News

New version of the CryptoMix Ransomware Using the Wallet Extension

May 2, 2017

A new CryptoMix, or CryptFile2, variant was released that is now using the .[payment_email].ID[VICTIM_16_CHAR_ID].WALLET​ extension for encrypted files. This is very annoying as it makes it more difficult for victims to easily identify what ransomware they are infected with when they perform web searches. This is because the .WALLET extension has been used by Dharma/Crysis, Sanctions, and now we have CryptoMix. Currently payment email addresses are This email address is being protected from spambots. You need JavaScript enabled to view it.
This email address is being protected from spambots. You need JavaScript enabled to view it., and This email address is being protected from spambots. You need JavaScript enabled to view it..

This variant was discovered by independent security researcher R0bert R0senb0rg and later identified as CryptoMix by MalwareHunterTeam. I decided to take a look at the sample and take a deeper dive to see what has changed since the previous Revenge variant was released.

Unfortunately, at this time there is no way to decrypt files encrypted by this Wallet for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic.

As a note, in this article I will be referring to this infection as the Wallet Ransomware as that will most likely be how the victim's will search for it. It is important to remember, though, that this ransomware is not a brand new infection, but rather just a new version of the CryptoMix ransomware family.

Update: 5/1/17 5:03PM EST - Updated the article a bit to include another payment email address provided by xXToffeeXx.

How the Wallet Ransomware Encrypts a Victim's Files

Unfortunately, at this time we have no knowledge as to how the Wallet Ransomware is currently being distributed. What we do know is that once the executable is started, it will generate a unique 16 hexadecimal victim ID and an encryption key on the computer and then send this information back to the Command & Control server.

It will then begin to scan the computer for files to encrypt. Unlike most ransomware infections, and the previous Revenge version, this version does not target specific extensions, but rather encrypts any files it detects as long as they are not located in certain whitelisted folders. The list of whitelisted folders are:
ransom1When Wallet encrypts a file it will do so using AES encryption and then rename the encrypted file. When renameing the file, it will ROT-13 the original file name and then append the  .[This email address is being protected from spambots. You need JavaScript enabled to view it.].ID[VICTIM_16_CHAR_ID].WALLET​, or [This email address is being protected from spambots. You need JavaScript enabled to view it.].ID[VICTIM_16_CHAR_ID].WALLET​, or  [This email address is being protected from spambots. You need JavaScript enabled to view it.].ID[VICTIM_16_CHAR_ID].WALLET ​extensions, depending on the variant, to the encrypted filename.

For example, a file called test.jpg would be encrypted and renamed as grfg.wct.[This email address is being protected from spambots. You need JavaScript enabled to view it.].ID[1111111111111111].WALLET​.
ransom9
In each folder that Wallet encrypts a file, it will also create a ransom note named #_RESTORING_FILES_#.TXT. Unlike older versions of CryptoMix, this variant does not create a HTML version of the ransom note.

encrypted filesEncrypted Files and Ransom Note

Wallet will then display a fake alert that states:
ransom9
Like the fake alert in Revenge, the broken English in the Wallet alert should give victim's a hint that this alert is not legitimate.

fake alertFake Explorer.exe - Application Error Alert

When the victim presses the OK button, the ransomware will use WMIC to launch an elevated version of the ransomware in order to execute bcdedit and to remove the volume shadow copies. This will cause a UAC, or User Account Control, prompt to appear like below. The above fake alert is used to try and convince the victim to press Yes at the below UAC prompt.
elevated launchUAC Prompt for the Launch of the SmartScreen.exe Executable

The victim will continue to see this fake alert until they press the Yes button at the UAC prompt. Once they do so, the ransomware will execute the following commands that disable the Windows startup recovery and to clear the Windows Shadow Volume Copies.
ransom2Finally, the Wallet Ransomware will display a ransom note called #_RESTORING_FILES_#.TXT.
ransom noteText Ransom Note

This ransom note contains information regarding what happened to your files, a personal identification ID, and an email addresses that can be used to contact the ransom developer for payment instructions. The current email addressses that have been seen with this variant are This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., and This email address is being protected from spambots. You need JavaScript enabled to view it.. Finally, the developer is currently offering 5 free decryptions to prove that they can actually decrypt files.

Unfortunately, at this time there is no way to decrypt files encrypted by this Wallet for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic.

File Associated with the Wallet Ransomware Variant:
ransom3

Wallet Ransomware Hashes:
ransom4Wallet Ransomware Network Communication:
ransom5

Wallet Ransomware Associated Emails:
ransom6

Example Wallet Ransom Note Text:
ransom7

Fake Explorer.exe Alert Text:

ransom8

News Courtesyhttps://www.bleepingcomputer.com/news/security/new-version-of-the-cryptomix-ransomware-using-the-wallet-extension/