CrySiS Reborn, Not Decryptable: [].wallet


Break-fix call on a CrySiS Ransomware infection.  It’s actually not CrySiS, but a fork of it, which is not decryptable at this time.  CrySiS shut down its operation a month or so ago and dumped the master encryption key so victims could decrypt their files.  Not so much with this variant.

After infection, it drops a JPEG file in the user’s folder C:UsersVictimINFORMATION HOoW TO DECRYYPT FILES.jpg.

It encrypts files and renames them with .[].wallet


It drops a file on the desktop named STOPPER.txt:

All your filess are encrypted!
To decrypt your files, please contact us by

The method of infection was from unauthorized access (brute-force) RDP connection.

It also drops AnonCrpt.exe on the desktop, 274KB file size;  A quick analysis from VirusTotal shows the results below:

VirusTotal detection results from AnonCrpt.exe

As mentioned earlier, there is not a way to decrypt this currently.

Stay safe.