.INCANTO File Virus – Removal and Recovery


The malicious file extension .INCANTO is associated with a new data locker ransomware of undetermined family. Ransomware is a type of malware that penetrates a PC to take control of the system and corrupt valuable data stored on it. It then drops a file named !!!GetBackData!!!.txt, which holds the ransom note. The message blackmails victims into paying a ransom in Bitcoin to recover .INCANTO files.

This article aims to support the .INCANTO file virus removal process and to reveal more information about its adverse impact on the infected computer.

Threat Summary

Name: .INCANTO file virus
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the infected computer. Demands ransom payoff in BitCoin. The ransom varies.
Symptoms: The files are encrypted with the .INCANTO file extension added to them. The virus drops a ransom note, named !!!GetBackData!!!.txt.
Distribution Method: Spam Emails, Email Attachments, Executable files

.INCANTO File Virus – Delivery

There are many attack vectors and techniques used for ransomware delivery. Generally, cyber criminals choose spam email messages that impersonate legitimate organizations and institutions. This technique is preferred because users are more prone to follow the instructions in such an email and download the ransomware payload onto their systems. The payload is usually hidden in an attachment (a document with embedded malicious macros, an archive file, JavaScript or a PDF) that may be named invoice, payment reference, report, etc. Once an infected file is opened on the PC, the ransomware starts to infect the system. Another frequently used distribution method is a web link that redirects to a compromised website set to download the payload automatically onto the computer and trigger the attack. Besides spam emails, such links may be posted on social media networks or used for malvertising.

.INCANTO File Virus – Overview

This new ransomware is named after the specific file extension it uses for encrypted files – .INCANTO. The threat can be triggered by an executable file that controls all subsequent stages of the infection. To carry out the attack, the .INCANTO crypto virus is believed to create or drop additional malicious files. They may be located in some of the Windows folders listed below:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %UserProfile%

Like typical ransomware, the .INCANTO virus is believed to access the Windows Registry and target the Run and RunOnce keys. To ensure its persistent presence on the computer, all it needs to do is add specific values to these registry keys. The keys enable automatic execution of the ransomware payload each time Windows starts. They can also be used at the end of the attack, when the ransom message should be noticed by the victim. The ransom note is a text file called !!!GetBackData!!! that reads as follows:

All your important files were encrypted on this PC.

All files with .INCANTO extension are encrypted.

Encryption was produced using unique private key RSA-1024 generated for this computer.

To decrypt your files, you need to obtain private key + decrypt software.

The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet.

To retrieve the private key, you need to contact us by email incantofiles@bitmessage.ch send us an email your !!!GetBackData!!!.txt file and wait for further instructions.

For you to be sure, that we can decrypt your files – you can send us a 1-2 not very big encrypted files and we will send you back it in a decrypted form free.

To send files you can use http://dropmefiles.com/

Your personal id:


E-mail address to contact us:


Reserve email address to contact us:



Contact, negotiations and payments should be restricted, as security researchers are still investigating the ransomware samples. Hopefully, they will crack its code and release a freely available decryption tool.

Further damage caused by the .INCANTO file virus is that it prevents one of the possible recovery options. It does this by accessing the Command Prompt and running the following command, which deletes all Volume Shadow Copies:

→ vssadmin.exe delete shadows /all /quiet
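
The indicators described above (Run/RunOnce values pointing into the listed folders, the shadow copy deletion command, the .INCANTO extension and the note name) can be checked together during triage. The following is an added example, not code from the article or from any vendor tool; the function names, the input shapes (autorun tuples from a registry export, command lines from process-creation logs) and all sample data are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators named in the article.
NOTE_NAME = "!!!getbackdata!!!.txt"
LOCKED_EXT = ".incanto"
# Expanded and unexpanded forms of the drop folders the article lists.
DROP_HINTS = ("\\appdata\\", "\\temp\\", "%appdata%", "%temp%", "%userprofile%")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
VSS_DELETE = re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I)

def classify_file(path):
    """Return 'ransom_note', 'encrypted' or None for a Windows path."""
    name = PureWindowsPath(path).name.lower()
    if name == NOTE_NAME:
        return "ransom_note"
    return "encrypted" if name.endswith(LOCKED_EXT) else None

def suspicious_autoruns(entries):
    """entries: (key, value_name, command) tuples from a registry export."""
    return [e for e in entries
            if RUN_KEY.search(e[0]) and any(h in e[2].lower() for h in DROP_HINTS)]

def shadow_copy_deletions(command_lines):
    """Process command lines that delete Volume Shadow Copies via vssadmin."""
    return [c for c in command_lines if VSS_DELETE.search(c)]

# Constructed sample data (not taken from a real infection).
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r"C:\Users\alice\AppData\Roaming\updater.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "readme",
     r"notepad.exe %UserProfile%\Desktop\!!!GetBackData!!!.txt"),
]
SAMPLE_COMMANDS = [
    "vssadmin.exe delete shadows /all /quiet",
    r'cmd.exe /c "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    "vssadmin list shadows",
]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.INCANTO",
    r"C:\Users\alice\Desktop\!!!GetBackData!!!.txt",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    print(suspicious_autoruns(SAMPLE_AUTORUNS))
    print(shadow_copy_deletions(SAMPLE_COMMANDS))
    print([classify_file(p) for p in SAMPLE_FILES])
```

Legitimate software also autostarts from AppData, so autorun hits are leads for review rather than verdicts; the vssadmin match is the stronger signal on a workstation.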

.INCANTO File Virus – Encryption

For encryption, the .INCANTO crypto virus is believed to use the RSA cipher algorithm, which transforms the original code of target files and makes them completely unusable. It is likely to attempt to corrupt frequently used file types such as documents, archives, databases, backups, text files, configuration files, music, photos and videos. All encrypted files receive the extension .INCANTO at the end of their names and remain unusable. They can be decrypted with the unique decryption key held by the criminals. However, it is better to first try everything you can do yourself to recover .INCANTO files. The good news is that there are alternative data recovery solutions that appear to be effective in many similar cases. Check the step “Restore files encrypted by .INCANTO Ransomware” in the guide below.


Remove .INCANTO File Virus and Restore Data

To completely get rid of the .INCANTO file virus, carefully follow the step-by-step removal instructions provided below. The data recovery step follows the ransomware removal.

Gergana Ivanova


Gergana has completed a bachelor's degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.
