.INFOWAIT Files Virus – How to Remove It and Restore Files
THREAT REMOVAL

.INFOWAIT Files Virus – How to Remove It and Restore Files

This article has been created to help explain what is the .INFOWAIT files virus and how you can remove it from your PC plus how you can restore files, encrypted by this virus.

A new variant of

STOP ransomware has been detected to infect victim PCs. The virus has the one and only goal to encrypt the files on it’s victims computers and then append the .INFOWAIT file extension to them, shortly after drop it’s extortion note, where it asks or $290 to be paid in 72 hours in cryptocurrencies. If your PC has been infected by this variant of STOP ransomware, we advise you to read this article thoroughly as it will help you to try and remove the .INFOWAIT files virus from your PC and contains more methods via which you can try and recover encrypted files.

Threat Summary

Name.INFOWAIT Files Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts files on your PC and then asks for ransom to be paid to get them to work again.
Symptoms.INFOWAIT ransomware encrypts your files via AES and RSA ciphers and then adds the .INFOWAIT extension and the !readme.txt ransom note.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .INFOWAIT Files Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .INFOWAIT Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.INFOWAIT Ransomware – Update December 2018

With decryption tool released for other

STOP Ransomware variants, we were hoping that other versions of the virus will also be decrypted. Unfortunately, the decryptor only works for the .puma, .pumax and .pumas variants of the virus. But this may mean that more versions of this virus may be decrypted soon, so if you are affected, please keep your ransom note and the encrypted files and follow social media as well as this page since we will update if a decryption tool is released.

.INFOWAIT Ransomware – Infection Methods

The .INFOWAIT variant of .STOP ransomware may spread via different methods. One of them is via a dropper which executes a malicious script that is spread online and this is how researchers may have discovered it. If this script or file lands on your PC via a web link or a malicious redirect, chances are your PC becomes infected immediately.

In addition to this, the .INFOWAIT version of STOP ransomware may also be spreading via malicious e-mails. These types of e-mails are often sent as e-mails that are from important companies, like PayPal, eBay, Amazon and others. The e-mails contain the virus as a malicious e-mail attachment, the main goal of which is to trick victims that it is an important document, like an invoice or some other type of receipt or a banking letter.

.INFOWAIT Files Virus – More Information

As soon as the .INFOWAIT ransomware virus has infected your computer, the rasnomware immediately may drop it’s payload files. They may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

In addition to this, the .INFOWAIT files virus may also create various different types of registry entries in Windows, the main idea of which is to run the payload automatically. The targeted keys in the Windows Regstry for this to happen are usually the following:

→ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop

In addition to this, the .INFOWAIT ransomware also drops the ransom note, called !readme.txt on the victmized comptuers to let victims know what is going on:

Text from Image:

Your databases, files, photos, documents and other important files are encrypted and have the extension: .INFOWAIT
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail BM-2chnzj9ovn5qu2MnNMK4j3quuXBKo4h©bitmessage.ch send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $290 if you contact us first 72 hours.
E-mail address to contact us:
BM-2chnzj9ovn5qu2MerK4j3quuXBKo4h©bitmessage.ch
Reserve e-mail address to contact us:
savefiles©india.com
Your personal id: {ID HERE}

But this is not all. The .INFOWAIT files virus may also delete the shadow copies and backed up files on your PC and the outcome of that may be that you could be unable to restore files via Windows Backup. The virus may do this by executing the folliwing commands in Windows Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.INFOWAIT Ransomware – Encryption Process

To encrypt files on your computer, the virus uses the AES and RSA 1024-bit encryption algorithms in combination. This process makes decryption very difficult, unless you know the master decryption keys if there are such left behind by the crooks or unless there is a bug in the ransomware virus.

To encrypt files, the .INFOWAIT ransomware virus may first detect the most widely used of them – documents, images, videos, backed up files, banking documents and other types of files.

The .INFOWAIT files virus may scan for the files based on their file extensions, for example:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

After this is done, the virus encrypts the files so that they become no longer useful and they begin to appear like the following:

Remove .INFOWAIT STOP Ransomware and Restore Files

Before removing this ransomware virus, we advise you to first backup all your data, even though it is encrypted, since you risk loosing it permanently.

For the manual or automatic removal of .INFOWAIT ransomware, we suggest that you follow the removal instructions underneath this article. They have been made with the main idea to help you remove this virus based on what you know about it and how much experience you have for the removal. Be advised that for maximum effectiveness, security researchers advise removing the .INFOWAIT ransomware virus automatically with the aid of specific anti-malware software. Such tool is fit for the purpose it serves, since it aims to scan your PC and delete all the ransomware’s related files and objects and make sure that the risk of infection on your PC is minimal in the future.

If you want to try and restore files, encrypted by the .INFOWAIT files virus, we strongly suggest that you attempt using the alternative methods for file recovery we have stated below. They have been created with the main idea to best assist you in restoring as many files as possible, but they come with no guarantee to work at a 100%.

Avatar

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...