INCANTO Ransomware
Posted: September 18, 2017
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 11 |
| First Seen: | September 18, 2017 |
| Last Seen: | February 22, 2020 |
| OS(es) Affected: | Windows |
The INCANTO Ransomware is a file-locking Trojan that prevents media such as documents or pictures from opening. Threat actors may use this Trojan's attacks to demand money for helping you unlock your content, although paying any ransoms they request isn't recommended over free solutions. Backing files up to another device can remove the risk of data loss from this Trojan, and anti-malware products may delete the INCANTO Ransomware or keep it from installing.
An Incantation Chaining Up Your Media
Thanks to many open-source and for-rent resources that make it easier than ever for crooks to administer Trojan campaigns without knowing much about programming, file-locking Trojans are one of the most widely distributed threats of the year. How different attacks distinguish themselves from one another often comes down to non-coded features, such as which social engineering strategies and psychological tricks the con artist uses to encourage a favored reaction from the victim. The newest INCANTO Ransomware, for example, offers a small, free file-unlocking service to prove its worth before collecting a ransom on a full decryption solution.
This Trojan uses RSA-1024-based enciphering attacks to 'lock' content like AVI videos, PDF documents, GIF pictures, or ZIP archives, among others. It also may filter data according to the residing directory, and malware researchers find no indications of the INCANTO Ransomware being designed to damage essential OS components like the Windows folder. After converting files into RSA-encoded versions, the INCANTO Ransomware differentiates them from non-locked content by adding '.INCANTO' extensions to their names but doesn't remove the first extension.
The INCANTO Ransomware's threat actors communicate with their victims through Notepad messages, which the Trojan drops on the desktop or in the same folders as any hostage media. The instructions for buying a decryption solution provide both email and BitMessage-based communication methods, and also recommend a third-party file-sharing site that is most widely used by Russian PC users. However, all this text is in English, and malware experts fail to detect any advanced, region-specific filtering options in the INCANTO Ransomware's installation or payload.
Breaking an Enchantment on Your Saved Data
While a great portion of its ransom note appears to be plagiarized from a previous campaign, the INCANTO Ransomware has no identifiable connections to previous threat actors and may use unpredictable installation exploits. Malware researchers most often find file-locking Trojans installing themselves through email attachments or con artists brute-forcing their way into the servers of private businesses. Casual PC users also could infect their PCs by downloading unsafe content, such as fake updates and gaming cracks, through corrupted websites, torrents or Web advertisements.
RSA encryption is typically difficult or impractical to reverse-engineer, and even simpler encryption attacks may not always have a solution available for users to unlock their files. Backing up content to removable devices or network-based storage can remove this Trojan's bargaining leverage, and malware analysts suggest avoiding paying any ransom whenever possible. Recommended disinfection protocols include disabling any network connections while restarting your computer with the Safe Mode feature, before using any dedicated anti-malware scanner for uninstalling the INCANTO Ransomware.
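Because the Trojan appends '.INCANTO' without removing the first extension, the original file names can be recovered from the locked ones and checked against a backup. The following triage script is an added example, not part of the original article or any vendor tool; the function names, the case-insensitive match and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".incanto"  # extension named in the article; case-insensitive match is an assumption

def original_name(path):
    """Return the pre-encryption name, or None if the file is not marked."""
    if path.suffix.lower() != MARKER:
        return None
    return path.name[: -len(path.suffix)]  # the first extension is left in place

def inventory(root, backup_root=None):
    """List marked files under root and whether backup_root holds a clean copy."""
    root, rows = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            locked = Path(dirpath) / name
            orig = original_name(locked)
            if orig is None:
                continue
            rel = locked.relative_to(root).with_name(orig)
            rows.append({
                "original": rel.as_posix(),
                "type": Path(orig).suffix.lower() or "(none)",
                "in_backup": backup_root is not None
                             and (Path(backup_root) / rel).is_file(),
            })
    return rows

def summarize(rows):
    """Count locked files per original type and list those with no backup copy."""
    by_type = Counter(r["type"] for r in rows)
    missing = sorted(r["original"] for r in rows if not r["in_backup"])
    return by_type, missing

def demo():
    """Build a constructed sample tree (not real victim data) and summarize it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        samples = [(live, "docs/report.pdf.INCANTO"), (live, "docs/notes.txt"),
                   (live, "pics/cat.gif.incanto"), (live, "pics/clip.avi.INCANTO"),
                   (backup, "docs/report.pdf"), (backup, "pics/cat.gif")]
        for base, rel in samples:
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(b"constructed sample")
        return summarize(inventory(live, backup))

if __name__ == "__main__":
    print(demo())
```

The `missing` list is the set of files that a restore from that backup would not cover.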
With Russian Web-usage characteristics, an Italian-based extension and English messages to the users it attacks, the INCANTO Ransomware offers a muddled view of the nationality of its campaign. The border-crossing nature of file-locking Trojans may become even more relevant in the future, with Trojans like the INCANTO Ransomware holding content hostage opportunistically, no matter where they find it.