You can check the latest ransomware information.
[ Wallet Ransomware ]
[Virus/Malware Activity Reported: Wallet Ransomware]
We are aware of a security breach suspected to be a form of Wallet ransomware.
We would like to provide the following information and warning regarding the situation.
Wallet ransomware
The ransomware is called Wallet, and it appears to rename all files to the form filename.extension.[xmen_xmen@aol.com].wallet.
How it works
File version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in Windows properties]
Ransomware behavior characteristics
The Wallet malware is a ransomware developed in C++. Its internal code is obfuscated to make analysis difficult. Upon initial execution, the program copies its executable file to the system folder, then re-executes the copied file and terminates the original process. After completing this process, it registers itself in the Windows startup registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run), ensuring that the ransomware infection note continues to run even after a system reboot.

[Figure 3: Copied executable file and startup program registration registry]
Infection results
After encryption is complete, a guide file is created in the system32 folder with the name mshta.exe, and each encrypted file is changed to <filename.extension.[xmen_xmen@aol.com].wallet>.



[Figure 4 Infection Results]
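The renaming pattern described above can be used to scope an infection. The following is an added example, not part of the original advisory or of White Defender: it walks a directory tree, recognizes names of the form filename.extension.[address].wallet, and summarizes what was hit. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# <filename.extension>.[<contact address>].wallet, the pattern given in the advisory.
WALLET_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\]\.wallet$", re.IGNORECASE)

def parse_wallet_name(name):
    """Return (original_name, contact_address) for a renamed file, else None."""
    m = WALLET_RE.match(name)
    return (m.group("original"), m.group("contact").lower()) if m else None

def triage(root):
    """Walk root and summarize files that carry the Wallet naming pattern."""
    report = {"encrypted": 0, "untouched": 0, "contacts": Counter(),
              "extensions": Counter(), "dirs": Counter(), "first_seen": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parsed = parse_wallet_name(name)
            if parsed is None:
                report["untouched"] += 1
                continue
            original, contact = parsed
            report["encrypted"] += 1
            report["contacts"][contact] += 1
            report["extensions"][os.path.splitext(original)[1].lower()] += 1
            report["dirs"][dirpath] += 1
            # Earliest mtime is only a rough hint of when renaming began
            # (assumption: timestamps were not reset afterwards).
            mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            if report["first_seen"] is None or mtime < report["first_seen"]:
                report["first_seen"] = mtime
    return report

def build_sample_tree(root):
    """Constructed sample data: empty files, three of them named like the pattern."""
    names = ["docs/report.docx.[xmen_xmen@aol.com].wallet",
             "docs/budget.xlsx.[xmen_xmen@aol.com].wallet",
             "pics/photo.jpg.[XMEN_XMEN@aol.com].WALLET",
             "docs/notes.txt",
             "docs/wallet.dat",              # no [address] part: not a match
             "pics/archive.[draft].wallet"]  # bracket is not an address: not a match
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = triage(tmp)
        print(r["encrypted"], r["untouched"], dict(r["contacts"]), dict(r["extensions"]))
```

Run against a mounted copy of an affected volume, `triage()` gives the number of renamed files per directory and per original extension, which helps decide what to restore from backup first.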
White Defender response
White Defender blocks the ransomware's malicious actions, and it also supports real-time automatic restoration of files that were encrypted before the block.


[Figure 5 White Defender Response]
Watch the Wallet Blocking Video
