Wallet Ransomware Removal Guide

When we talk about Wallet Ransomware, we can mean at least several ransomware infections that are currently known in the wild. The reason there are several programs under the same name is that the title is rather generic, and so are the programs themselves. Consequently, it is rather complicated to remove Wallet Ransomware from your computer manually because different variations of this program may drop their files in different directories. Hence, it is always a good idea to invest in a security tool that would terminate these dangerous threats for you automatically. Not to mention that your computer would be protected against other intruders, too.

According to our research, all different versions of this program are more or less based on a similar pattern. The programs come with an email address that has a randomly-generated name, and the domain is usually @india.com or @asia.com. This means that these programs were either created by the same developers or based on the same engine. The latter is more likely because during our tests we have found that our copy of Wallet Ransomware was based on the CrySIS Ransomware engine. It is rather common to use a base of a well-known infection for a number of custom programs.

Likewise, Wallet Ransomware makes use of the most common ransomware distribution method to enter target systems. It usually spreads via spam email attachments, which means that users download and install these malicious programs themselves. Of course, no one is aware of that when it happens, and users are taken by surprise when the infection ends up encrypting their files. This program uses the RSA-2048 encryption method, so it is virtually impossible to decrypt the affected data without the original decryption key. The people behind this infection expect you to pay for this key, as it is indicated in the ransom note:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail mk.liukang@aol.com or reserve – Mkliukang@india.com

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

It is highly unfortunate that quite a few users end up paying for this decryption tool that might not even work. What’s more, no public decryption tool is available at the moment, so the best way to restore your files is to rely on a system backup, assuming you have one. Users often keep a lot of their files in their inbox without realizing it. Also, perhaps you have an external hard drive with most of your files. You can copy and paste all of your files back once Wallet Ransomware is removed from your system for good. It is not a good idea to transfer healthy files while the ransomware is still there in your system because the encryption may occur again.

You can follow the removal instructions below to get rid of Wallet Ransomware, but please remember that the .exe file might have a random name, and it could be placed in various directories across your system. Thus, if you want to ensure that the removal is complete, do not hesitate to invest in a licensed antispyware tool.

How to Remove Wallet Ransomware

1. Press Win+R and type %AppData%. Click OK.
2. Go to Microsoft\Windows\Start Menu\Programs\Startup.
3. Delete an EXE file with a random filename.
4. Press Win+R and type %WINDIR%. Click OK.
5. Open the Syswow64 folder and delete the same EXE file.
6. Go the System32 folder in the same directory.
7. Delete the EXE file with the random name. Press Win+R again.
8. Go to HKEY_CURRENT_USER\Control Panel\Desktop.
9. On the right-pane, right-click the Wallpaper value and edit it. Click OK.
10. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers.
11. On the right side, right-click the BackgroundHistoryPath0 value. Modify it and click OK.
12. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
13. On the right-side, right-click and modify the following values:
    %WINDIR%\Syswow64\[random name].exe
    %WINDIR%\System32\[random name].exe