
IFN643 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 1
First Seen: October 31, 2016
Last Seen: January 13, 2020
OS(es) Affected: Windows

PC security analysts have received reports of an attack involving the IFN643 Ransomware, a ransomware Trojan that is currently active in the wild. The first detected instance of the IFN643 Ransomware was a version that was still in development. No distribution of a version of the IFN643 Ransomware with a working executable file was detected when the IFN643 Ransomware infections were first recorded. Malware researchers viewed the IFN643 Ransomware samples on Google's VirusTotal platform, where their author had uploaded them. This is a common practice among threat authors, who upload a sample of their attack to find out whether anti-virus programs are capable of detecting it. VirusTotal compiles the efforts of multiple anti-virus platforms, providing a great benefit to computer users. However, it is also very useful to threat creators who are attempting to test whether their creations can bypass established protection methods.

The IFN643 Ransomware is Still Under Development

The IFN643 Ransomware is a Trojan infection that carries out a ransomware attack similar to that of most encryption ransomware Trojans, such as CryptoWall or Locky. However, the IFN643 Ransomware attack is not yet at that level of sophistication: the IFN643 Ransomware is still under development and has not been observed carrying out attacks in the wild. The IFN643 Ransomware is designed to encrypt common files that would have value to most computer users. For example, the IFN643 Ransomware will target documents, media files and databases. The IFN643 Ransomware will scan the victim's computer for certain file types, looking for files with the following extensions (among many others):

.3GP, .AVI, .BMP, .CSV, .DJVU, .DOCM, .DOC, .EPUB, .DOCX, .FLV, .GIF, .IBOOKS, .JPEG, .JPG, .MKV, .MOV, .MP3, .MP4, .MPG, .MPEG, .PICT, .PDF, .PNG, .PPT, .PPTX, .PPSX, .RTF, .SWF, .TIFF, .TIF, .TXT, .VSD, .WMV, .XLS, .XLSX, .XPS, .XML.

Whenever the IFN643 Ransomware detects files with the extensions it is searching for, it will encrypt them using a strong encryption algorithm. Files that have been encrypted by the IFN643 Ransomware will become inaccessible. Their icons will look different in Windows Explorer, and their file extension will have been changed to .IFN643. Once the IFN643 Ransomware is released, it is likely that its extension will also be changed.

The IFN643 Ransomware delivers a ransom note in the form of a text file dropped on the victim's Desktop. The file is quite short, is named 'IFN643_Malware_readme.txt' and reads as follows:

'Your most critical files have been encrypted 🙂
Send $1000 in Bitcoin to [random characters] if you need them back.'

It is likely that this is a placeholder message for whatever monetization scheme the authors of the IFN643 Ransomware will wish to use in the future. At the current exchange rate, $1000 USD is about 1.4 Bitcoin, which may be much too expensive for most computer users. In any case, PC security researchers do not recommend that computer users pay the IFN643 Ransomware's ransom. There is no guarantee that the people responsible for the IFN643 Ransomware attack will keep their promise and restore the victim's files. It is equally likely that they will simply ignore the victim or demand an even larger ransom payment.

Dealing with an IFN643 Ransomware Infection

Although the IFN643 Ransomware is not yet active in the wild, dealing with these infections is similar to dealing with other threats of this kind. PC security researchers advise computer users to remove the IFN643 Ransomware with the help of a reliable security program or to wipe the affected computer clean. Files encrypted by the IFN643 Ransomware can be restored from a backup. This is why the best preventive method for the IFN643 Ransomware and other ransomware Trojans is to establish backups of important files. If files are backed up, computer users can simply replace the encrypted copies with backups and avoid having to deal with the IFN643 Ransomware.
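
To decide which folders need restoring from backup, the scope of the damage can be measured first. The following is an added example, not part of the original article: a Python triage sketch that assumes the renamed-file extension is `.IFN643` and the note is named `IFN643_Malware_readme.txt`; the function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as this page describes them; a released build may differ.
ENCRYPTED_EXT = ".ifn643"
NOTE_NAME = "ifn643_malware_readme.txt"
# A subset of the targeted extensions listed on the page.
TARGETED = {".doc", ".docx", ".pdf", ".jpg", ".png", ".xls", ".xlsx", ".txt"}

def triage(root):
    """Walk root; return ({directory: Counter}, [ransom-note paths])."""
    per_dir, notes = {}, []
    for dirpath, _dirs, files in os.walk(root):
        counts = Counter()
        for name in files:
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
            elif Path(lower).suffix == ENCRYPTED_EXT:
                counts["encrypted"] += 1
            elif Path(lower).suffix in TARGETED:
                counts["intact"] += 1
        if counts:
            per_dir[dirpath] = counts
    return per_dir, notes

def restore_order(per_dir):
    """Directories with renamed files, most affected first."""
    hit = [(c["encrypted"], d) for d, c in per_dir.items() if c["encrypted"]]
    return [d for _n, d in sorted(hit, reverse=True)]

def demo():
    """Run the triage over a constructed sample tree (not real victim data)."""
    sample = ["Documents/a.ifn643", "Documents/b.IFN643", "Documents/c.docx",
              "Pictures/p.ifn643", "Pictures/q.jpg", "Pictures/r.png",
              "Desktop/IFN643_Malware_readme.txt"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample")
        per_dir, notes = triage(root)
        return {"counts": {Path(d).name: dict(c) for d, c in per_dir.items()},
                "order": [Path(d).name for d in restore_order(per_dir)],
                "notes": [Path(n).name for n in notes]}

if __name__ == "__main__":
    print(demo())
```

Run `triage()` against a mounted copy of the affected disk rather than the live system, and compare the "encrypted" counts per folder with what the backup holds before overwriting anything.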
