.INFOWAIT Files Virus – How to Remove It and Restore Files
Threat Summary
Name | .INFOWAIT Files Virus |
Type | Ransomware, Cryptovirus |
Short Description | Encrypts files on your PC and then demands a ransom to make them usable again. |
Symptoms | .INFOWAIT ransomware encrypts your files with AES and RSA ciphers, then appends the .INFOWAIT extension and drops the !readme.txt ransom note. |
Distribution Method | Spam Emails, Email Attachments, Executable files |
Detection Tool | See If Your System Has Been Affected by .INFOWAIT Files Virus |
User Experience | Join Our Forum to Discuss .INFOWAIT Files Virus. |
Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether you have reformatted your drive. |
.INFOWAIT Ransomware – Infection Methods
The .INFOWAIT variant of STOP ransomware may spread via several methods. One of them is a dropper that executes a malicious script distributed online, which is likely how researchers first came across it. If this script or file lands on your PC via a web link or a malicious redirect, chances are your PC becomes infected immediately.
In addition, the .INFOWAIT version of STOP ransomware may also be spreading via malicious e-mails. These e-mails are often crafted to look as if they come from well-known companies, such as PayPal, eBay or Amazon. The virus is carried as a malicious e-mail attachment whose main goal is to trick victims into believing it is an important document, such as an invoice, a receipt or a letter from their bank.
.INFOWAIT Files Virus – More Information
As soon as the .INFOWAIT ransomware virus has infected your computer, it may immediately drop its payload files. They may be located in the following Windows directories:
- %AppData%
- %Local%
- %LocalLow%
- %Roaming%
- %Temp%
In addition, the .INFOWAIT files virus may also create various registry entries in Windows, the main purpose of which is to run the payload automatically. The keys targeted in the Windows Registry for this purpose are usually the following:
→ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop
In addition, the .INFOWAIT ransomware also drops a ransom note, called !readme.txt, on the victimized computer to let victims know what is going on:
Text from Image:
Your databases, files, photos, documents and other important files are encrypted and have the extension: .INFOWAIT
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail BM-2chnzj9ovn5qu2MnNMK4j3quuXBKo4h©bitmessage.ch send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $290 if you contact us first 72 hours.
E-mail address to contact us:
BM-2chnzj9ovn5qu2MerK4j3quuXBKo4h©bitmessage.ch
Reserve e-mail address to contact us:
savefiles©india.com
Your personal id: {ID HERE}
But this is not all. The .INFOWAIT files virus may also delete the shadow copies and backed-up files on your PC, with the result that you may be unable to restore files via Windows Backup. The virus may do this by executing the following commands in the Windows Command Prompt:
→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet
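The command sequence above (stopping protective services, disabling Windows recovery with bcdedit, and deleting shadow copies with vssadmin) is a pattern a defender can look for in process-creation telemetry before files start changing. The following is an added example, not code from the article or from any product it mentions: it runs a small set of detection rules derived from that command list over constructed sample events, then flags any parent process that triggers more than one distinct rule, since one shadow-copy deletion may be an administrator's doing but the same parent also editing the boot configuration and stopping Windows Defender is the ransomware pattern. The log format, the path `dropper.exe`, and the timestamps are made up; the service name VVS is matched exactly as printed in the article, and VSS (the real Volume Shadow Copy service name) is added on the assumption that it is what was meant.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). Each line is
# "timestamp|parent_image|command_line", the shape an EDR or Sysmon Event ID 1
# export might be flattened to. The parent path and file names are made up.
SAMPLE_LOG = """\
2023-01-01T10:00:01|C:\\Users\\v\\AppData\\Local\\Temp\\dropper.exe|cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet
2023-01-01T10:00:02|C:\\Users\\v\\AppData\\Local\\Temp\\dropper.exe|cmd.exe /C bcdedit /set {default} recoveryenabled No
2023-01-01T10:00:03|C:\\Users\\v\\AppData\\Local\\Temp\\dropper.exe|cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2023-01-01T10:00:04|C:\\Users\\v\\AppData\\Local\\Temp\\dropper.exe|sc stop WinDefend
2023-01-01T10:00:05|C:\\Windows\\explorer.exe|vssadmin.exe List Shadows
2023-01-01T10:00:06|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\v\\Desktop\\notes.txt
"""

# Detection rules derived from the command list in the article. "vvs" is kept as
# printed there; "vss" is assumed to be the intended Volume Shadow Copy service.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "sc_stop_protective_service": re.compile(
        r"\bsc(\.exe)?\s+stop\s+(vvs|vss|wscsvc|windefend|wuauserv|bits|ersvc|wersvc)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    parent_image: str
    rule: str
    command_line: str


def parse_line(line):
    """Split one 'timestamp|parent|command' record; return None for malformed lines."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    return tuple(p.strip() for p in parts)


def match_rules(command_line):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def scan(log_text):
    """Run all rules over every record and return one Finding per (record, rule) hit."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, parent, cmd = parsed
        for rule in match_rules(cmd):
            findings.append(Finding(ts, parent, rule, cmd))
    return findings


def rules_by_parent(findings):
    """Map each parent image to the set of distinct rules it triggered."""
    seen = defaultdict(set)
    for f in findings:
        seen[f.parent_image].add(f.rule)
    return dict(seen)


def high_confidence_parents(findings, threshold=2):
    """Parents that triggered at least `threshold` distinct rules: a single
    shadow-copy deletion may be legitimate maintenance, but one parent that also
    disables recovery and stops Defender matches the pattern described above."""
    return sorted(parent for parent, rules in rules_by_parent(findings).items()
                  if len(rules) >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.rule:30} {f.parent_image}")
    print("high-confidence parents:", high_confidence_parents(hits))
```

The `List Shadows` event is deliberately left unflagged: the rule keys on the `Delete Shadows` verb, so routine enumeration of shadow copies does not produce noise. In a real deployment the same regexes would be applied to the command-line field of Sysmon Event ID 1 or Windows Security Event ID 4688 records rather than to this pipe-separated sample.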
.INFOWAIT Ransomware – Encryption Process
To encrypt files on your computer, the virus uses the AES and RSA (1024-bit) encryption algorithms in combination. This makes decryption very difficult unless the master decryption keys are known (for instance, if the crooks left them behind) or there is a bug in the ransomware's implementation.
Before encrypting, the .INFOWAIT ransomware virus may first locate the most commonly used file types: documents, images, videos, backed-up files, banking documents and others.
The .INFOWAIT files virus may scan for the files based on their file extensions, for example:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
After this is done, the virus encrypts the files so that they are no longer usable and renames them with the .INFOWAIT extension appended to the original file name.
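When responding to an infection, the first practical step is an inventory: which files carry the appended extension, what they originally were, and where the ransom notes were dropped, so that recovery effort goes to the most valuable data first. The following is an added example, not code from the article or from any tool it mentions; it works over a constructed directory listing so it runs offline, strips the .INFOWAIT extension to recover each original name, classifies it using a subset of the extension categories listed above, and collects the directories that received a !readme.txt note. All paths and file names in the sample listing are made up.

```python
import ntpath
from collections import Counter

RANSOM_NOTE = "!readme.txt"     # note file name from the article
ENCRYPTED_EXT = ".INFOWAIT"     # extension appended to encrypted files

# A representative subset of the extension groups from the article's list.
CATEGORIES = {
    "documents": {".doc", ".docx", ".odt", ".rtf", ".txt", ".pdf",
                  ".xls", ".xlsx", ".ppt", ".pptx", ".csv"},
    "images": {".png", ".psd", ".tif", ".tiff", ".bmp", ".gif", ".jpg"},
    "databases": {".accdb", ".db", ".dbf", ".mdb", ".sql"},
    "archives": {".7z", ".rar", ".zip", ".tar.gz", ".gz"},
    "audio_video": {".mp3", ".wav", ".mp4", ".avi", ".mov", ".wmv"},
}

# Constructed listing of a victim profile after infection (not a real capture).
SAMPLE_LISTING = [
    r"C:\Users\v\Documents\invoice.docx.INFOWAIT",
    r"C:\Users\v\Documents\!readme.txt",
    r"C:\Users\v\Pictures\holiday.jpg.INFOWAIT",
    r"C:\Users\v\Pictures\!readme.txt",
    r"C:\Users\v\Work\customers.mdb.INFOWAIT",
    r"C:\Users\v\Work\backup.tar.gz.INFOWAIT",
    r"C:\Users\v\Work\notes.txt",          # untouched file
    r"C:\Windows\System32\cmd.exe",        # untouched system file
]


def original_name(path):
    """Return the path with the appended extension removed, or None if the
    file does not carry it. The comparison is case-insensitive because the
    extension is not guaranteed to be written in one case."""
    if not path.upper().endswith(ENCRYPTED_EXT):
        return None
    return path[:-len(ENCRYPTED_EXT)]


def category_of(original):
    """Classify a recovered original file name by its extension."""
    lower = original.lower()
    for category, exts in CATEGORIES.items():
        if any(lower.endswith(ext) for ext in exts):
            return category
    return "other"


def inventory(paths):
    """Split a listing into {encrypted_path: (original_path, category)} and the
    list of ransom-note paths. ntpath is used so Windows paths parse on any OS."""
    encrypted = {}
    notes = []
    for path in paths:
        if ntpath.basename(path).lower() == RANSOM_NOTE:
            notes.append(path)
            continue
        original = original_name(path)
        if original is not None:
            encrypted[path] = (original, category_of(original))
    return encrypted, notes


def summarize(encrypted):
    """Count encrypted files per category, for prioritising recovery."""
    return Counter(category for _, category in encrypted.values())


def note_directories(notes):
    """Directories that received a ransom note: a quick map of affected folders."""
    return sorted({ntpath.dirname(n) for n in notes})


if __name__ == "__main__":
    enc, notes = inventory(SAMPLE_LISTING)
    for path, (orig, cat) in enc.items():
        print(f"{cat:12} {orig}")
    print("per category:", dict(summarize(enc)))
    print("notes in:", note_directories(notes))
```

Because the recovered names are derived purely from the appended extension, this inventory is safe to run on the backed-up copy of the encrypted data recommended in the removal section; it reads nothing and writes nothing, it only organises the listing.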
Remove .INFOWAIT STOP Ransomware and Restore Files
Before removing this ransomware virus, we advise you to first back up all your data, even though it is encrypted, since you otherwise risk losing it permanently.
For the manual or automatic removal of .INFOWAIT ransomware, we suggest that you follow the removal instructions underneath this article. They have been written to help you remove this virus based on what you know about it and how much removal experience you have. Be advised that for maximum effectiveness, security researchers advise removing the .INFOWAIT ransomware virus automatically with the aid of dedicated anti-malware software. Such a tool is fit for this purpose, since it scans your PC, deletes all of the ransomware's related files and objects, and helps keep the risk of future infection on your PC to a minimum.
If you want to try to restore files encrypted by the .INFOWAIT files virus, we strongly suggest that you attempt the alternative file-recovery methods stated below. They have been put together to help you restore as many files as possible, but they come with no guarantee of working 100%.
Thanks for sharing a comprehensible threat summary of .infowait virus and straightforward steps for its removal and restoration of files. Please update about the newly introduced French101 ransomware.