- Jul 22, 2014
A new CryptoMix, or CryptFile2, variant was released that now uses the .[payment_email].ID[VICTIM_16_CHAR_ID].WALLET extension for encrypted files. This is very annoying, as it makes it more difficult for victims to identify which ransomware they are infected with when they perform web searches, because the .WALLET extension has already been used by Dharma/Crysis and Sanctions, and now by CryptoMix as well. The payment email addresses currently in use are shield0@usa.com, admin@hoist.desi, and crysis@life.com.
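Because the name layout above carries both the payment email and a victim ID, it is enough to tell this variant apart from the other families that use .WALLET by filename alone. The following Python is an added example (not code from the article): it parses that layout and tallies hits per payment email; it assumes the 16-character ID is alphanumeric, and the sample file names are constructed.

```python
import re
from collections import Counter
from typing import Optional, NamedTuple

# Encrypted-file layout described for the CryptoMix "Wallet" variant:
#   <original name>.[payment_email].ID[VICTIM_16_CHAR_ID].WALLET
# Assumption (not stated in the write-up): the 16-character ID is alphanumeric.
WALLET_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.ID\[(?P<victim_id>[A-Za-z0-9]{16})\]"
    r"\.WALLET$",
    re.IGNORECASE,
)

class WalletMatch(NamedTuple):
    original_name: str
    payment_email: str
    victim_id: str

def parse_wallet_name(filename: str) -> Optional[WalletMatch]:
    """Return the parsed fields if the name follows the CryptoMix Wallet layout,
    else None. A bare .WALLET suffix without the [email].ID[...] fields is not a
    match, so files from other families that use .WALLET are not misattributed."""
    m = WALLET_RE.match(filename)
    if not m:
        return None
    return WalletMatch(m.group("original"), m.group("email").lower(), m.group("victim_id"))

def triage(filenames):
    """Tally CryptoMix Wallet hits per payment email and collect the victim IDs
    seen, which is what responders need before asking for help with a sample."""
    per_email = Counter()
    victim_ids = set()
    for name in filenames:
        hit = parse_wallet_name(name)
        if hit:
            per_email[hit.payment_email] += 1
            victim_ids.add(hit.victim_id)
    return per_email, victim_ids

# Constructed directory listing for the demo; not from a real infection.
SAMPLE = [
    "budget.xlsx.[shield0@usa.com].ID[0123456789ABCDEF].WALLET",
    "photo.jpg.[shield0@usa.com].ID[0123456789ABCDEF].WALLET",
    "notes.txt.[admin@hoist.desi].ID[FEDCBA9876543210].WALLET",
    "report.docx.id-ABCDEF12.[crysis@life.com].wallet",  # other .WALLET layout
    "readme.txt",
]
```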
This variant was discovered by independent security researcher R0bert R0senb0rg and later identified as CryptoMix by MalwareHunterTeam. I decided to take a look at the sample and take a deeper dive to see what has changed since the previous Revenge variant was released.
Unfortunately, at this time there is no way to decrypt files encrypted by this Wallet variant for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic.
As a note, in this article I will be referring to this infection as the Wallet Ransomware, as that will most likely be how victims search for it. It is important to remember, though, that this ransomware is not a brand new infection, but rather just a new version of the CryptoMix ransomware family.
How the Wallet Ransomware Encrypts a Victim's Files
....
Note: Wallet will also scan unmapped network shares for files to encrypt. Therefore, be sure to lock down your network by securing network shares so only those that need to can write to the shares.
...