This week, computer security professionals has received reports of yet another ransomware named .INFOWAIT file extension ransomware. This ransomware spreads via spam emails and malware files and appends the .INFOWAIT extension to encrypted files.
The INFOWAIT ransomware is a variant of the STOP ransomware. It affects all current versions of MS Windows operating system like the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware virus uses a hybrid encryption mode to eliminate the possibility of brute force a key that will allow to decrypt encrypted photos, documents and music. The .INFOWAIT file extension ransomware encrypts almost of files, including common as:
.ltx, .t12, .db0, .xmind, .rofl, .big, .xlsb, .ai, .srw, .py, .dmp, .pem, .erf, .lrf, .wpg, .xml, .css, .rtf, .apk, .xbplate, .wb2, .mlx, .nrw, .dng, .wsd, .z3d, .wdp, .ppt, .ncf, .xlsm, .der, .cdr, .lvl, .wp4, .slm, .bsa, .m2, .wn, .xar, .xx, .odc, .dxg, .vtf, .wp6, .iwd, .ysp, .wmv, .psd, .sb, .xll, .wsc, .zip, .zdc, .desc, .wpe, .wdb, .wmd, .wbmp, .svg, .fpk, .docx, .js, .vfs0, .zi, .wpl, .vpp_pc, .jpg, .esm, .r3d, .rwl, .sum, .dcr, .sr2, .wp5, .cer, .snx, .jpe, .wpd, .wire, .ptx, .xlgc, .pkpass, .map, .odm, .ztmp, .hplg, .zip, .wbk, .bc7, .kdb, .sid, .syncdb, .rar, .wpd, .mddata, .ws, .p7b, .avi, .t13, .srf, .wotreplay, .raf, .itm, .wmv, .wmf, .xyp, .mef, .pef, .bkf, .sav, .wm, .wbc, .mov, .hkx, .wp7, .wgz, .m3u, .mdf, .mdb, .odp, .png, .iwi, .x3d, .cr2, .orf, .icxs, .das, .xdb, .bc6, .sie, .fos, .rim, .0, .pdd, .x3f, .menu, .3ds, .y, .xls, .qic, .xbdoc, .bik, .xdl, .forge, .m4a, .mdbackup, .x, .arw, .wps, .txt, .odb, .bar, .itdb, .d3dbsp, .tor, .xlsm, .doc, .xlsx, .wpa, .jpeg, .wri, .odt, .arch00, .dbf, .itl, .rb, .x3f, .xyw, .xld, .wbz, .wav, .webdoc, .rw2, .asset, .raw, .epk, .psk, .crt, wallet, .fsh, .gdb, .pptm, .upk, .ybk, .rgss3a, .zw, .yal, .wbd, .pst, .xy3, .dazip, .wma, .p7c, .mpqge, .ff, .indd, .3fr, .pak, .bay, .ntl, .xmmap, .wot, .w3x, .kdc, .re4, .lbf, .docm, .xls, .bkp, .wsh, .kf, .wma, .zdb, .zif, .3dm, .ibank, .blob, .wpw, .sidd, .pptx, .eps, .z, .mp4, .dba, .mrwref, .gho, .2bp, .wpt
Once a file is encrypted, its extension changed to .INFOWAIT. Next, the ransomware creates a file named ‘!readme.txt’. This file contain an information on how to decrypt all encrypted documents, photos and music. You can see an one of the variants of the ransom demanding message below:
Your databases, files, photos, documents and other important files are encrypted and have the extension: .INFOWAIT
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $290 if you contact us first 72 hours.
E-mail address to contact us:
Reserve e-mail address to contact us:
If your files have been locked by the INFOWAIT ransomware virus, We suggests: do not to pay the ransom. If this malware make money for its creators, then your payment will only increase attacks against you. Of course, decryption without the private key is not possible, but that does not mean that the .INFOWAIT file extension ransomware must seriously disrupt your live. The free utilities listed below has the ability to find out and remove this virus and prevent any further damage. After that you can restore encrypted photos, documents and music from their Shadow Copies or using file recover utility.
Instructions which is shown below, will help you to remove INFOWAIT ransomware virus as well as restore encrypted files stored on your system drives.
Table of contents
- How to decrypt .INFOWAIT files
- How to remove INFOWAIT ransomware
- How to restore .INFOWAIT files
- How to protect your machine from INFOWAIT ransomware?
How to decrypt .INFOWAIT files
Currently Dr.Web antivirus company is able to decrypt some variants of the STOP ransomware including .INFOWAIT and .DATAWAIT extension crypted files (Submit a request to decrypt files). But if you were not using a Dr.Web antivirus license when your files have been encrypted then you should pay a fee.
Except for INFOWAIT ransomware decryptor that was made by the Dr. Web antivirus, at the moment there is no other free way to decrypt .INFOWAIT files. But you have a chance to restore encrypted files for free using shadow volume copies or file restore applications.
How to remove INFOWAIT ransomware
The .INFOWAIT file extension ransomware can hide its components which are difficult for you to find out and remove completely. This can lead to the fact that after some time, the ransomware virus once again infect your machine and encrypt your personal files. Moreover, I want to note that it is not always safe to delete ransomware manually, if you don’t have much experience in setting up and configuring the MS Windows operating system. The best way to look for and get rid of INFOWAIT ransomware is to use free malicious software removal software that are listed below.
How to remove INFOWAIT ransomware with Zemana Anti-malware
Zemana Anti-malware highly recommended, because it can search for security threats such INFOWAIT ransomware virus, ad-supported software and other malicious software that most ‘classic’ antivirus programs fail to pick up on. Moreover, if you have any INFOWAIT ransomware removal problems which cannot be fixed by this tool automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.
Installing the Zemana Free is simple. First you will need to download Zemana from the link below. Save it directly to your MS Windows Desktop.
Author: Zemana Ltd
Category: Security tools
Update: February 14, 2019
When downloading is finished, launch it and follow the prompts. Once installed, the Zemana AntiMalware will try to update itself and when this task is finished, click the “Scan” button to begin scanning your computer for the INFOWAIT ransomware virus and other malware and PUPs.
Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the Zemana Anti Malware program is scanning, you can see number of objects it has identified as threat. Review the scan results and then click “Next” button.
The Zemana Free will delete INFOWAIT ransomware and other security threats and add threats to the Quarantine.
Use MalwareBytes to get rid of INFOWAIT ransomware
Manual INFOWAIT ransomware virus removal requires some computer skills. Some files and registry entries that created by the ransomware virus may be not completely removed. We advise that run the MalwareBytes Anti Malware that are completely clean your computer of ransomware. Moreover, this free program will help you to remove malicious software, PUPs, ad-supported software and toolbars that your PC system can be infected too.
Visit the page linked below to download MalwareBytes Free. Save it to your Desktop.
Category: Security tools
Update: February 5, 2019
Once the download is complete, close all windows on your machine. Further, run the file called mb3-setup. If the “User Account Control” dialog box pops up as displayed in the following example, click the “Yes” button.
It will show the “Setup wizard” that will assist you setup MalwareBytes AntiMalware on the machine. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, click Finish button. Then MalwareBytes Anti Malware (MBAM) will automatically start and you may see its main window as displayed on the image below.
Next, click the “Scan Now” button . MalwareBytes AntiMalware (MBAM) tool will begin scanning the whole PC system to find out INFOWAIT ransomware virus related files, folders and registry keys. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. While the MalwareBytes is scanning, you can see how many objects it has identified either as being malicious software.
When the system scan is finished, you will be shown the list of all found threats on your PC. Next, you need to click “Quarantine Selected” button.
The MalwareBytes will remove INFOWAIT ransomware virus and other security threats. After the procedure is finished, you can be prompted to restart your system. We recommend you look at the following video, which completely explains the process of using the MalwareBytes Anti Malware to get rid of browser hijacker infections, adware and other malware.
Remove INFOWAIT ransomware virus with KVRT
KVRT is a free portable application that scans your PC for adware, potentially unwanted applications and ransomware viruss like INFOWAIT ransomware and helps remove them easily. Moreover, it will also allow you get rid of any malicious internet browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) on your computer from the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is complete, double-click on the Kaspersky virus removal tool icon. Once initialization process is done, you’ll see the Kaspersky virus removal tool screen as displayed below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . KVRT utility will begin scanning the whole personal computer to find out INFOWAIT ransomware virus and other malware. This process can take quite a while, so please be patient. While the KVRT is scanning, you can see how many objects it has identified either as being malware.
After the scan is finished, KVRT will open a list of all threats found by the scan as on the image below.
Review the results once the tool has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to start a cleaning procedure.
How to restore .INFOWAIT files
In some cases, you can restore files encrypted by INFOWAIT ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Recover .INFOWAIT encrypted files using Shadow Explorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
ShadowExplorer can be downloaded from the following link. Save it on your MS Windows desktop or in any other place.
Category: Security tools
Update: February 27, 2018
Once the downloading process is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the figure below.
Launch the ShadowExplorer utility and then select the disk (1) and the date (2) that you wish to restore the shadow copy of file(s) encrypted by the INFOWAIT ransomware virus as displayed in the following example.
Now navigate to the file or folder that you wish to restore. When ready right-click on it and press ‘Export’ button as shown in the figure below.
Use PhotoRec to recover .INFOWAIT files
Before a file is encrypted, the INFOWAIT ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover software such as PhotoRec.
Download PhotoRec on your Windows Desktop from the following link.
Category: Security tools
Update: March 1, 2018
After downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen like below.
Choose a drive to recover as displayed in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as on the image below.
Click File Formats button and select file types to restore. You can to enable or disable the restore of certain file types. When this is done, click OK button.
Next, click Browse button to choose where restored documents, photos and music should be written, then press Search.
Count of restored files is updated in real time. All restored documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, press on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as shown in the following example.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your machine from INFOWAIT ransomware?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your machine does not have an antivirus application, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your machine from INFOWAIT ransomware
Download CryptoPrevent from the link below.
Run it and follow the setup wizard. Once the installation is finished, you’ll be shown a window where you can choose a level of protection, as shown on the image below.
Now click the Apply button to activate the protection.
To sum up
Now your personal computer should be clean of the .INFOWAIT file extension ransomware. Remove MalwareBytes AntiMalware and Kaspersky virus removal tool. We suggest that you keep Zemana Anti Malware (ZAM) (to periodically scan your PC for new malware). Moreover, to prevent ransomware virus, please stay clear of unknown and third party software, make sure that your antivirus program, turn on the option to stop or find out ransomware.
If you need more help with .INFOWAIT file extension ransomware related issues, go to here.