InfiniteTear Ransomware Virus - How To Remove?

-
 0
Type: Ransomware
Other names: InfinityShadow, The_Last
 

InfiniteTear (also referred to as The_Last and InfinityShadow) ransomware virus has been detected to follow a strict plan of encoding files with AES crypto key, and then exploiting RSA cipher to encrypt the decryption key. Random6 and Diablo6 have chosen similar tactics of exploiting two techniques of cryptography to make their product more invincible.

The infection takes its course from The_Last.exe file which has the assignment of functioning as the infection’s payload. There had been several samples detected, and the level of severity of them fluctuated between the following labels: Trojan.Win32.Ceatrg, Trojan.Ransom.InfiniteTear (A), Trojan-Ransom.Win32.Gen.fdm (1).

Infinite Tear ransomware virus

Behavioral details about this InfiniteTear crypto-virus

Much to security experts’ surprise, the infection exploits Telegram as C2 server. InfiniteTear ransomware (2) appends identical extensions to encrypted digital data: .JezRoz. Also, presumably on the desktop, victims will notice Important_Read_me.txt file that contains most of the necessary information.

The message explains that all personal information has been ruined and there is no way of accessing them but to pay the demanded ransom. This transaction has to be made in 7 days time. Otherwise, files are explained to be lost for good as the decryption key will be deleted. Recent Spongebob ransomware also indicated that if users do not pay the ransoms in a week, they will no longer have a chance to do so.

Hackers make promises to decode 2 files and we did not see any restrictions when it comes to selecting which should be recovered. To get back a couple of encrypted files, you will have to contact InfinityShadow@protonmail.com email address. However, the full recovery of data is only possible if you pay $260. Of course, this ransom is requested to be send via the bitcoin payment system. Currently, this equals 0.06009 BTC. Security experts draw a line: victims of crypto-viruses should never pay the fees (3).

File-recovery, removal and other relevant details about this crypto-virus

InfiniteTear ransomware currently has no cure: the file-encryption is done too well for security researchers to crack it a couple of days. Such processes require time and if researchers will be successful in coming up with a functional software to decode executables, we will inform you. For now, there are other options that you could observe and exploit. Look below to find out whether Shadow Volume Copies are still working. Additionally, there are cases when universal file recovery software helps.

Of course, the importance of having files in backup storages cannot be stressed out enough. If you become a victim of a ransomware infection, there is a very quick and easy way to deal with this. All you have to do is run a scan with an anti-malware tool and get rid of the virus. Then, once operating system is malware-free, you can import your digital data back. If you still have not taken advantage of online storages, we hope that you will consider doing so now.

Consider Reimage for the removal process of InfinityTear crypto-virus. This should help you discover all malicious threats in your operating system that you need to clean.

Which strategy of distribution was selected for this sample is currently not well defined. Nevertheless, we think that malicious spam campaigns are always strategies that ransomware infections follow. Also, weak remote desktop protocols (RDP) could be one of the reasons that malware managed to get in. Exploit kits could have also been explored for the sake of finding security vulnerabilities in certain devices.

Lastly, please remember that visiting unknown domains and also work in favor of hackers. Drive-by installations could automatically insert payloads into your device and you will have no idea that a malicious source is coming after your digital files, finances as security.

How to recover InfiniteTear ransomware virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again. CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before InfinityShadow has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of The_Last

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to InfiniteTear ransomware virus. You can check other tools here.


Step 3. Restore InfinityShadow affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually The_Last tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.


Previous version
b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover InfiniteTear ransomware virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files. Data Recovery Pro

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

References:

  1. Analysis. Virustotal.com.
  2. What is ransomware? Avast.com.
  3. Ransomware: don’t pay the ransom! Safecomputing.umich.edu.
     
 

About the author

 - Main Editor

I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.

 
August 17, 2017 01:17, August 17, 2017 01:17
 
   
 

Leave a Reply

Your email address will not be published. Required fields are marked *