Table of Contents
Over the past few weeks, numerous computer users have been reporting ransomware attacks where files are encrypted and appended with the .wallet extension.
The concatenation of certain strings to filenames is one of the most explicit symptoms of a crypto ransomware compromise. This tactic is used to flag data entries that the troublemaking software holds hostage. Although this is an annoying encounter, it’s merely a concomitant effect. The inaccessibility of one’s personal information poses a much more serious predicament. Nonetheless, these extensions are like fingerprints and can shed light on the specific ransomware sample a user is confronted with. By knowing the strain, it may be possible to find a data restoration workaround. The .wallet extension, for instance, denotes the so-called Dharma ransomware family. Having encoded a victim’s files, this offending code variant adds the .[email_address].wallet string to each one. For instance, a document named Manual.pdf will assume a shape like Manual.pdf.[[email protected]].wallet.
There are several other extensions in Dharma’s arsenal, including .zzzzz and .dharma proper. The .wallet suffix, however, is the most widespread one at this point. The list of email addresses prepended to this extension is fairly broad as well. It includes [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], and [email protected]. The explanation of this is simple: there are multiple concurrent campaigns of Dharma ransomware distribution. Therefore, different cybercriminal groups indicate their contact details right in the crooked filenames. Keep in mind that no matter how illegal this business model is, it poses a huge darknet economy with its own affiliates, merchants, intermediaries and other interested parties.
The payload of the .wallet file virus mostly camouflages itself as an eye-catching email attachment, such as an invoice, job offer, banking fraud alert or ISP complaint. In other words, the fraudsters try to social-engineer users into opening the rogue email attachments. As soon as a targeted person opens one of these attached documents, the built-in JavaScript or VBA script instantly sets off the infection chain. Then, the ransomware determines what is to be encrypted on the computer’s hard disk and network shares. To this end, it scans all of these directories for popular formats of data.
The email address included in the affixed file attachments isn’t the only way to find out how to reach the adversary. The .wallet ransomware reiterates this information in the Readme.txt ransom notes, which are implanted into every folder with encrypted data. A copy will appear on the desktop as well. These notes with the decryption walkthrough are rather concise, only telling the victim that they got attacked and providing the email address to contact the hackers. Despite the fact that users can negotiate the size of the ransom, it normally won’t be lower than 1 Bitcoin. Instead of paying up and supporting the online extortion frenzy, first try the methods highlighted below.
Automatic removal of the .wallet file virus
When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the adware gets found and eradicated from the affected computer.
1. Download and install the cleaning tool and click the Start Computer Scan button Download Dharma removal tool
2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get Dharma automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.
Recover .wallet files ciphered by the Dharma ransomware
Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.
Option 1: BackupsThe cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.
Option 2: Recovery toolsThe research of Dharma virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.
Option 3: Shadow CopiesThe Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which performs files or volumes backup routine automatically. One critical prerequisite in this regard is to have the System Restore feature toggled on. In case it has been active, some data segments can be successfully recovered.
You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.
-
Previous Versions feature
Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
-
Shadow Explorer applet
It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.
Did the problem go away? Check and see
Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.