This article aims to help you by showing how to completely remove Wallet CryptoMix(Solheim&Sørensen AS) ransomware and restore files encrypted with .wallet extension.
Another ransomware infection, also known as Solheim&Sørensen AS ransomware has been reported to use the .wallet file extenson, which is the same as the second iteration of Dharma ransomware virus with which this virus should not to be mistaken. This infection encrypts the files on the computers infected by it using the AES and RSA encryption algorithm after which demands a ransom payoff in BTC in it’s ransom note, named #_Restoring_files_#.txt. In case you have become a victim of the Wallet ransomware, advises are to pay attention to this article.
Threat Summary
| Name | Wallet | |
| Type | Ransomware | |
| Short Description | Encrypts important files on the infected computer asking a ransom to be paid for their decryption. | |
| Symptoms | Files no longer openable with an added .wallet extension and the e-mail [email protected] Also a ransom note file, named #_Restoring_files_#.txt | |
| Distribution Method | Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner. | |
| Detection Tool |
See If Your System Has Been Affected by Wallet
Download Malware Removal Tool | |
| User Experience | Join our forum to Discuss Wallet. | |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
Wallet Ransomware – Infection Process
The distribution of this virus in order to infect targeted victims may be conducted via several different methods:
Spam via e-mail containing either malicious e-mail attachment or web link that lead to infection.
- Via web injectors.
- Via fake updates of either Windows, Flash Player, Java or other important software.
- Via suspiciously downloaded setups that are joined with the malicious code.
- Via fake key generators, game cracks and other software activators uploaded on toerrent sites.
The most common method of spreading ransomware, like the Wallet variant, deriving from the CrypoMix family of viruses is known as e-mail spam. These sophisticated spam campaigns aim to be massively sent via spamming software to computers all over the world. They usually contain documents or executable files as attachments that are malicious. The users are deceived that the attachments are legitimate invoices, receipts and others. In order to learn how to protect yourself from such e-mails, we strongly advise reading the related article:
The Wallet Ransomware – Activity
Once your computer has been infected by the .wallet file virus, the malware causing the infection, which is usually a dropper or downloader Trojan, may download it’s payload. This is achievable by connecting to the following host after infection:
- 185.125.32.14/check/gif.php
The downloaded payload of the Wallet infection consists of a file, named monsendas.exe and it may also have multiple other files with various names, located in important Windows directories:
After having downloaded the payload, the Wallet virus may tamper with the Windows Registry editor, modifying the following sub-keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
In addition to this, Wallet ransomware may also focus on deleting the Shadow Volume Copies on the infected machine, by executing the following commands:
→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Wallet Ransomware – The Encryption
Similar to the Dharma .wallet ransomware, this version of CryptoMix may be focused on very specific files to encrypt. These files may include documents, videos, photos, audio files, files associated with archives and often used programs. The virus may scan for the following files to encode them:
The encryption process of the Wallet virus is achieved by performing modification on blocks of data of the files by replacing their original content with content from the encryption algorithm, similar to what the image below displays:
The encryption algorithms used for this are the following:
- Rivest-Shamir-Adleman also known as RSA with a bit strength of 2048. (strongest stable)t
- Advanced Encryption Algorithm also known as Rijndael with a bit strength of 256. (strongest stable)
After the encryption process has completed, set of decryption keys are generated, the private of which are sent to the cyber-criminals behind the Wallet ransomware infection. The files no longer appear the same:
The final step of the virus is to notify the victim via it’s ransom message:
All your files haue been encrypted!
All your files haue been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message *****
You haue to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information.
(databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. Vou haue to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
http://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://wviw.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Remove Wallet Ransomware and Restore .wallet Files
Wallet ransomware is not to be mistaken with the Dharma version of the virus. This is why we recommend backing up your important files even if they are in encrypted format.
Then, an advisable approach for removing the Wallet virus is to focus on isolating the threat first after which removing it’s contents either manually or automatically. Malware research experts always advise using and advanced anti-malware software to perform the removal automatically and thoroughly.
For the moment there is no decrypter for the Wallet ransomware virus. However, you can try to get your files back by trying some of the alternative methods in step “2. Restore files encrypted by Wallet” below. They are not 100 percent effective, but may help restoring at least some of the encoded files. One of those methods is called data recovery, which can use revolutionary methods to restore damage data, such as the Forward Branch recovery method.
Manually delete Wallet from your computer
Note! Substantial notification about the Wallet threat: Manual removal of Wallet requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.
1. For Windows 7,XP and Vista.
2. For Windows 8, 8.1 and 10.
Fix registry entries created by Wallet on your PC.
Automatically remove Wallet by downloading an advanced anti-malware program
1. Install SpyHunter to scan for and remove Wallet.
Back up your data to secure it against infections and file encryption by Wallet in the future.
STOPZilla Anti Malware
