What is InfinityLock ransomware? And how does it execute its attack?
InfinityLock ransomware is a file-encrypting threat discovered by the malware security researcher Leo. Its developers distribute the malware by presenting it as a “crack” for Adobe Premiere Pro. Once run, it encrypts the targeted files, changes the infected PC’s desktop wallpaper and drops a ransom note named INFINITYLOCK_UNIQEID.txt that contains the following message:
“YOU BECAME A VICTIM OF THE INFINITYLOCK RANSOMWARE!
ALL YOUR FILES HAVE BEEN ENCRYPTED
FOR EACH TRY TO DO ANYTHING I WILL DELETE FILES
PAY 0.17 BITCOINS TO THIS ADDRESS : 1LSgvYFY7SDNje2Mhsm51FxhqPsbvXE
YOU CAN BUY BITCOINS ON “BLOCKCHAIN.INFO”
SEND YOUR UNIQE ID IN THE DESCRIPTION OF THE BITCOIN PAYMENT
YOU CAN FIND THEM ON YOUR DESKTOP IN “INFINITYLOCK_UNIQEID.TXT”
AFTER THE PAYMENT YOUR FILES WILL BE DECRYPTED!”
During the encryption process, InfinityLock appends a random file extension to each targeted file. It targets images, audio, video, archives, documents and other file types and encrypts them with the RSA-2048 algorithm, which makes recovering them without a decryption tool impractical. The malware also creates three files: InifinityLock_Recover_Instructions.png, InfinityLock_UniqeID.txt and InfinityLock_Recover_Instructions.txt. All three are placed on the desktop, and the PNG file is the one set as the desktop wallpaper. In addition, the malware uses three separate executable files to carry out its operations: encrypt.exe, setinstructions.exe and sendhelp.exe.
InfinityLock also displays a fake Command Prompt window informing users about the ransomware attack. Here is the full text of the message:
“[Windows Version]
C:\Users\[account name]>encrypt.exe -alldata -randomkeysend -rsa-2048 -alldrives
C:\Users\[account name]>setinstructions.exe -silent -desktop
C:\Users\[account name]>sendhelp.exe -incmd -me
YOU BECAME A VICTIM OF THE INFINITYLOCK RANSOMWARE !
ALL YOUR FILES HAVE BEEN ENCRYPTED
PAY 0.17 BITCOINS TO THIS ADDRESS_
[RANDOM CHARACTERS]”
Victims are urged to send Bitcoins to the given address and include their unique ID in the payment description in order to recover their files. However, security experts consistently advise against paying these crooks a single cent, because there is no assurance that the encrypted files will be decrypted once payment is made. The best thing you can do is eliminate InfinityLock by following the instructions provided at the end of this article.
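The command lines in the fake Command Prompt window and the dropped file names above are usable as detection indicators. The following is an added example (not code from the original article, and not a tool from any vendor named on this page) that scans constructed process-creation and file-creation events, shaped loosely after Sysmon fields, for the three executables with their switches and for the ransom-note file names. The host names, paths and event shapes are made up for the example; matching a bare file name alone is rated low confidence, since any program may be called encrypt.exe, while the full switch set is rated high.

```python
"""Detection sketch for the InfinityLock indicators described in the article.

Added example: scans constructed process/file events for the executables,
switches and dropped file names the article lists. Event format, hosts and
paths are assumptions made for the example, not a real log source.
"""

# Indicators from the article: executables with their switches, and files
# dropped on the victim's desktop (plus the dropper name PremiereCrack.exe).
INFINITYLOCK_CMDLINES = {
    "encrypt.exe": {"-alldata", "-randomkeysend", "-rsa-2048", "-alldrives"},
    "setinstructions.exe": {"-silent", "-desktop"},
    "sendhelp.exe": {"-incmd", "-me"},
}
INFINITYLOCK_FILES = {
    "infinitylock_uniqeid.txt",
    "infinitylock_recover_instructions.txt",
    "infinitylock_recover_instructions.png",
    "premierecrack.exe",
}

# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Host": "WS-01",
     "Image": r"C:\Users\victim\AppData\Local\Temp\encrypt.exe",
     "CommandLine": "encrypt.exe -alldata -randomkeysend -rsa-2048 -alldrives"},
    {"EventType": "ProcessCreate", "Host": "WS-01",
     "Image": r"C:\Users\victim\AppData\Local\Temp\setinstructions.exe",
     "CommandLine": "setinstructions.exe -silent -desktop"},
    {"EventType": "FileCreate", "Host": "WS-01",
     "TargetFilename": r"C:\Users\victim\Desktop\InfinityLock_UniqeID.txt"},
    {"EventType": "ProcessCreate", "Host": "WS-02",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    # A benign tool that merely shares the name encrypt.exe, without the switches.
    {"EventType": "ProcessCreate", "Host": "WS-03",
     "Image": r"C:\Tools\encrypt.exe",
     "CommandLine": "encrypt.exe --help"},
]


def _basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _switches(cmdline):
    """Tokens after the program name; handles a quoted program path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        parts = cmdline.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return {tok.lower() for tok in rest.split()}


def score_process_event(event):
    """Return a finding for a process-creation event, or None if benign."""
    image = _basename(event.get("Image", ""))
    expected = INFINITYLOCK_CMDLINES.get(image)
    if expected is None:
        return None
    matched = _switches(event.get("CommandLine", "")) & expected
    if matched == expected:
        confidence = "high"      # full switch set seen in the article
    elif matched:
        confidence = "medium"    # some of the switches
    else:
        confidence = "low"       # name collision only
    return {"rule": "infinitylock_process", "host": event.get("Host"),
            "image": image, "confidence": confidence,
            "matched_switches": sorted(matched)}


def score_file_event(event):
    """Return a finding when a dropped-file name from the article is created."""
    name = _basename(event.get("TargetFilename", ""))
    if name in INFINITYLOCK_FILES:
        return {"rule": "infinitylock_file", "host": event.get("Host"),
                "file": name, "confidence": "high"}
    return None


def scan(events):
    """Run both rules over a list of events and collect the findings."""
    findings = []
    for event in events:
        kind = event.get("EventType")
        finding = None
        if kind == "ProcessCreate":
            finding = score_process_event(event)
        elif kind == "FileCreate":
            finding = score_file_event(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Because the three executables are launched with fixed switches, the full switch set is the discriminating part of the indicator; an alert on the file name alone would fire on unrelated tools. In a real deployment the same logic maps directly onto a process-creation rule in whatever SIEM or EDR is in use.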
How is InfinityLock distributed?
InfinityLock ransomware spreads as a malicious executable file named PremiereCrack.exe. According to security analysts, the InfinityLock payload is presented to users as a cracked copy of Adobe Premiere Pro CC by Adobe Systems Inc., a video editing and production software solution. Pirated copies of this software have been used to distribute threats in the past, and InfinityLock now uses the same method. Users are most likely to encounter this threat after downloading software cracks from peer-to-peer networks, unofficial download sources such as free file-sharing sites offering software bundles, fake software update tools, Trojans and the old but still effective malicious spam email campaigns. These third-party download sources sometimes present malicious applications as legitimate ones, tricking users into downloading and running malware-laden software. If you want to steer clear of such threats, avoid downloading software cracks and obtain the software from its official website instead.
Eliminating InfinityLock ransomware isn’t easy, but with the removal instructions provided below, you’ll do just fine.
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Go to the Processes tab and look for encrypt.exe, setinstructions.exe and sendhelp.exe. End each of their processes.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Adobe Premiere Pro or Adobe Premiere and then uninstall it.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Navigate to the following locations.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 7: Look for InfinityLock’s malicious files listed below and delete all of them.
- exe
- png
- txt
- txt
The next step is not recommended if you don’t know how to navigate the Registry Editor. Incorrect registry changes can seriously affect your computer, so it is advisable to use PC Cleaner Pro instead to get rid of the entries that InfinityLock ransomware created. If you are not familiar with the Windows Registry, skip to Step 12 onwards.
However, if you are well-versed in making registry adjustments, proceed to Step 8.
Step 8: Open the Registry Editor: tap Win + R, type in regedit, press Enter, and then go to the following path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 9: Look for suspicious registry entries created by InfinityLock and delete them.
Step 10: Close the Registry Editor and empty the Recycle Bin.
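Steps 6 to 9 amount to two checks: programs running from the user-writable folders listed in Step 6, and autostart values under the Run key in Step 8. The following added example (not code from the article or from any product it names) performs that triage offline on the text that `reg export` writes for the Run key. It parses the exported values, extracts the program path from each command and flags values whose program is one of the InfinityLock executables or lives under %TEMP%, %APPDATA%, Downloads or Desktop. The export text is constructed for the example, and the OneDrive, Updater, Helper and Sync value names and paths are made up.

```python
"""Triage of HKCU Run-key values from a .reg export (added example).

Parses the text produced by `reg export` for the Run key named in Step 8 and
flags values whose program matches an InfinityLock file name or runs from one
of the user-writable folders listed in Step 6. The export below is constructed
for the example; no real system was queried.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# File names from the article (dropper plus the three worker executables).
MALWARE_IMAGES = {"encrypt.exe", "setinstructions.exe", "sendhelp.exe",
                  "premierecrack.exe"}

# Lower-cased fragments of %TEMP%, %APPDATA%, Downloads and Desktop paths.
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                "\\downloads\\", "\\desktop\\")

# Constructed `reg export` output (hypothetical value names and paths).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\victim\\AppData\\Local\\Temp\\encrypt.exe -alldata -randomkeysend -rsa-2048 -alldrives"
"Helper"="\"C:\\Users\\victim\\Desktop\\sendhelp.exe\" -incmd -me"
"Sync"="C:\\Program Files\\Vendor\\sync.exe"
'''

# A REG_SZ line: "name"="value", with \" and \\ escapes inside either string.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(text):
    """Undo the .reg file escaping: \\" -> " and \\\\ -> \\ in one pass."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_values(export_text):
    """Return {value_name: command} for the values under RUN_KEY."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_key:
            continue
        match = _VALUE_LINE.match(line)
        if match:
            name, raw = match.groups()
            values[_unescape(name)] = _unescape(raw)
    return values


def program_path(command):
    """Program part of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def triage(export_text):
    """Flag Run-key values by file name and by launch location."""
    findings = []
    for name, command in parse_run_values(export_text).items():
        path = program_path(command)
        lowered = path.lower()
        image = lowered.rsplit("\\", 1)[-1]
        reasons = []
        if image in MALWARE_IMAGES:
            reasons.append("known InfinityLock file name")
        if any(d in lowered for d in SUSPECT_DIRS):
            reasons.append("runs from a user-writable location")
        if reasons:
            findings.append({"value": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

The location check is a heuristic: plenty of legitimate software installs under %APPDATA%, so a hit there is a prompt to inspect the value, not proof of infection, whereas a file-name match combined with a launch from %TEMP% or the Desktop is what the removal steps above are looking for.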
Try to recover your encrypted files using Shadow Volume copies
Restoring your encrypted files with Windows’ Previous Versions feature only works if InfinityLock has not deleted the shadow copies of your files. Still, it is one of the best free methods available, so it is definitely worth a try.
To restore an encrypted file, right-click on it and select Properties. In the window that pops up, go to the Previous Versions tab; it lists the file’s versions from before it was modified. Select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
Follow the continued advanced steps below to ensure the removal of the InfinityLock ransomware:
Perform a full system scan using SpyRemover Pro.
- Turn on your computer. If it’s already on, reboot it.
- The BIOS screen will then be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- Use the arrow keys to navigate the Advanced Options, select Safe Mode with Networking and then press Enter.
- Windows will now load the Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation starts automatically once the download is done.
- Click OK to launch the program.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.