What is Insta ransomware? And how does it execute its attack?
Insta ransomware is a new file-encrypting threat that was first spotted on May 30, 2018. According to crypto malware experts, it seems to be a new and improved version of Stroman ransomware. It uses a strong AES 256 encryption algorithm in locking its targeted files. The moment its malicious payload is dropped in the system, it begins to execute its attack by adding more malicious files and placing them on system folders to prevent any programs from interrupting its attack. It also modifies the Windows Registry in order to run on every system boot. After these changes are applied, it will start to scan the computer looking for files with the following formats:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, doc, .epub, .docx .fb2, .flv, .gif, .gz, .iso .ibooks,.jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2
Once it finds its targeted files, it will begin the encryption process by applying the AES 256 cipher in encoding the files. Following data encryption, it appends the .insta extension to every encrypted file and generate a file named “filesinfo.txt” which contains the following message:
“Your data set are encrypted.
All files with .insta extension are encrypted.
We can help decrypted files.
You will get decrypt soft + personal key(for your personal id) + manual.
For you to be sure, that we can decrypt your files
You can send us 1-2 encrypted files and we will send back it in a decrypted format FREE.
For download files use only dropmefiles.com not more than 10 Mb
Send us an email:
after wait decrypted files and further instructions.
You can send a message within 72 hours after encrypting, else full decrypt will be heavy.
Please use public email for contact: gmail etc.
For recover, your files – contact our email:
Your personal ID:
[redacted 36 characters]”
Although recovering the files using their Shadow Volume copies is not possible that does not mean that you should pay the ransom demanded. Remember cybercriminals can’t be trusted so you really can’t expect them to hold their end of the bargain once they receive the ransom. The best thing you can do is use whatever extra copies you have of the affected files until security experts are able to come up with a free decryptor.
How is the malicious payload of Insta ransomware distributed?
The malicious payload of Insta ransomware could reach your computer when you open an obfuscated attachment from your emails. This obfuscated attachment may be in the form of a document, an executable file, a ZIP file, etc. That’s why it’s best if you check the contents of the email as well as its sender before you open any attachments.
Make use of the following removal instructions to eliminate Insta ransomware and its malicious components from your computer.
Step 1: Restart your computer into Safe Mode.
Step 2: Next, you have to eliminate the process of Insta ransomware by opening the Task Manager – simply tap the Ctrl + Shift + Esc keys on your keyboard.
Step 3: After that, click the Processes tab and look for a process named “x1609y.exe” as well as other suspicious-looking processes that takes up most of your CPU’s resources and is most likely related to Insta ransomware and then end them all.
Step 4: Now that the malicious process is eliminated, close the Task Manager.
Step 5: Next, tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 6: Under the list of installed programs, look for Insta ransomware or anything similar and then uninstall it.
Step 7: Then close Control Panel and tap Win + E keys to launch File Explorer.
Step 8: Navigate to the following locations below and look for Insta ransomware’s malicious components like the file named filesinfo.txt as well as other suspicious files it has created and downloaded into the system and then delete all of them.
Step 9: Close the File Explorer.
Before you go on any further, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name] this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 10: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 11: Navigate to the following path:
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 12: Delete the registry keys and sub-keys created by Insta ransomware.
Step13: Close the Registry Editor and empty the contents of Recycle Bin.
After you’ve covered the steps provided above, you need to continue the removal process of Insta ransomware using a reliable program like [product-name]. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.