INFOWAIT Ransomware

What is INFOWAIT Ransomware?

INFOWAIT Ransomware is a file-encrypting infection that derives from the STOP Ransomware family. Anti-Spyware-101.com research team is familiar with this family because we have already analyzed and reported many members from it, including Guvara Ransomware, Kiratos Ransomware, and KEYPASS Ransomware. Although these infections have unique elements, for the most part, they are identical. They attack vulnerable operating systems in the same manner. They do the same things once inside. Finally, they can be deleted using the same steps. If you have found that you need to remove INFOWAIT Ransomware from your operating system, you should continue reading this report. We discuss different methods you can employ to eliminate the infection, and, most importantly, we share our tips to help you protect the operating system against the invasion of malicious threats in the future. Also, note that the comments section below is open, and you can add your questions about the threat at any point.

How does INFOWAIT Ransomware work?

It is easiest to identify INFOWAIT Ransomware by the extension it adds to the corrupted files. Of course, this extension is “.INFOWAIT,” and it is also mentioned in the message delivered using the file named “!readme.txt,” which should be created in every location affected by the infection. Before the dangerous threat encrypts files, it has to enter the operating system, and our researchers warn that this malware usually employs RDP (remote desktop protocol) vulnerabilities and spam emails to slither in without the victim’s notice. Even if you are tricked into executing the threat on your own, you are not supposed to realize what it is that you are executing. Once in, INFOWAIT Ransomware creates entries in the Windows Registry and drops malicious files in the %LOCALAPPDATA% (on Windows XP the equivalent is %USERPROFILE%\Local Settings\Application Data\) directory. If these components are not deleted in time, the threat disables the Task Manager and even causes Explorer to crash. Of course, it is most important for the threat to encrypt files, which it does using a complex encryption algorithm.

A good signal that INFOWAIT Ransomware has invaded your operating system is a random window that pops up and shows Windows updates being installed. Since Windows updates do not start randomly, this should help you get a sense that something is not right. Unfortunately, most people realize that they need to delete INFOWAIT Ransomware only after all personal files are encrypted and the !readme.txt file is created. According to the message inside, “decrypt software” must be purchased if the victim wants to have their personal files decrypted. To learn more about the payments, victims are rushed to contact cybercriminals using the savefiles@india.com email address or via Bitmessage (BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch). The ransom is $290 if the victim contacts the attackers within 72 hours. We do not recommend contacting cybercriminals or paying the ransom because that is highly unlikely to help you restore your personal files. On the contrary, by exposing yourself to cyber attackers, you could be making it much easier for them to scam you now and many times in the future. After all, as long as they can reach you via email/Bitmessage, you will be at risk.

How to remove INFOWAIT Ransomware

INFOWAIT Ransomware is a major threat that you want to remove as soon as possible, but your files being held hostage might hold you back too. Although the attackers behind this malware are holding a decryptor over your head, you do not want to give in and follow their demands because that is unlikely to get you anywhere. Save your money and, instead, invest it into something useful; for example, anti-malware software that could automatically delete INFOWAIT Ransomware and, at the same time, secure your entire operating system. You can also remove this infection manually, but only if you can locate the .exe file that launched the infection and then identify the remaining malicious files because they have random names. Of course, your personal files will not be saved regardless of the method you choose, and we hope that you have backups that you can use to replace the corrupted files with.

Removal Instructions

  1. Identify the launcher file with a random name, right-click it, and select Delete.
  2. Find every copy of the !readme.txt file, right-click it, and select Delete.
  3. Tap Win+R to access Run and then enter regedit into the box to access Registry Editor.
  4. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  5. Right-click the value named SysHelper and select Delete.
  6. Exit Registry Editor and then tap Win+E keys to access Windows Explorer.
  7. Enter %LOCALAPPDATA% into the box at the top (%USERPROFILE%\Local Settings\Application Data\ on Windows XP systems).
  8. Right-click and Delete two folders with random names, one of which contains a malicious .exe file with a random name, and the second one contains files named 2.exe, 4.exe, and updatewin.exe.
  9. Right-click and Delete the file named script.ps1.
  10. Empty Recycle Bin and then examine your system for leftovers using a legitimate malware scanner.
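As an added example (not part of the original guide), a read-only PowerShell triage script that checks a Windows host for the indicators named in the description and removal steps above: the SysHelper value in the HKCU Run key, random-named drop folders in %LOCALAPPDATA% holding 2.exe/4.exe/updatewin.exe, script.ps1, and copies of !readme.txt or files carrying the .INFOWAIT extension. It assumes script.ps1 sits directly under %LOCALAPPDATA% (as step 7 implies) and limits the file search to the current user profile; it reports findings and deletes nothing, so the manual steps above still apply.

```powershell
# Added triage script, not the article's own code. Read-only: reports INFOWAIT/STOP
# indicators listed in the removal guide, does not delete anything.
function Find-InfowaitIndicators {
    $findings = @()

    # 1. Persistence: a value named SysHelper under the per-user Run key (step 4-5)
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['SysHelper']) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Path = "$runKey\SysHelper"; Detail = $run.SysHelper }
    }

    # 2. Dropped components under %LOCALAPPDATA% (steps 7-9): a random-named folder
    #    containing 2.exe, 4.exe and updatewin.exe, and a file named script.ps1.
    #    Assumption: script.ps1 is directly under %LOCALAPPDATA%.
    $local = $env:LOCALAPPDATA
    foreach ($dir in Get-ChildItem -Path $local -Directory -ErrorAction SilentlyContinue) {
        $names = @((Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue).Name)
        $hits  = @('2.exe', '4.exe', 'updatewin.exe' | Where-Object { $names -contains $_ })
        if ($hits.Count -ge 2) {   # require at least two of the three names to limit false positives
            $findings += [pscustomobject]@{ Type = 'DropFolder'; Path = $dir.FullName; Detail = ($hits -join ',') }
        }
    }
    $ps1 = Join-Path $local 'script.ps1'
    if (Test-Path $ps1) {
        $findings += [pscustomobject]@{ Type = 'Script'; Path = $ps1; Detail = '' }
    }

    # 3. Ransom notes and encrypted files (step 2). Scope assumption: current user profile only.
    $files = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -eq '!readme.txt' -or $_.Extension -ieq '.INFOWAIT' }
    foreach ($f in $files) {
        $type = if ($f.Name -eq '!readme.txt') { 'RansomNote' } else { 'EncryptedFile' }
        $findings += [pscustomobject]@{ Type = $type; Path = $f.FullName; Detail = $f.Length }
    }

    return $findings
}

$result = Find-InfowaitIndicators
if ($result.Count -eq 0) { 'No INFOWAIT indicators found.' }
else { $result | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session on the affected account; the Run-key check is per-user, so repeat it under each profile that may have executed the launcher.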
