This morning a newly registered member posted the master decryption keys for the Wallet Ransomware in the BleepingComputer.com forums. This post was created at 9:13 AM EST by a member named lightsentinelone in the Dharma Ransomware Support Topic and contained a Pastebin link.

BleepingComputer.com post about Wallet Keys being Released

This Pastebin post contains a C header file with 198 decryption keys that have been confirmed to be valid and have been used by security researchers to create a Wallet Ransomware decryptor.

This ransomware is fairly widespread, as you can see below, so you can imagine that with the release of this decryptor, many of the victims have happily posted that the decryptor has recovered their files.

Dharma Heat Map. Source: https://id-ransomware.malwarehunterteam.com/

With this said, if you ever get infected with ransomware and have no intention of paying, always be sure to store your encrypted files in a safe place in the event a decryptor is released in the future.

If anyone needs help using this decryptor or runs into a problem, please let us know in the dedicated Dharma Ransomware Help & Support Topic.

Update 5/19/17: Kaspersky has also released an updated RakhniDecryptor that can decrypt Wallet ransomware encrypted files.

Why did the Wallet Ransomware Developers Release The Decryption Keys?

The Crysis family of ransomware, which Wallet is part of, has made a habit of releasing the master decryption keys for previous variants when it switches to a new extension. For example, on November 14, 2016 the Crysis master decryption keys were released on BC, on March 1st, 2017 the Dharma keys were released on BC, and now today we have the Wallet keys being released.

As this ransomware family recently switched to using the .onion extension, it is not surprising that we are seeing the keys for the previous version released.

While this shows a pattern that the ransomware developers follow, it does not explain why they are releasing the keys. It could be that they do it out of good will and because, by this point, anyone who was going to pay the ransom would have paid already. Therefore, it does not hurt their bottom line to release the keys and only makes them look better to those who were affected.

Hopefully this behavior will be emulated by other ransomware developers who may be willing to release keys for older versions that they will no longer generate revenue from.

How to Decrypt Wallet, and maybe Onion, Encrypted Files Using the Avast Decryption Tool for Crysis

Update 5/20/17: Looks like the master decryption keys that were released also decrypt some of those who are infected with the .onion variant. Therefore, if you have files encrypted that contain the .onion extension, you should try to use this decryptor as it may work on your files.

Victims of the Wallet ransomware can be identified by their files being encrypted and renamed to the format of [filename].[email].wallet. For example, a recent variant would have a file named test.jpg renamed and encrypted as test.jpg.[destroed_total@aol.com].wallet.

You can see an example of a folder of encrypted files below:

Wallet Encrypted Files

I have also included a full list of email addresses, thanks to Michael Gillespie of ID-Ransomware, at the end of this article.

To decrypt files encrypted by the Wallet ransomware, you need to first download Avast's Crysis Decryptor from here: http://files.avast.com/files/decryptor/avast_decryptor_crysis.exe.

Once downloaded, double-click on the program and the main screen will be displayed.

Avast Decryption Tool for Crysis

Before starting, you need to make sure that you are using version 1.0.103.0, which supports the keys released today for the Wallet ransomware. To check the version of the decryption tool, you can look in the title bar of the program as seen in the image above. If you are using the correct version, click on the Next button to continue.

You will now be at a screen asking you to add any drives that you wish to scan for encrypted files and to decrypt.

Select Drives Screen

At the above screen add any drives that may not be already selected and then click on the Next button.

You will now be at a screen where you can select various options as to how the decryptor will function.

Decryption Options Screen

Leave both options checked and click on the Decrypt button to begin decrypting your files. As you will be running the decryptor as an Administrator, you will receive a UAC prompt asking if you would like to continue. It is safe to click Yes at this prompt.

The decryptor will begin scanning the selected drives and will decrypt any encrypted files that are detected.

Decrypting Files

This process can take quite a long time, so please be patient while it scans your computer and decrypts the files. To give you an idea of how long it may take, my test computer has very few files on it and it took over 30 minutes. For a computer that has many files, especially large ones, the process will take much longer.

When finished, the decryptor will display a summary page showing how many files have been decrypted.

Decryption Complete

Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted Wallet files into one folder so you can delete or archive them.
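As an added example (not the article's code, nor CryptoSearch itself), the script below recognizes the [filename].[email].wallet naming scheme described above and, like the CryptoSearch step, moves each encrypted file into a quarantine folder only when its decrypted original already sits beside it; files with no decrypted copy are left in place. Accepting the .onion extension in the same layout is an assumption, and the sample directory tree is constructed for the demo.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Naming scheme described above: <original name>.[<contact email>].wallet
# (.onion files use the same layout; accepting them too is an assumption)
WALLET_RE = re.compile(
    r"^(?P<orig>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(wallet|onion)$", re.IGNORECASE)

def parse_wallet_name(name):
    """Return (original_name, contact_email) for a Wallet-style filename, else None."""
    m = WALLET_RE.match(name)
    return (m.group("orig"), m.group("email")) if m else None

def find_encrypted(root):
    """Yield (path, original_name, email) for every Wallet-named file under root."""
    for path in Path(root).rglob("*"):
        parsed = parse_wallet_name(path.name) if path.is_file() else None
        if parsed:
            yield path, parsed[0], parsed[1]

def quarantine_decrypted(root, quarantine):
    """Move encrypted files whose decrypted original sits beside them into `quarantine`
    (mirroring the relative path). Files with no decrypted copy stay put. Returns (moved, skipped)."""
    root, quarantine = Path(root), Path(quarantine)
    moved = skipped = 0
    for enc, orig, _email in list(find_encrypted(root)):  # list(): don't walk while moving
        if (enc.parent / orig).is_file():
            dest = quarantine / enc.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(enc), str(dest))
            moved += 1
        else:
            skipped += 1
    return moved, skipped

def demo():
    """Constructed sample tree: two decrypted pairs plus one file with no decrypted copy."""
    base = Path(tempfile.mkdtemp())
    docs = base / "victim" / "docs"
    docs.mkdir(parents=True)
    for name in ("test.jpg", "test.jpg.[destroed_total@aol.com].wallet", "report.docx",
                 "report.docx.[mk.scorpion@aol.com].wallet", "budget.xlsx.[crann@india.com].wallet"):
        (docs / name).write_bytes(b"constructed sample content")
    result = quarantine_decrypted(base / "victim", base / "quarantine")
    shutil.rmtree(base)
    return result  # → (2, 1)
```

Run `quarantine_decrypted("C:/", "D:/wallet_quarantine")`-style calls only after the Avast summary page confirms the decryption count you expected.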

You can now close the decryptor and use your computer as normal. If you need help using this decryptor, please ask in our Dharma Ransomware Help & Support Topic.


Known Wallet Email Addresses:
