Severity scale:  
  (99/100)

Wallet ransomware virus. How to remove? (Uninstall guide)

removal by Alice Woods - -   Also known as Dharma | Type: Ransomware
12

Files with .wallet extension can be decrypted for free

Wallet ransom note 

Wallet ransomware belongs to the group of Dharma and Crysis ransomware. The file-encrypting virus[1] uses AES and RSA[2] cryptography and appends either .wallet or .wallet.lock extension to targeted data. But victims can restore their files using free decryption software. However, not all .wallet files can be decrypted. Developers of BTCWare decided to use the same extension in December 2017.

Hackers standing behind Crysis and Dharma ransomware families are known for releasing decryption keys for old variants of the malware, as soon as they start using a new file extension to distort users’ data. Thus, there’s no surprise that 198 master decryption keys were published[3] as soon as ransomware family started using .onion file extension.

However, victims who have their files locked with [filename].[email].wallet extension can restore files with free Wallet decryptor created by Avast. However, before using this tool, users should remove Wallet ransomware from the device using Reimage or another malware elimination program.

Developers of BTCWare started using .wallet file extension

Security researchers reported that a new version of BTCWare ransomware started using .[paydayz@cock.li]-id-11B0.wallet file extension to encrypt files on the targeted computer. However, the free Avast decryptor won’t help to restore files corrupted by this virus.

It’s not the first time when authors of the malware use .wallet file extension too. GlobeImposter and CryptoMix viruses were also using the same extension. However, these ransomware families use different filename patterns.

However, if you ever find .wallet extension appended to your files, you have to check which malware family attacked your device by checking provided contact email address and reading provided ransom note.

Operation of the Wallet ransomware virus

Once the Wallet virus is deployed on the system, it activates its malicious executable which then initiates system scan of the entire computer. During the scan, the virus searches for specific file extensions that are mainly related to user’s documents, media files, archives, etc.[4]

When located, these files are encrypted right away and marked with [email address].wallet or [email address].wallet.lock file extensions. Usually, they feature extortionists email addresses that should be used to contact them. They are known for using 358 different email addresses, including:

  • Mmk.scorpion@aol.com,
  • orlegionfromheaven@india.com,
  • destroed_total@aol.com,
  • stopper@india.com,
  • bitcoin143@india.com,
  • mkgoro@india.com,
  • mkliukang@india.com,
  • lavandos@dr.com.

Besides, the virus changes the desktop image with a ransom note presenting file recovery instructions. Here is a transcript of the note:

“//hallo, our dear friend!
//looks like you have some troubles with your security.
//all your files are now encrypted.
//using third-party recovering software will corrupt your data.
//you have only one way to get them back safely – using our decryption tool.
//to get original decryption tool contact us with email. in subject like write your ID, which you can find in name of every crypted file, also attach to email 3 crypted files.
lavandos@dr.com
//it is in your interest to respond as soon as possible to ensure the restoration of your files, because we won’t keep your decryption keys at our servers more than 72 hours in interest of our security.
//P.S. only in case you don’t receive a response from the first email address within 24 hours, please use this alternative email address.
amagnus@india.com

Because of the clumsy syntactic constructions and spelling mistakes, it becomes obvious that the hackers behind the virus are non-native English speakers[5]. Nevertheless, their targets are users who speak the language and can understand the situation.

While further instructions of data recovery are given only after contacting the criminals directly, we can presume that criminals demand the victims to pay a set amount of ransom in Bitcoins and make the transaction via the anonymous Tor network.

However, doing it is not needed because the virus is decryptable and you can get back access to your files for free after Wallet ransomware removal. However, once your files are decrypted, you should also make backups in order to protect your data from other crypto-malware that might hijack your device anytime. 

Versions of Wallet virus

Joker_lucker@aol.com ransomware is one of many versions of Wallet ransomware virus which relies on AES and RSA encryption algorithms. These algorithms have been used to encrypt word, pdf, excel and similar files, and make them inaccessible. You can separate files encrypted by Joker_lucker@aol.com virus or other ransomware by looking at their extensions.

This email address has been used by hackers to mark the target files and warn the victims that they won't be capable of using them. If infected, you can restore your files from backup. According to hackers, you should buy a special decryption key which is sent to them via Command & Control servers as soon as they finish the encryption process. Please, do NOT act according to hackers' needs as they can leave you with nothing!

Mk.scorpion@aol.com ransomware virus can encrypt the most of your files which are saved on your computer. It acts just like its previous versions that start asking the ransom right after finishing the encryption process. Typically, this ransomware leaves .[Mk.scorpion@aol.com].wallet file extension to the corrupted files and also drops README.txt file which is supposed to inform the victim about files' recovery. 

However, the recovery steps given by Mk.scorpion@aol.com ransomware are not as detailed as the ones provided by other ransomware authors. However, you should not consider the idea of making a payment to cybercriminals.

Developers rely on malicious spam emails to spread ransomware

Just like the original virus version, Wallet ransomware uses phishing [6] to enter computers. Mostly, scammers rely on spam campaigns to deliver infected files to the potential victims directly into their inboxes. All that the user has to do is download a file attached to a convincing looking email and the virus is let loose.

Today, there are still numerous computer users who fall into such traps. It is hard to blame them because hackers always apply advanced social engineering skills to make victims believe they must download supposed plane tickets, invoice or billing documents.

This only teaches us that we should not take every email for granted, even if it is received from some reputable organization or government institution. You should always check your mail before opening it and prevent Wallet ransomware from encrypting your files.

Wallet ransomware removal instructions

Ransomware is one of the leading viruses considering its complexity and impact on the system. Having this in mind, it would be naive to expect easy Wallet removal either. Of course, there are tools using which ransomware elimination may be incomparably less difficult.

A thorough system scan with professional anti-malware utilities (e.g. Reimage or Malwarebytes Anti Malware) will not take you longer than10 minutes and after it is done, you will be able to use your computer normally again. Don’t worry if you will fail to remove Wallet virus in first go. Nobody said the virus won’t fight back when you try to exterminate it. Just go to the end of the article where we provide decontamination instructions and follow them carefully.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Wallet ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Wallet ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual Wallet virus Removal Guide:

Remove Wallet using Safe Mode with Networking

Wallet removal will go smoother if you carry it out while your device is in Safe Mode. Below you will find instructions on how to boot your PC in this particular mode.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Wallet

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Wallet removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Wallet using System Restore

To ensure smooth ransomware removal, you will need to put some extra work and decontaminate the virus which you will do by following the steps provided below. Just don't forget to scan your device automatically afterwards!

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Wallet. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Wallet removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Wallet from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Wallet, you can use several methods to restore them:

Decrypt files encrypted by Wallet virus easily with Data Recovery Pro

After you eliminate the ransomware from your computer, do not forget to decrypt your data, too! Try out Data Recovery Pro for an automatic recovery.

When is the Windows Previous Versions feature helpful in recovering data?

Windows Previous Versions feature is a convenient and effective way of recovering encrypted data. Nevertheless, this feature will only be helpful if you had System Restore function enabled before the virus attacked your PC. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is a good choice for the recovery of files encrypted by Wallet ransomware

ShadowExplorer is a software that uses Volume Shadow Copies of encrypted files to recover them. This recovery method will only work if Volume Shadow Copies are not damaged or deleted by the virus.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use Wallet Decryptor

In order to use Avast Crysis Decryptor and restore files that have .wallet file extension, you should follow these steps:

1. Download the program from here.

2. When the download completes, double-click the program and open it.

3. Make sure that you have downloaded the 1.0.103.0 version of the program because only it can restore files.

4. On the main screen of the program click “Next” button.

5. In the appeared screen you need to choose locations and drivers that include encrypted files that you want to decrypt. Once you choose them, click “Next.”

6. In the next window make sure you have checked both options “Backup encrypted files” and “Run the decryption process as an administrator.”

7. Click “Decrypt” button.

8. In the popped up User Account Control prompt click “Yes” in order to continue the decryption process.

The program will start system scan and data decryption procedure. Be patient, this process might take more than 30 minutes. The more files you have stored on the device, the more time decryption will take. Once this procedure is over, the program will provide “Decryption Complete” window.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Wallet and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions

References

Removal guides in other languages