
Decrypt .wallet files and remove BTCWare ransomware

The .wallet file extension has been trending in cybercriminal circles for months. Several ransomware families mark the files they encrypt with this string, and the motivation is plain: extortion is about money, and cryptocurrency wallets are where the ransom ends up. Strains currently using the token include BTCWare, CrySiS/Dharma, CryptoMix, and the less widespread Sanctions ransomware. The most recent arrival on the .wallet train is BTCWare, which is the subject of this article.

.wallet files encrypted by ransomware (screenshot)

This variant appends a tail of the form .[attacker’s email]-id-[victim ID].wallet to each file it encrypts, so a picture named Lighthouse.jpg ends up looking like Lighthouse.jpg.[[email protected]]-id-A4.wallet. Other contact emails used by different extortionist groups in the same position include [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], and [email protected]. The bracketed details are the instructions in miniature: the victim is expected to email the address shown in the extension and quote the personal ID, after which the threat actors reply with the ransom amount and how to pay it. Leave the renamed files exactly as they are; stripping the tail does not decrypt anything, and if a free decryptor does appear it will need the intact ID and, often, an unencrypted copy of at least one affected file.

BTCWare .wallet variant displays this HTA ransom note (screenshot)

The file extension is not the only way the BTCWare ransom Trojan tells its victims what happened and what to do next. It also drops ransom notes onto the infected machine; their names vary by distribution campaign, and recent variants use “! FILES ENCRYPTED.txt” or “! How Decrypt Files.txt”. In addition, the malware launches an HTA file, an HTML application that presents the same demand in a more polished, victim-friendly window. Keep a copy of the note, the HTA and, if you can find it, the dropped executable somewhere off the machine before cleanup: security software will delete them, and they are the evidence a responder or a decryptor author will ask for.
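To turn the naming scheme and note names above into a quick triage check, here is an added Python example (not code from the original article or from any vendor): it walks a directory tree, parses the .[email]-id-[ID].wallet tail, tallies the contact addresses and victim IDs in use, and lists ransom notes by the names quoted above. The sample directory it builds, the attacker@example.com address and the A4 ID are constructed for the demonstration, and the assumption that victim IDs are short alphanumeric tokens is mine.

```python
import os
import re
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass

# Naming scheme described in the article:
#   <original name>.[<attacker email>]-id-<victim ID>.wallet
# Assumption: the victim ID is a run of letters and digits (the article shows "A4").
WALLET_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]-id-(?P<victim_id>[A-Za-z0-9]+)\.wallet$"
)

# Ransom note names quoted in the article, compared case-insensitively.
RANSOM_NOTE_NAMES = {"! files encrypted.txt", "! how decrypt files.txt"}


@dataclass
class EncryptedFile:
    path: str
    original_name: str
    email: str
    victim_id: str


def parse_wallet_name(name: str):
    """Return (original_name, email, victim_id), or None if the name is not a .wallet tail."""
    m = WALLET_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("email"), m.group("victim_id")


def is_ransom_note(name: str) -> bool:
    return name.lower() in RANSOM_NOTE_NAMES


def triage(root: str):
    """Walk `root` and return (encrypted files, ransom note paths, email counts, ID counts).

    More than one email or ID in the counters means more than one campaign touched the tree."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            parsed = parse_wallet_name(fname)
            if parsed:
                encrypted.append(EncryptedFile(full, *parsed))
            elif is_ransom_note(fname):
                notes.append(full)
    emails = Counter(f.email for f in encrypted)
    ids = Counter(f.victim_id for f in encrypted)
    return encrypted, notes, emails, ids


def demo():
    """Build a constructed sample tree in a temp dir, triage it, and return a summary."""
    root = tempfile.mkdtemp(prefix="wallet-triage-")
    try:
        sub = os.path.join(root, "Documents")
        os.makedirs(sub)
        sample = [  # constructed names; attacker@example.com is a placeholder address
            "Lighthouse.jpg.[attacker@example.com]-id-A4.wallet",
            "budget.xlsx.[attacker@example.com]-id-A4.wallet",
            "! FILES ENCRYPTED.txt",
            "notes.txt",  # an untouched file
        ]
        for name in sample:
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(b"\x00")
        encrypted, notes, emails, ids = triage(root)
        return {
            "encrypted": sorted(f.original_name for f in encrypted),
            "notes": len(notes),
            "emails": dict(emails),
            "ids": dict(ids),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it against the real profile directory (for example `triage(r"C:\Users")`) to get an inventory of what was hit and the exact email/ID pair the note refers to, without touching the files themselves.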

How the .wallet ransomware reaches a computer depends on the affiliate campaign behind a specific instance. The most common route is malspam (malicious spam) sent by a botnet, where the targeted user triggers the payload by opening a trojanized email attachment. Another entry point is RDP: criminals have been abusing exposed remote desktop services heavily, guessing or brute-forcing the credentials and then running the ransomware by hand on the machine they have logged into. A third vector is exploit kits, where infection follows a visit to a compromised website. If RDP is the suspected route, treat the case as a hands-on intrusion rather than a drive-by: the attackers had interactive access, so change every password used on that system, look for accounts or tools they may have left behind, and do not put RDP back on the Internet without a VPN in front of it, strong passwords and account lockout.
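As an added example of the RDP check a responder would want (not part of the original article), the Python below runs brute-force detection over a handful of constructed Windows Security events: it counts 4625 failures per source address for RemoteInteractive (logon type 10) sessions, flags sources that reach a threshold inside a time window, and reports whether a 4624 success from the same source followed the burst, which is the pattern that precedes an RDP-delivered ransomware drop. The event lines, addresses (reserved TEST-NET ranges) and account names are constructed; on a real host the same fields come from the Security log via Get-WinEvent or a SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log events, one per line:
#   <EventID> <timestamp> <logon type> <account> <source IP>
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
# Addresses are from the TEST-NET documentation ranges; nothing here is real data.
SAMPLE_EVENTS = """
4625 2017-12-05T02:14:01 10 administrator 203.0.113.7
4625 2017-12-05T02:14:03 10 admin 203.0.113.7
4625 2017-12-05T02:14:06 10 administrator 203.0.113.7
4625 2017-12-05T02:14:09 10 user 203.0.113.7
4625 2017-12-05T02:14:12 10 test 203.0.113.7
4625 2017-12-05T02:15:30 10 backup 203.0.113.7
4624 2017-12-05T02:16:40 10 backup 203.0.113.7      # success right after the burst
4625 2017-12-05T09:30:00 10 alice 198.51.100.5      # a single typo, not an attack
4625 2017-12-05T09:31:00 2 alice 198.51.100.5       # console logon, not RDP, ignored
"""


def parse_events(text):
    """Parse the flat sample format into dicts; '#' starts a comment."""
    events = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        event_id, stamp, logon_type, account, src = line.split()
        events.append({
            "id": int(event_id),
            "time": datetime.fromisoformat(stamp),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5), logon_types=(10,)):
    """Return {source_ip: summary} for sources with >= `threshold` failed RDP logons inside `window`.

    With Network Level Authentication enabled, failed RDP attempts are recorded as logon
    type 3 (network) rather than 10, so pass logon_types=(10, 3) on such hosts.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] not in logon_types:
            continue
        if e["id"] == 4625:
            failures[e["src"]].append(e)
        elif e["id"] == 4624:
            successes[e["src"]].append(e)

    alerts = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        times = [e["time"] for e in fails]
        burst_start = None
        # Sliding window: any `threshold` consecutive failures spanning no more than `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_start = times[i]
                break
        if burst_start is None:
            continue
        alerts[src] = {
            "failures": len(fails),
            "accounts": sorted({e["account"] for e in fails}),
            "first_failure": times[0].isoformat(),
            # A success from the same source after the burst began suggests a guessed password.
            "success_after_burst": [e["account"] for e in successes.get(src, [])
                                    if e["time"] >= burst_start],
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

The threshold and window are deliberately loose; tune them to the host, and treat a success listed under success_after_burst as a compromised account rather than a lucky user.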

Unfortunately, at the time of this writing there is no reliable way to decrypt the ransomed files for free, although researchers are working on a decryptor. Under the circumstances, try the alternative recovery techniques below, which are tailored to ransomware scenarios.

.Wallet ransomware removal

As counterintuitive as it may sound, removing this particular threat is not complicated, unlike the cleanup of screen lockers, another class of ransomware in circulation. The real challenge with BTCWare/.wallet is getting personal files back without paying the extortionists. In other words, you can get rid of the malware with capable security software without much trouble, but recovering the encrypted data is a separate matter, which this guide covers afterwards.

Let’s now outline an easy and effective way to remove the ransomware from a contaminated computer. Before you start, disconnect the machine from the network and unplug any external drives, so that a still-running process cannot reach shared folders or backups. Then follow the steps below:

1. Download and install HitmanPro.Alert with CryptoGuard (supported systems: Windows XP SP3, Vista, 7, 8, 8.1, 10).

2. Open the program, click the Scan computer button and wait for the scan to complete.
HitmanPro.Alert 3.5 with CryptoGuard: Scan Computer (screenshot)

3. When HitmanPro.Alert presents the scan report, make sure the Delete option is selected next to the ransomware entry and any other threats on the list, then click Next to remove them.
HitmanPro.Alert 3.5 with CryptoGuard: Delete Threats (screenshot)

Now for the good news and the bad. The .wallet ransomware is gone from your computer and will do no further damage; your files, however, are still encrypted, because removing the malware does not undo the encryption it has already performed. The next section covers methods that may help you restore your data.

Recover .wallet files using Shadow Copies

As mentioned above, the compromised files remain encrypted with the AES algorithm even after the .wallet virus is removed, and recovering a properly generated AES key by brute force is not feasible. You can, however, try to restore previous versions of the files, either with native Windows functionality or with the ShadowExplorer application. Two caveats: the method only works if System Protection (System Restore) was enabled on the PC, and many ransomware families delete existing shadow copies as part of their routine, typically through vssadmin, so the list may turn out to be empty. Even when copies exist, the versions you recover may not be the most recent. It is still worth a try, since checking costs nothing.

Getting your files back using Previous Versions functionality

Windows lets you right-click any file, select Properties and open the Previous Versions tab. There you will see every version of the file that the Volume Shadow Copy Service (VSS) has backed up, listed by date.
previous-versions (screenshot)
To restore a particular version, click Copy and choose where to save it. To replace the existing file with the restored version, click Restore instead. Whole folders can be restored the same way.

Restoring encrypted data with Shadow Explorer utility

Besides the built-in Windows functionality above, the ShadowExplorer application can restore previous versions of entire folders. Once downloaded and launched, it lists all of your drives together with the dates on which shadow copies were created. Pick the drive and date to restore from, as in the following screenshot:
shadow-explorer (screenshot)
Right-click the directory you wish to restore and choose Export from the context menu; you will then be asked where to put the recovered data.

Use automatic recovery software

It might sound surprising, but some ransomware strains do not encrypt the original files at all. They encrypt a newly written copy and delete the original. A deleted file is not wiped; the disk sectors it occupied keep their contents until something else is written over them, and that is what undelete and file-carving tools exploit. It also means every write to the affected drive, including the recovery tool’s own installation, can destroy data you are trying to save: install the tool on a different drive, save recovered files somewhere else, and if the data matters, image the disk first and work on the copy.

Download and install Paretologic Data Recovery Pro to give this avenue a try. A scan with Data Recovery Pro lists all recoverable files and lets you restore them to their original location or another path of your choice (prefer another drive, so the restore does not overwrite data still waiting to be recovered).


Data Recovery Pro (screenshot)
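To show why deleted originals can sometimes be recovered, and why continuing to use the disk destroys that chance, here is an added Python example (not the article’s or any vendor’s code) of signature-based file carving, one of the techniques recovery tools rely on: it scans a raw byte image for JPEG start and end markers and pulls out whatever still lies between them. The “disk image”, the two minimal JPEGs and the ciphertext-like filler standing in for the ransomware’s encrypted copies are all constructed for the demo.

```python
# Signature-based carving for JPEG files; an added illustration, not a vendor's algorithm.
SOI = b"\xff\xd8\xff"   # Start Of Image plus the first byte of the next marker (FFD8 FFxx)
EOI = b"\xff\xd9"       # End Of Image


def make_sample_jpeg(payload: bytes) -> bytes:
    """Build a minimal JFIF-structured JPEG around an arbitrary payload (constructed test data)."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + payload + EOI


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return every byte span that starts with a JPEG SOI marker and ends at the next EOI.

    Limitations a real tool handles: fragmented files, embedded EXIF thumbnails
    (whose own EOI ends the carve early) and smarter handling of missing terminators.
    """
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1            # no plausible terminator: skip this candidate
            continue
        found.append(image[start:end + len(EOI)])
        pos = end + len(EOI)
    return found


def build_sample_image() -> bytes:
    """Constructed raw 'disk image': two deleted photos still sitting in unallocated space,
    next to ciphertext-like filler standing in for the ransomware's encrypted copies."""
    photo1 = make_sample_jpeg(b"first photo data")
    photo2 = make_sample_jpeg(b"second photo data")
    ciphertext = bytes(range(256))        # contains neither an SOI nor an EOI sequence
    return b"\x00" * 512 + photo1 + b"\xaa" * 300 + ciphertext + photo2 + b"\x00" * 512


def overwrite(image: bytes, offset: int, length: int) -> bytes:
    """Simulate new data landing on part of the disk (zero-fill of `length` bytes)."""
    buf = bytearray(image)
    buf[offset:offset + length] = b"\x00" * length
    return bytes(buf)


def demo():
    """Carve before and after a small write lands on the first photo; return both counts."""
    image = build_sample_image()
    before = len(carve_jpegs(image))
    damaged = overwrite(image, 512, 8)    # clobbers the first photo's SOI/APP0 header
    after = len(carve_jpegs(damaged))
    return before, after


if __name__ == "__main__":
    print("recoverable photos before/after an 8-byte write:", demo())
```

Eight bytes written in the wrong place are enough to make one of the two photos unrecoverable by signature, which is the practical argument for imaging the disk before doing anything else on it.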

Bottom line

The .wallet crypto virus poses a critical risk to personal data, so the security focus should be on prevention. Some basic precautions go a long way: do not open email attachments from unknown senders, keep the operating system and antivirus software updated, and never expose RDP directly to the Internet. Above all, keep regular backups on media the infected machine cannot reach, such as a disconnected drive or offline/offsite storage, and test that they restore; a backup the ransomware can also encrypt is no backup at all.


David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
