Decrypt .wallet files and remove BTCWare ransomware


The .wallet file extension has been trending in cybercriminal circles for months. Crooks are fond of assigning their perpetrating code to smear encoded data using that string. The motivation is quite clear: extortion is all about money. Cryptocurrency, Bitcoin wallets – the logical trail leads to the extension under scrutiny. Several different ransomware strains are currently using this token to label what’s being held hostage. These include BTCWare, CrySiS/Dharma, CryptoMix, and the less widespread blackmail virus called Sanctions. Most recently, the culprit that got on the .wallet extension train is the above-mentioned BTCWare infection.

.wallet files encrypted by ransomware

This dangerous program leverages the following format of the file tail: .[attacker’s email]-id-[victim ID].wallet. In the upshot, a sample item named Lighthouse.jpg will assume a look similar to Lighthouse.jpg.[]-id-A4.wallet. Some other contact emails used by different extortionist groups include,,,,,, and These details in square brackets are an outright clue regarding the plagued person’s further action. The victim is instructed to send a message to the address indicated in the extension and include their personal ID in it. The threat actors will then get back to the user with concise steps on how big the ransom is and how to pay it.

BTCWare .wallet variant displays this HTA ransom note

The file extension itself isn’t the only way that the BTCWare ransom Trojan lets its preys know what’s going on and how to sort things out. It additionally drops files called ransom notes onto the contaminated machine. Their names may vary depending on the specific ransomware distribution campaign. The recent variants include “! FILES ENCRYPTED.txt” or “! How Decrypt Files.txt”. In addition to that, the blackmail malware invokes a command to run an HTA file that’s effectively an application and looks more user-friendly, or victim-friendly, to be accurate.

The way the .wallet ransomware infects computers depends on the criminal affiliate campaign behind a specific instance. The most common method revolves around malspam (malicious spam) spewed by a botnet, where targeted users unknowingly trigger the toxic payload by opening a trojanized email attachment. Another possible entry point is via RDP – online felons have been heavily abusing remote desktop services lately. In this scenario, the black hats literally hack a PC by guessing or brute-forcing RDP credentials. Yet another propagation vector involves exploit kits, in which case people get infected after visiting a compromised website.

Unfortunately, there is no 100% effective way to regain access to ransomed files at the time of this writing, although crypto masterminds have been busy trying to create a free decryptor. Under the circumstances, it’s recommended to try the alternative techniques below that are specially crafted for tackling ransomware scenarios.

.Wallet ransomware removal

As counterintuitive as it is, removal of this particular threat is not too complicated unlike the cleanup scenarios for screen lockers, which represent another group of ransomware infections on the loose. The main challenge in regards to BTCWare/.wallet ransomware is getting personal files back without having to do what the extortionists want. Basically, this means you can get rid of the malady using efficient security software without much of a hindrance, but options for recovering the encrypted data are a matter of a separate discussion, which we will touch upon in this guide as well.

Let’s now outline a rather easy and perfectly effective way of ransomware removal from a contaminated computer. Please follow the directions below step by step:

  1. Download and install HitmanPro.Alert
  2. Supports: Windows XP, Vista, 7, 8, 8.1, 10
  3. Open the program, click on the Scan computer button and wait for the scan to be completed
  4. When HitmanPro.Alert comes up with the scan report, make sure the Delete option is selected next to the ransomware entry and other threats on the list, and get the infections eliminated by clicking on the Next button

Now you’ve got both some good and bad news. On the one hand, the .wallet ransomware is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since elimination of the malware proper does not undo its previous misdemeanors. In the next section of this guide we will highlight methods that may help you restore your data.

Recover .wallet files using Shadow Copies

As it has been mentioned above, despite successful removal of the .wallet virus, the compromised files remain encrypted with the AES algorithm. While it does not appear possible to obtain the key for decryption in this case even with brute-forcing, you can try to restore previous versions of these files either using the native Windows functionality or the application called Shadow Explorer. Please note that this method is only applicable in case you have System Restore enabled on your PC, and the versions of the files that you can recover this way may not be the most recent. It’s definitely worth a try, though.

Getting your files back using Previous Versions functionality


Windows provides a feature where you can right-click on an arbitrary file, select Properties and choose the tab called Previous Versions. Having done that for a particular file, you will view all versions of it that were previously backed up and stored by the so-called Volume Shadow Copy Service (VSS). The tab also provides the history of these backups by date.
In order to restore the needed version of the file, click on the Copy button and then select the location to which this file is to be restored. In case you would like to replace the existing file with its restored version, click the Restore button instead. Conveniently enough, you can have whole folders restored the same way.

Restoring encrypted data with Shadow Explorer utility


Besides the built-in Windows functionality highlighted above, you can use an application that will restore previous version of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it will display all of your drives as well as a list of dates when Shadow Copies were generated. Simply pick the desired drive and date for restoration, as shown on the following screenshot:
Right-click on the directory you wish to restore and choose Export in the context menu. This will be followed by a request to indicate where you would like to restore the information to.

Use automatic recovery software

It might sound surprising, but some ransomware strains do not encrypt one’s actual files. They delete them. What does get encrypted is the copies. This brings us to the point where a specific type of software can be used for dragging the original data out of memory, where it ended up after the erasure. Efficient recovery tools can work wonders in these ransomware scenarios.

Download and install Paretologic Data Recovery Pro to give this restoration vector a shot. By running a computer scan with Data Recovery Pro, you will get a list of all recoverable files and be able to reinstate them to their original location or another path of choice.

Bottom line

The .wallet crypto virus poses a critical risk to one’s personal information therefore the focus security-wise should be made on prevention. In this context, some basic precautions can do the trick: refrain from opening email attachments from unknown senders and schedule regular antivirus software updates. Furthermore, performing data backups is a remarkable habit that will help evade the adverse aftermath of this attack.


Please enter your comment!
Please enter your name here