IEncrypt Ransomware

What is IEncrypt Ransomware?

IEncrypt Ransomware is a very unpredictable infection, in the sense that we cannot associate any specific email addresses, names, or even encrypted files’ extensions with it. This threat is ever-changing, and it appears to be adjusted to target specific companies. For example, in the past, we saw it taking over the files of the Krauss-Maffei company, and when files were encrypted, the “.kraussmfz” ransomware file extension was added. In the latest attack, it has targeted the CMS Nextech company, and it added the “.cmsnwned” extension to the files it corrupted. In this report, we take the latest attack as an example, but keep in mind that the infection could be modified to attack a different target entirely. Although it appears that the infection is going after big companies, we cannot guarantee that it will not attack individual Windows users too. In any situation, if you continue reading, you will learn how to secure your system, as well as how to remove IEncrypt Ransomware from your Windows operating system.

How does IEncrypt Ransomware work?

According to researchers, IEncrypt Ransomware is tailored to the target, but it appears that this infection is spread in the usual ways. Spam email attachments, malicious downloaders, and unsafe RDP configurations could be used to drop the infection successfully. Once the threat is executed, it can drop malicious files anywhere on the computer, and that is what might prevent victims from finding and removing the infection in time. Needless to say, if it is not removed right away, the infection is meant to start encrypting files. It should encrypt everything in its way; however, it should exclude system files, for example, files in the %WINDIR% directory. As mentioned already, the sample we tested most recently was targeted at the systems of CMS Nextech, a company that develops a custom-tailored maintenance and energy savings program. It is unclear why exactly the threat decided to hit this particular company, but it looks like it might be looking for any company with a vulnerable network. In this case, IEncrypt Ransomware created a point of execution while impersonating legitimate files (e.g., %WINDIR%\System32\Locator.exe, %WINDIR%\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe, or %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe). It also employed the Virtual Disk Service (%WINDIR%\System32\vds.exe).

After files were encrypted, IEncrypt Ransomware created “original_filename.cmsnwned_readme,” a text file that can be opened using Notepad. The message addresses the company by its name and informs that the “network was hacked and encrypted,” and then instructs to email or to receive more information. If you contact cyber criminals, they should provide you with instructions on how to pay a ransom in return for the corrupted files. Do not fall for this trick. If you pay the ransom, you are likely to be left hanging high and dry, and we are sure you want to avoid that, don’t you? If your company’s systems were affected, you need to call in the security experts, who might be able to help you with the restoration of files. Unfortunately, there is also a possibility that you might not be able to recover files. If you have backups, of course, that is not a big problem. Just delete IEncrypt Ransomware and the encrypted files, restore your systems’ protection, and transfer copies back onto the computers if you need that. It is most important, of course, that you delete the infection.
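Because the appended extension changes with every target, a triage check is more useful when it keys on the naming pattern than on a fixed extension. The Python sketch below is an added example, not part of the original report or any vendor tool: it takes a file listing and reports every extension for which a file sits next to a note named after it with "_readme" appended. The function name, the sample paths, the min_pairs threshold, and the assumption that each note is stored beside its encrypted file are all illustrative.

```python
import ntpath
from collections import defaultdict

NOTE_SUFFIX = "_readme"  # note name on the page: original_filename.<ext>_readme

def find_note_pairs(paths, min_pairs=2):
    """Map each suspected campaign extension to the encrypted files that
    have a matching '<file>_readme' note in the same listing.
    min_pairs is an assumed threshold that suppresses one-off coincidences."""
    # Windows paths are case-insensitive; normalise but keep original spelling.
    norm = {ntpath.normcase(p): p for p in paths}
    hits = defaultdict(list)
    for key in norm:
        if not key.endswith(NOTE_SUFFIX):
            continue
        encrypted_key = key[: -len(NOTE_SUFFIX)]
        if encrypted_key not in norm:
            continue  # a lone *_readme file is not evidence on its own
        ext = ntpath.splitext(encrypted_key)[1]
        if len(ext) < 2:
            continue  # paired file has no extension, so nothing was appended
        hits[ext].append(norm[encrypted_key])
    return {ext: sorted(files) for ext, files in hits.items()
            if len(files) >= min_pairs}

# Constructed sample listing (hypothetical paths, not taken from an incident).
SAMPLE_LISTING = [
    r"D:\Shares\Finance\q3.xlsx.cmsnwned",
    r"D:\Shares\Finance\q3.xlsx.cmsnwned_readme",
    r"D:\Shares\Finance\invoice.pdf.CMSNWNED",
    r"D:\Shares\Finance\invoice.pdf.cmsnwned_readme",
    r"D:\Shares\HR\policy.docx",
    r"D:\Tools\setup.txt",
    r"D:\Tools\setup.txt_readme",   # single benign pair, below the threshold
    r"D:\Tools\project_readme",     # no matching file, ignored
]

if __name__ == "__main__":
    for ext, files in find_note_pairs(SAMPLE_LISTING).items():
        print(f"{ext}: {len(files)} file(s) with a matching note")
        for f in files:
            print("   ", f)
```

Feeding it the output of a recursive directory listing from a file server shows which extension the current variant uses and which folders it reached, which helps scope the restore from backups.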

How to remove IEncrypt Ransomware

Deleting IEncrypt Ransomware is not an easy task because this threat impersonates legitimate files. Also, its launcher could be anywhere. If you are an expert user, check out the guide below for the basic steps that need to be completed to ensure that the threat is eliminated. If you are not experienced, and you cannot distinguish between legitimate and malicious files, we recommend implementing anti-malware software. It will easily discover and remove IEncrypt Ransomware automatically. If other threats are active, they will be eliminated too. Furthermore, you will not need to worry about the protection of your operating system. That being said, even if you secure your system, you also need to make sure that your files are backed up and that you understand how to be more careful. It is most important that you keep the system updated, do not open random emails, links, and files, and are very mindful when downloading new software.

Removal Instructions

  1. Delete the [unknown name].exe file that launched the threat.
  2. Search Windows Services for suspicious files and delete them. A few locations to check:
    • %WINDIR%
    • %WINDIR%\System32
    • %WINDIR%\Syswow64
  3. Delete all copies of the ransom note file, original_filename.cmsnwned_readme.
  4. Empty Recycle Bin.
  5. Install a reliable malware scanner.
  6. Scan your system for malware leftovers and delete them immediately if they are found.
