INCANTO Ransomware

The INCANTO Ransomware is a file-locking Trojan that prevents media such as documents or pictures from opening. Threat actors may use this Trojan's attacks to demand money for helping you unlock your content, although paying any ransoms they request isn't recommended over free solutions. Backing files up to another device can remove the risk of data loss from this Trojan, and anti-malware products may delete the INCANTO Ransomware or keep it from installing.

An Incantation Chaining Up Your Media

Thanks to many open-source and for-rental resources that make it easier than ever for crooks to administer Trojan campaigns without knowing much about programming, file-locking Trojans are one of the most widely-distributed threats of the year. How different attacks distinguish themselves from one another often comes down to non-coded features, such as which social engineering strategies and psychological tricks the con artist uses to encourage a favored reaction from the victim. The newest INCANTO Ransomware, in demonstration, offers a small, free file-unlocking service to prove its worth before collecting a ransom on a full decryption solution.

This Trojan uses RSA-1024-based enciphering attacks to 'lock' content like AVI videos, PDF documents, GIF pictures, or ZIP archives, among others. It also may filter data according to the residing directory, and malware researchers find no indications of the INCANTO Ransomware being designed to damage essential OS components like the Windows folder. After converting files into RSA-encoded versions, the INCANTO Ransomware differentiates them from non-locked content by adding '.INCANTO' extensions to their names but doesn't remove the first extension.

The INCANTO Ransomware's threat actors are communicating through Notepad messages with their victims, which the Trojan drops on the desktop or in the same folders as any hostage media. The instructions for buying a decryption solution provides both email and BitMessage-based communication methods, as well as recommending a third-party, file-sharing site that's most widely in use with Russian PC users. However, all this text is in English, and malware experts fail to detect any advanced, region-specific filtering options in the INCANTO Ransomware's installation or payload.

Breaking an Enchantment on Your Saved Data

While a great portion of its ransom note appears to be a plagiarism from a previous campaign, the INCANTO Ransomware has no identifiable connections to previous threat actors and may use unpredictable installation exploits. Malware researchers most often find file-locking Trojans installing themselves through email attachments or con artists brute-forcing their way into the servers of private businesses. Casual PC users also could infect their PCs by downloading unsafe content, such as fake updates and gaming cracks, through corrupted websites, torrents or Web advertisements.

The RSA encryption is typically difficult or impractical to reverse-engineer, and even simpler encryption attacks may not always have a solution available for the users to unlock their files. Backing up content to removable devices or network-based storage can remove this Trojan's bargaining leverage, and malware analysts suggest avoiding paying any ransom whenever possible. Recommended disinfection protocols include disabling any network connections while restarting your computer with the Safe Mode feature, before using any dedicated anti-malware scanner for uninstalling the INCANTO Ransomware.

With Russian Web-usage characteristics, an Italian-based extension and English messages to the users it attacks, the INCANTO Ransomware offers a muddled view of the nationality of its campaign. The border-crossing nature of file-locking Trojans may become even more relevant in the future, with Trojans like the INCANTO Ransomware holding content hostage opportunistically, no matter where they find it.