Watch Out! “Incaseformat” Came Back

January 18, 2021 | Mina Hao

The recent outbreak of the Incaseformat virus has affected many industries. It is critical because it removes all non-system files, causing serious data loss. The virus has appeared before; it has now come back and infected many hosts, especially in China. As of 14 Jan, 2:00 P.M. (GMT+8), NSFOCUS Labs and NSFOCUS Threat Intelligence have detected 468 file hashes of its variants.

The virus probably first appeared in 2009, and mainstream anti-virus software vendors all named it Worm.Win32.Autorun. As the name shows, it spreads on the Windows platform through removable media. When the virus runs from a non-system disk, it copies itself to the Windows directory, disguises its icon as a folder, and modifies the registry so that it starts automatically. The copy in the Windows directory runs after the host restarts; it then traverses all the directories under the non-system partitions, sets them to hidden, and creates a virus file with the same name as each one. In addition, it modifies the registry to disable the display of hidden files and to hide the file extensions of known file types, and finally deletes all files in the non-system partitions and creates the incaseformat.log file.
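The file-system traces described above (a hidden directory beside a same-named file, and the incaseformat.log file) can be checked with a short triage script. This is an added example, not NSFOCUS code; the function names, the constructed sample listing and the assumption that the same-named copy has an `.exe` extension are not from the article.

```python
import os

MARKER = "incaseformat.log"        # log file name given in the article
FILE_ATTRIBUTE_HIDDEN = 0x2        # Windows "hidden" attribute bit
EXEC_EXTS = {".exe"}               # assumption: the same-named copy is an .exe


def list_entries(directory):
    """Yield (name, is_dir, hidden) for the direct children of a directory."""
    with os.scandir(directory) as it:
        for entry in it:
            st = entry.stat(follow_symlinks=False)
            # st_file_attributes exists only on Windows; elsewhere hidden=False.
            attrs = getattr(st, "st_file_attributes", 0)
            yield (entry.name, entry.is_dir(follow_symlinks=False),
                   bool(attrs & FILE_ATTRIBUTE_HIDDEN))


def triage(entries):
    """Return (kind, name) findings for one directory listing."""
    entries = list(entries)
    hidden_dirs = {n.lower() for n, is_dir, hidden in entries if is_dir and hidden}
    findings = []
    for name, is_dir, _hidden in entries:
        if is_dir:
            continue
        stem, ext = os.path.splitext(name.lower())
        if name.lower() == MARKER:
            findings.append(("marker", name))
        elif ext in EXEC_EXTS and stem in hidden_dirs:
            # A hidden folder next to an executable of the same name.
            findings.append(("decoy", name))
    return findings


def scan(root):
    """Walk a non-system partition and collect findings per directory."""
    report = {}
    for dirpath, _dirs, _files in os.walk(root):
        found = triage(list_entries(dirpath))
        if found:
            report[dirpath] = found
    return report


# Constructed listing of a data-drive root, not taken from a real host.
SAMPLE = [("Projects", True, True), ("Projects.exe", False, False),
          ("Photos", True, False), ("Photos.exe", False, False),
          ("setup.exe", False, False), ("incaseformat.log", False, False)]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a Windows host, `scan("D:\\")` applies the same checks to every directory of a data drive; the hidden-attribute check only has effect on Windows.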

Up to 40% of the world’s attacks originate from China. China-based threat intelligence provides complete visibility into the cyber threat landscape. NSFOCUS Threat Intelligence provides its unique value to cover the 40% of threats via the 10,000 Active Customers, 15,000 NSFOCUS devices acting as network sensors, and 400 million endpoints through our partnerships with AV companies (Kingsoft) operating inside China. The other “60%” is collected throughout the rest of the world via our research centers worldwide.

Empowered by NSFOCUS Threat Intelligence, all NSFOCUS products share real-time threat information and are equipped with the capability to detect the virus and its variants.