
Remove IFN643 Virus and Restore .ifn643 Files


IFN643 is the name of a newly found ransomware virus. It encrypts your files and appends the .ifn643 extension to them. After the encryption process is finished, it drops a file named “IFN643_Malware_Readme”. That file contains the ransom demand, which is for 1000 US dollars to be sent to a Bitcoin address. To see how to remove this ransomware and how you can try to restore your data, read the whole article.

Threat Summary

Name: IFN643 Virus
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts your data and then shows a ransom message with instructions.
Symptoms: Your files become inaccessible. The .ifn643 extension will be appended to them after encryption.
Distribution Method: Spam Emails, Email Attachments, Executables

IFN643 Ransomware – Spread

The IFN643 ransomware could reach your computer through a few different methods. Spam email campaigns are likely among the top distributors of its payload file. Such emails are designed to make you think that the message is of great importance and that the attached file holds the details. Upon opening the attached file, your computer becomes infected with the malicious code contained inside. The payload could be launched from an executable file, much like the example from the VirusTotal website shown below. One such file is named spoolpdf.exe.

[Image: VirusTotal detections for spoolpdf.exe]

The IFN643 virus may spread in other ways as well. For instance, the makers of the ransomware might be delivering the payload file through file-sharing services and social media networks. The payload might be disguised as a useful program or file on such platforms in order to infect more users. Do not open files that originate from suspicious places, such as unknown emails and links. Before opening a file, always scan it with security software and check its size and signatures. You should also read the ransomware prevention tips thread on our forum.

IFN643 Ransomware – Description

A new ransomware cryptovirus has been found recently, and it goes by the name of IFN643. Karsten Hahn, a malware researcher at G DATA, discovered a sample of it in the wild. The ransomware can launch from a .pdb file. It encrypts your files and appends an extension of the same name to them. A ransom note appears as a lock screen.

After the IFN643 ransomware executes its payload, it could create entries in the Windows Registry to achieve persistence. Such registry entries are designed to make the virus start automatically each time the Windows operating system boots. Next, your files get encrypted, and then the ransom note is displayed on your desktop. The ransom note is in a file called IFN643_Malware_Readme.txt.

You can view the ransom note from the snippet below:

[Image: IFN643_Malware_Readme ransom note]

The ransom text reads the following:

Your most critical files have been encrypted 🙂

Send $1000 in Bitcoin to udKNOr3FVaibcNY9ygVhygNfdKIojmVA93A if you need them back.

The ransom note is short, and the price asked is 1000 US dollars. The address given for payment seems off. Do NOT even think of paying the demanded ransom. Nobody can guarantee that you will recover your files by paying. Besides, the criminals will use the money to fund a new ransomware project or other criminal activity.

Currently, a full list of the file extensions that the ransomware seeks to lock is not available, but the following ones are certainly encrypted:

.doc, .docm, .docx, .ppt, .pps, .pptx, .xls, .xlsx, .jpg, .png, .txt, .rtf, .odt, .psd

Each encrypted file will have the .ifn643 extension appended after its original name. The encryption process uses the well-known AES encryption algorithm. The ransomware has the same name as the extension it appends to locked files.
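To scope the damage on an affected machine or file share, the indicators above (the appended .ifn643 extension and the IFN643_Malware_Readme note) can be inventoried read-only. The following Python script is an added example, not part of the original article or of any vendor tool; the helper name triage and the file names in the demo are constructed, and it goes slightly beyond the text by flagging original file types that are missing from the article's partial list.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".ifn643"         # extension named in the article
NOTE_STEM = "ifn643_malware_readme"  # ransom note name from the article
# Extensions the article lists as confirmed targets.
KNOWN_TARGETS = {".doc", ".docm", ".docx", ".ppt", ".pps", ".pptx", ".xls",
                 ".xlsx", ".jpg", ".png", ".txt", ".rtf", ".odt", ".psd"}


def triage(root):
    """Walk root read-only and summarise IFN643 artefacts (hypothetical helper)."""
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_SUFFIX) and lower != ENCRYPTED_SUFFIX:
                # Strip the appended suffix to recover the original file type.
                original = name[:-len(ENCRYPTED_SUFFIX)]
                by_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
                encrypted.append(path)
            elif os.path.splitext(lower)[0] == NOTE_STEM:
                notes.append(path)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "by_original_ext": dict(by_ext),
        # Types hit on this host that the article's partial list does not cover.
        "unlisted_ext": sorted(e for e in by_ext if e not in KNOWN_TARGETS),
    }


if __name__ == "__main__":
    # Constructed sample tree so the script runs offline.
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.docx.ifn643", "Photo.JPG.IFN643", "db.sqlite.ifn643",
                     "notes.txt", "IFN643_Malware_Readme.txt"):
            open(os.path.join(root, name), "w").close()
        result = triage(root)
        print(len(result["encrypted"]), "encrypted;", len(result["notes"]), "note(s)")
        print("by type:", result["by_original_ext"])
        print("not on the article's list:", result["unlisted_ext"])
```

Run it against a mounted copy or a forensic image where possible, so that the inventory does not change timestamps on the affected disk.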

The IFN643 ransomware is highly likely to erase the Shadow Volume Copies from the Windows operating system with the following command:

vssadmin.exe delete shadows /all /Quiet
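Because deleting shadow copies removes a recovery path, the command quoted above is worth alerting on in process-creation logs. The following Python detection is an added example, not code from the original article; the event tuples, host names and timestamps are constructed, and classify and scan are hypothetical helper names.

```python
import re

# Matches the vssadmin binary with or without a path, ".exe" and quotes,
# and captures everything after it as the argument string.
VSSADMIN = re.compile(r'(?:^|[\\/\s"])vssadmin(?:\.exe)?"?\s+(?P<args>.*)$', re.I)


def classify(cmdline):
    """Return None, "delete" or "delete-all-quiet" for one command line."""
    m = VSSADMIN.search(cmdline)
    if not m:
        return None
    args = m.group("args").lower().replace('"', " ").split()
    if "delete" not in args or "shadows" not in args:
        return None
    # /all with /quiet wipes every snapshot without a prompt, as in the article.
    return "delete-all-quiet" if {"/all", "/quiet"} <= set(args) else "delete"


# Constructed process-creation records: (time, host, parent image, command line).
SAMPLE_EVENTS = [
    ("2017-01-10T09:14:02", "WS-014", "explorer.exe", "vssadmin list shadows"),
    ("2017-01-10T09:20:41", "WS-014", "spoolpdf.exe",
     "vssadmin.exe delete shadows /all /Quiet"),
    ("2017-01-10T09:20:43", "WS-022", "cmd.exe",
     r'"C:\Windows\System32\VSSADMIN.EXE" Delete Shadows /All /Quiet'),
    ("2017-01-10T09:31:00", "SRV-02", "cmd.exe",
     "vssadmin delete shadows /for=C: /oldest"),
    ("2017-01-10T09:40:12", "WS-014", "explorer.exe",
     r"notepad.exe C:\notes\vssadmin delete shadows.txt"),
]


def scan(events):
    """Return (time, host, parent, verdict) for every shadow-copy deletion."""
    hits = []
    for ts, host, parent, cmd in events:
        verdict = classify(cmd)
        if verdict:
            hits.append((ts, host, parent, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep="  ")
```

A "delete-all-quiet" verdict from a parent process that is not a backup or administration tool deserves immediate triage; a plain "delete" verdict is more often legitimate snapshot housekeeping.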

Keep on reading to see what kinds of methods you can try to possibly restore your files.

Remove IFN643 Virus and Restore .ifn643 Files

If your computer got infected with the IFN643 ransomware virus, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. For ways you can try to recover your data, see the step titled “2. Restore files encrypted by IFN643 Virus”.

Manually delete IFN643 Virus from your computer

Note! Important notice about the IFN643 Virus threat: manual removal of IFN643 Virus requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove IFN643 Virus files and objects
2. Find malicious files created by IFN643 Virus on your PC

Automatically remove IFN643 Virus by downloading an advanced anti-malware program

1. Remove IFN643 Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by IFN643 Virus
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming of a more secure cyberspace.
