This morning a newly registered member posted the master decryption keys for the Wallet Ransomware in the BleepingComputer.com forums. This post was created at 9:13 AM EST by a member named lightsentinelone in the Dharma Ransomware Support Topic and contained a Pastebin link.

BleepingComputer.com post about Wallet Keys being Released

This Pastebin post contains a C header file that includes 198 decryption keys that have been confirmed to be valid and have been used by security researchers to create a Wallet Ransomware decryptor.

This ransomware is fairly widespread, as you can see in the heat map below, so you can imagine that with the release of this decryptor, many victims have happily posted that it has recovered their files.

Dharma Heat Map. Source: https://id-ransomware.malwarehunterteam.com/

With this said, if you ever get infected with ransomware and have no intention of paying, always be sure to store your encrypted files in a safe place in the event a decryptor is released in the future.

If anyone needs help using this decryptor or runs into a problem, please let us know in the dedicated Dharma Ransomware Help & Support Topic.

Update 5/19/17: Kaspersky has also released an updated RakhniDecryptor that can decrypt Wallet ransomware encrypted files.

Why did the Wallet Ransomware Developers Release The Decryption Keys?

The Crysis family of ransomware, which Wallet is part of, has made it a habit of releasing the master decryption keys for previous variants when it switches to a new extension. For example, on November 14, 2016, the Crysis master decryption keys were released on BC; on March 1, 2017, the Dharma keys were released on BC; and today the Wallet keys have been released.

As this ransomware family recently switched to using the .onion extension, it is not surprising that we are seeing the keys for the previous version released.

While this shows a pattern in the ransomware developers' behavior, it does not explain why they are releasing the keys. It could be that they do it out of goodwill, and because by this point anyone who was going to pay the ransom would already have paid. Therefore, releasing the keys does not hurt their bottom line and only makes them look better to those who were affected.

Hopefully this behavior will be emulated by other ransomware developers who may be willing to release keys for older versions that they will no longer generate revenue from.

How to Decrypt Wallet, and maybe Onion, Encrypted Files Using the Avast Decryption Tool for Crysis

Update 5/20/17: It looks like the released master decryption keys also decrypt the files of some victims infected with the .onion variant. Therefore, if you have encrypted files that carry the .onion extension, you should try this decryptor, as it may work on your files.

Victims of the Wallet ransomware can be identified by their files being encrypted and renamed to the format [filename].[email].wallet. For example, a recent variant would rename and encrypt a file named test.jpg as test.jpg.[destroed_total@aol.com].wallet.

You can see an example of a folder of encrypted files below:

Wallet Encrypted Files

I have also included a full list of email addresses, thanks to Michael Gillespie of ID-Ransomware, at the end of this article.

To decrypt files encrypted by the Wallet ransomware, you need to first download Avast's Crysis Decryptor from here: http://files.avast.com/files/decryptor/avast_decryptor_crysis.exe.

Once downloaded, double-click on the program and the main screen will be displayed.

Avast Decryption Tool for Crysis

Before starting, you need to make sure that you are using version 1.0.103.0, which supports the keys released today for the Wallet ransomware. To check the version of the decryption tool, you can look in the title bar of the program as seen in the image above. If you are using the correct version, click on the Next button to continue.

You will now be at a screen asking you to add any drives that you wish to scan for encrypted files and to decrypt.

Select Drives Screen

At the above screen add any drives that may not be already selected and then click on the Next button.

You will now be at a screen where you can select various options as to how the decryptor will function.

Decryption Options Screen

Leave both options checked and click on the Decrypt button to begin decrypting your files. As you will be running the decryptor as an Administrator, you will receive a UAC prompt asking if you would like to continue. It is safe to click Yes at this prompt.

The decryptor will begin scanning the selected drives and will decrypt any encrypted files that are detected.

Decrypting Files

This process can take quite a long time, so please be patient while it scans your computer and decrypts the files. To give you an idea of how long it may take, my test computer has very few files on it and it still took over 30 minutes. For a computer that has many files, especially large ones, the process will take much longer.

When finished, the decryptor will display a summary page showing how many files have been decrypted.

Decryption Complete

Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted Wallet files into one folder so you can delete or archive them.

You can now close the decryptor and use your computer as normal. If you need help using this decryptor, please ask in our Dharma Ransomware Help & Support Topic.
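For readers triaging a machine before or after running the decryptor, here is an added Python example (not code from the article, Avast, or CryptoSearch) that recognizes the [filename].[email].wallet naming pattern described above, tallies encrypted files per attacker email, and moves the encrypted originals into an archive folder, the step the article uses CryptoSearch for. The sample file tree and the second email address are constructed for the demo.

```python
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Wallet renames victims' files to [filename].[email].wallet, e.g.
# test.jpg.[destroed_total@aol.com].wallet (format described in the article).
WALLET_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\[\]]+@[^\[\]]+)\]\.wallet$", re.IGNORECASE)


def parse_wallet_name(name):
    """Return (original_filename, attacker_email), or None if the name is not Wallet-encrypted."""
    m = WALLET_RE.match(name)
    return (m.group("original"), m.group("email")) if m else None


def find_wallet_files(root):
    """Walk root recursively and return every file whose name matches the Wallet pattern."""
    return [p for p in Path(root).rglob("*") if p.is_file() and parse_wallet_name(p.name)]


def tally_emails(paths):
    """Count encrypted files per attacker email; more than one email hints at repeated infections."""
    return Counter(parse_wallet_name(p.name)[1] for p in paths)


def archive_wallet_files(root, archive_dir, dry_run=True):
    """Move encrypted originals under archive_dir, preserving relative paths. Returns (src, dst) pairs."""
    root, archive_dir = Path(root), Path(archive_dir)
    moves = []
    for src in find_wallet_files(root):
        dst = archive_dir / src.relative_to(root)
        moves.append((src, dst))
        if not dry_run:  # default is a dry run so nothing moves until the decryption is verified
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
    return moves


def demo():
    """Build a constructed victim tree in a temp dir and run the whole triage end to end."""
    tmp = Path(tempfile.mkdtemp())
    victim, archive = tmp / "victim", tmp / "archive"
    (victim / "Documents").mkdir(parents=True)
    for name in ("test.jpg.[destroed_total@aol.com].wallet",            # email from the article
                 "Documents/report.docx.[destroed_total@aol.com].wallet",
                 "Documents/budget.xlsx.[other@example.com].wallet",    # constructed second email
                 "test.jpg"):                                           # already-decrypted copy
        (victim / name).write_bytes(b"\x00constructed sample\x00")
    counts = tally_emails(find_wallet_files(victim))
    moved = archive_wallet_files(victim, archive, dry_run=False)
    remaining = sorted(p.name for p in victim.rglob("*") if p.is_file())
    return counts, len(moved), remaining
```

Run archive_wallet_files with the default dry_run=True first and inspect the returned pairs; only move files once you have confirmed the decrypted copies open correctly.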

Known Wallet Email Addresses: