform web searches. This is because of the .WALLET extension has been used by Dharma/Crysis, Sanctions, and now we have CryptoMix. Currently, payment email addresses are,, and

How to Run Android Apps on Windows Running Android apps usually requires an Android smartphone or tablet — obviously! — but what if you currently use iOS and want to try Android without actually getting an Android device? Android Studio One popular way to get Android apps running on a PC is to go through the A...

This variant was discovered by independent security researcher R0bert R0senb0rg and later identified as CryptoMix by MalwareHunterTeam. I decided to take a look at the sample and take a deeper dive to see what has changed since the previous Revenge variant was released.

Unfortunately, at this time there is no way to decrypt files encrypted by this Wallet for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic.

How the Wallet Ransomware Encrypts a Victim's Files

Unfortunately, at this time we have no knowledge as to how the Wallet Ransomware is currently being distributed. What we do know is that once the executable is started, it will generate a unique 16 hexadecimal victim ID and an encryption key on the computer and then send this information back to the Command & Control server.

It will then begin to scan the computer for files to encrypt. Unlike most ransomware infections and the previous Revenge version, this version does not target specific extensions, but rather encrypts any files it detects as long as they are not located in certain whitelisted folders. The list of whitelisted folders are:


GPAA Ransomware Shows the Depravity of Some Ransomware Developers I have been following ransomware since they first started becoming popular in 2012 (ACCDFISA) and 2013 (CryptoLocker). For the most part, ransomware developers create generic ransom notes that provide information as to what has happened and payment instructions on how to get file...

When Wallet encrypts a file it will do so using AES encryption and then rename the encrypted file. When renaming the file, it will ROT-13 the original file name and then append the.[SHIELD0@USA.COM].ID[VICTIM_16_CHAR_ID].WALLET , or [].ID[VICTIM_16_CHAR_ID].WALLET , or  [].ID[VICTIM_16_CHAR_ID].WALLET extensions, depending on the variant, to the encrypted filename.

For example, a file called test.jpg would be encrypted and renamed as grfg.wct.[SHIELD0@USA.COM].ID[1111111111111111].WALLET .

Note: Wallet will also scan unmapped network shares for files to encrypt. Therefore, be sure to lock down your network by securing network shares so only those that need to can write to the shares.

In each folder that Wallet encrypts a file, it will also create a ransom note named #_RESTORING_FILES_#.TXT. Unlike older versions of CryptoMix, this variant does not create an HTML version of the ransom note.

Wallet will then display a fake alert that states:

The instruction at 0xe9c71f6c referenced memory at 0x00000000C. The memory could not be read.

Beware! Over 800 Android Apps on Google Play Store Contain ‘Xavier’ ... Over 800 different Android apps that have been downloaded millions of times from Google Play Store found to be infected with malicious ad library that silently collects sensitive user data and can perform dangerous operations.Dubbed "Xavier," the malicious ad library, initial...

Click on Yes in the next window for restore work explorer.exe.

Like the fake alert in Revenge, the broken English in the Wallet alert should give the victim's a hint that this alert is not legitimate.

Fake Explorer.exe - Application Error Alert

When the victim presses the OK button, the ransomware will use WMIC to launch an elevated version of the ransomware in order to execute bcdedit and to remove the volume shadow copies. This will cause a UAC, or User Account Control, prompt to appear like below. The above fake alert is used to try and convince the victim to press Yes at the below UAC prompt.

UAC Prompt for the Launch of the SmartScreen.exe Executable

The victim will continue to see this fake alert until they press the Yes button at the UAC prompt. Once they do so, the ransomware will execute the following commands that disable the Windows startup recovery and to clear the Windows Shadow Volume Copies.

cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:WindowsSystem32cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet

Finally, the Wallet Ransomware will display a ransom note called #_RESTORING_FILES_#.TXT.

Text Ransom Note

This ransom note contains information regarding what happened to your files, a personal identification ID, and an email addresses that can be used to contact the ransom developer for payment instructions. The current email addressses that have been seen with this variant are,, and Finally, the developer is currently offering 5 free decryptions to prove that they can actually decrypt files.

Unfortunately, at this time there is no way to decrypt files encrypted by this Wallet for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic.

Leave a Reply

Your email address will not be published. Required fields are marked *