Ready to Start Your Career?

Dharma Ransomware Virus: The .wallet Extension

David Balaban's profile image

By: David Balaban

March 5, 2017


In late 2016, threat actors behind the CrySiS ransomware decided to give up their campaign for some reason. They made the master decryption keys public so that everybody infected could get their data back. It seemed at that point that the group of crooks gave up the nasty extortion business. However, this anticipation never materialized. The same felons launched another campaign shortly. The file-scrambling successor called Dharma ( started infecting Windows computers on a large scale.

While using the same perpetrating code, this pest manifests itself differently. Having locked down one’s important data entries, its latest edition appends the .wallet string to filenames. This suffix is preceded by the attackers’ email address in square brackets. For instance, a Word file called Test.docx will look like this: Test.docx.[].wallet. The email address in this pattern will vary depending on the sub-campaign run by the cyber criminals. Some of the widespread ones include,, and

The .wallet file virus reaches PCs via spam. The ne’er-do-wells in charge are leveraging a botnet to generate big volumes of rogue emails that impersonate Internet service providers, government organizations, e-commerce companies or business partners. The files attached to these messages contain a stealth VBS script that fires the ransomware payload as soon as the recipient opens the attachment.

After contaminating a system, Dharma scans the hard disk and network drive for popular data types. Then, it will encrypt everything that was detected. To unencrypt these files, a victim is told to follow instructions in Readme.txt document that the ransomware leaves on the desktop. In the long run, the infected user is supposed to shoot an email to the appropriate address and get detailed recovery steps in response. The size of the ransom is somewhere around 1 Bitcoin or about 1,000 USD.

In order to prevent files from being encoded and appended with the .wallet extension, users should use reliable security software and never click on fishy-looking email attachments. Forensic methods of information recovery may help in these predicaments, but their efficiency depends on how deeply the virus has affected a workstation. 
Schedule Demo