What is Incanto Ransomware? And how does it launch its attack?

Incanto ransomware is a new file-encrypting threat that first emerged on September 16, 2017. It mainly targets computers running Windows operating system. It highly damages files using the RSA 1024 and AES encryption algorithms. It spreads using spam emails with corrupted attached files. These corrupted files are used to initiate the attack. Once it successfully infiltrated the computer, it scans the computer’s directories looking for the following file types:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, ,doc, .epub, .docx .fb2, .flv, .gif, .gz, .iso .ibooks, .jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr.
It then drops a text file named “!!!GetBackData!!!.txt” on several locations in the computer. This text file contains the ransom message which is as follows:
“All your important files were encrypted on this PC.
All files with .INCANTO extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet.
To retrieve the private key, you need to contact us by email [email protected] send us an email your !!!GetBackData!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-2 not very big encrypted files and we wills end you back it in a decrypted form free.
To send files you can use http://dropmefiles.com/
Your personal id: [redacted]
E-mail address to contact us:
[email protected]
Reserve email address to contact us:
[email protected]
Losing your files is definitely not a pleasant experience. However, paying the demanded ransom in exchange for their recovery isn’t actually a good solution – In a way that you can’t trust these crooks. Most of the time, they tend to ignore their victims once payment is already sent. So really, you will just waste your money and time trying to negotiate with these up to no good criminals.
There are other ways for you to recover your encrypted files without paying a cent. If you’re lucky and Incanto ransomware didn’t bother to delete the Shadow Volume copies of your affected files, then you can definitely decrypt them.

How does Incanto ransomware spread its corrupted files?

Like stated earlier, Incanto uses one of the common distribution methods for ransomware infections which is through spam email campaigns. The crooks usually disguise this email with a catchy subject telling you that it’s an urgent matter and that you have to open the email and download its attachment. When you see this kind of email, you have to be cautious and check if the sender is reliable or not. Cyber crooks use these corrupted attachments to drop the ransomware’s malicious executable file on the computer and start its attack.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Proceed to the Processes tab and look for suspicious processes that can be related to the Incanto Ransomware and end them.

Step 3: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.

Step 4: Look for Incanto ransomware or any malicious program and then Uninstall it.

Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below and then look for the corrupted files such as its ransom note, !!!GetBackData!!!.txt created by Incanto.

  • C:\Users\(your pcname)\AppData\Roaming
  • %TEMP%.
  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop

The next step below is not recommended for you if you don’t know how to navigate the Registry Editor. Making registry changes can highly impact your computer. So it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Incanto ransomware created. So if you are not familiar with the Windows Registry skip to Step 9 onwards.

However, if you are well-versed in making registry adjustments, then you can proceed to step 7.
Step 7: Open the Registry Editor, to do so, tap Win + R and type in regedit and then press enter.
Step 8: Navigate to the following path:
Step 9: Delete the registry value named DECRYPTINFO as well as other suspicious registry value.
Step 10: Close the Registry Editor and empty the Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Incanto ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Follow the continued advanced steps below to ensure the removal of the Incanto ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

  1. Turn on your computer. If it’s already on, you have to reboot
  2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

  1. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
  2. Windows will now load the Safe Mode with Networking.
  3. Press and hold both R key and Windows key.

  1. If done correctly, the Windows Run Box will show up.
  2. Type in Apollolocker http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between Apollolocker and http. Click OK. 

  1. A dialog box will be displayed by Internet Apollolocker. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.

  1. Click OK to launch the program.
  2. Run SpyRemover Pro and perform a full system scan.

  1. After all the infections are identified, click REMOVE ALL.

  1. Register the program to protect your computer from future threats.
logo main menu

Copyright © 2023, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: FixMyPcFree.com is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only.

DMCA.com Protection Status

Log in with your credentials

Forgot your details?