Remove IFN643 Virus and Restore .ifn643 Files - How to, Technology and PC Security Forum |

Remove IFN643 Virus and Restore .ifn643 Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)


IFN643 is the name of a newly-found ransomware virus. This virus encrypts your files by placing the .ifn643 extension to them. After the encryption process is finished, it will put a file named “IFN643_Malware_Readme”. That file contains the ransom demand, which is for 1000 US dollars to be sent to a Bitcoin address. To see how to remove this ransomware and how you can try to restore your data, read the whole article.

Threat Summary

NameIFN643 Virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts your data and then shows a ransom message with instructions.
SymptomsYour files become inaccessible. The .ifn643 extension will be appended to them after encryption.
Distribution MethodSpam Emails, Email Attachments, Executables
Detection Tool See If Your System Has Been Affected by IFN643 Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss IFN643 Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

IFN643 Ransomware – Spread

The IFN643 ransomware could spread and reach your computer machine by using a few different methods. Spam email campaigns are likely among the top distributors of its payload file. E-mails which are set as spam are designed to make you think that the message you have received with the letter is of great importance and the file attached to it will bring you to some conclusion. Upon opening the attached file, your computer will become infected with the malicious code contained inside. The payload could be executed from an executable file, much like the example given below in the VirusTotal website. One such file is named spoolpdf.exe


Various ways for the spread of the infection of the IFN643 virus exist as well. For instance, the makers of the ransomware might be delivering the payload file through file-share and social media networks. That payload might be hidden as a useful program or file around such platforms for the purpose of infecting more users. You should not open files, if they originate from suspicious places, such as unknown emails and links. Before opening, you should always scan them first with security software and check their size and signatures. You should give the tips for preventing ransomware thread on our forum a read.

IFN643 Ransomware – Description

A new ransomware cryptovirus has been found recently, and it goes by the name of IFN643. The malware researcher from G-data, Karsten Hahn has discovered a malware sample in the wild. The ransomware can launch from from a .pdb file. It encrypts your files and puts an extension of the same name to them. A ransom note appears as a lock screen.

After the IFN643 ransomware executes its payload, it could make entries in the Windows Registry for being more resilient. The registry entries are designed to make this virus start automatically with the booting of the Windows operating system. Next, your files get encrypted, and then the ransom note is displayed on your desktop. The ransom note is in a file called IFN643_Malware_Readme.txt.

You can view the ransom note from the snippet below:


The ransom text reads the following:

Your most critical files have been encrypted :)

Send $1000 in Bitcoin to udKNOr3FVaibcNY9ygVhygNfdKIojmVA93A if you need them back.

The ransom note seems short – the price asked is 1000 US dollars. The address given for payment seems off. Do NOT even think of paying the demanded ransom. Nobody can guarantee that by paying you will recover your files. Besides, the criminals will use the money to fund a new ransomware project or other criminal activity.

Currently, a full list of file extensions which the ransomware seeks to lock is not available, but the few ones written below are certainly encrypted:

.doc, .docm, .docx, .ppt, .pps, .pptx, .xls, .xlsx, .jpg, .png, .txt, .rtf, .odt, .psd

Each of the encrypted files will have the .ifn643 extension appended to them, after their original names. The encryption process utilizes the well-known AES encryption algorithm. The ransomware has the same name as the extension it puts to locked files.

The IFN643 ransomware is highly likely to erase the Shadow Volume Copies from the Windows operating system with the following command:

→vssadmin.exe delete shadows /all /Quiet

Keep on reading to see what kinds of methods you can try to possibly restore your files.

Remove IFN643 Virus and Restore .ifn643 Files

If your computer got infected with the IFN643 ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by IFN643 Virus.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share