This morning a newly registered member posted the master decryption keys for the Wallet Ransomware in the BleepingComputer.com forums. This post was created at 9:13 AM EST by a member named lightsentinelone in the Dharma Ransomware Support Topic and contained a Pastebin link.
This Pastebin post contains a C header file that includes 198 decryption keys that have been confirmed to valid and have been used by security researchers to create a Wallet Ransomware decryptor.
This ransomware is fairly wide spread as you can see below, so you can imagine that with the release of this decryptor, many of the victims have happily posted that the decryptor has recovered their files.
With this said, if you ever get infected with ransomware and have no intention of paying, always be sure to store your encrypted files in a safe place in the event a decryptor is released in the future.
If anyone needs help using this decryptor or runs into a problem, please let us known in the dedicated Dharma Ransomware Help & Support Topic.
Update 5/19/17: Kaspersky has also released an updated RakhniDecryptor that can decrypt Wallet ransomware encrypted files.
The Crysis family of ransomware, which Wallet is part of, have made it a habit of releasing the master decryption keys for previous variants when they switch to a new extension. For example, on November 14, 2016 the Crysis master decryption keys were released on BC, on March 1st, 2017 the Dharma keys were released on BC, and now today we have the Wallet keys being released.
As this ransomware family recently switched to using the .onion extension, it is not surprising that we are seeing the keys for the previous version released.
While this shows a pattern that the ransomware developers use, it does not explain why they are releasing the keys. It could be that they do it out of good will and because by this point, anyone who was going to pay the ransomware, would have paid already. Therefore, it does not hurt their bottom line to release the keys and only makes them look better to those who were affected.
Hopefully this behavior will be emulated by other ransomware developers who may be willing to release keys for older versions that they will no longer generate revenue from.
Update 5/20/17: Looks like the master decryption keys that were released also decrypt some of those who are infected with the .onion variant. Therefore, if you have files encrypted that contain the .onion extension, you should try to use this decryptor as it may work on your files.
Victims of the Wallet ransomware can be identified by their files being encrypted and renamed to the format of [filename].[email].wallet. For example, a recent variant would have a file named test.jpg renamed and encrypted as test.jpg.[firstname.lastname@example.org].wallet.
You can see an example of a folder of encrypted files below:
To decrypt files encrypted by the Wallet ransomware, you need to first download Avast's Crysis Decryptor from here: http://files.avast.com/files/decryptor/avast_decryptor_crysis.exe.
Once downloaded, double-click on the program and the main screen will be displayed.
Before starting, you need to make sure that you are using version 18.104.22.168, which supports the keys released today for the Wallet ransomware. To check the version of the decryption tool, you can look in the title bar of the program as seen in the image above. If you are using the correct version, click on the Next button to continue.
You will now be at a screen asking you to add any drives that you wish to scan for encrypted files and to decrypt.
At the above screen add any drives that may not be already selected and then click on the Next button.
You will now be at a screen where you can select various options as to how the decryptor will function.
Leave both options checked and click on the Decrypt button to begin decrypting your files. As you will be running the decryptor as an Administrator, you will receive a UAC prompt asking if you would like to continue. It is safe to click Yes at this prompt.
The decryptor will begin scanning the selected drives and will decrypt any encrypted files that are detected.
This process can take quite a long time, so please be patient while it scans your computer and decrypts the files. To give you an idea of how long it may take, my test computer has very few files on it and it took over 30 minutes For a computer that has many files, especially large ones, the process will take much longer.
When finished the decryptor will display summary page showing how many files have been decrypted.
Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted Wallet files into one folder so you can delete or archive them.
You can now close the decryptor and use your computer as normal. If you need help using this decrypter, please ask in our Dharma Ransomware Help & Support Topic.
email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com Cryptime@india.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com HelpRobert@gmx.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org MKKitana@india.com Mkliukang@india.com email@example.com firstname.lastname@example.org MKSmoke@india.com email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org