.aqva Ransomware — How to Remove Virus Infections

This article will help you remove .aqva Ransomware. Follow the ransomware removal instructions provided at the end of the article.

.aqva Ransomware encrypts your data and demands money as a ransom to get it restored. Encrypted files will receive the .aqva extension. The .aqva Ransomware will leave its ransom instructions as a desktop wallpaper image. Keep on reading the article to see how you could try to recover some of your locked files and data.

Threat Summary

Name: .aqva Ransomware
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files, appends the .aqva extension to the affected files on your computer system and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution Method: Spam Emails, Email Attachments

.aqva Ransomware – Distribution Techniques

The .aqva ransomware samples have been found in a limited attack campaign, which does not reveal which distribution tactic is the main one. This is a new release that is part of the Dharma/CrySiS ransomware family and as such uses the most popular tactics. Some of them include the following:

  • Email Phishing Scams — The hackers will create email messages that pose as legitimate notifications coming in from services or companies. This is done by copying their design elements and body contents which makes it very difficult to differentiate them from the real ones. Usually the .aqva ransomware files will be attached directly or linked in the messages.
  • Malicious Sites — Fake sites can be crafted by the hackers that imitate well-known services, product landing pages, portals and search engines. Whenever the users interact with any content hosted on them the .aqva ransomware infection may be triggered.
  • Infected Documents — This is a typical payload delivery mechanism in which the .aqva ransomware is delivered by a script that is embedded in the macros of documents. This is especially dangerous as they can be delivered across all popular file formats: text documents, presentations, databases and spreadsheets.
  • Application Installers — They are made by taking the legitimate setup files from their official sources and modifying them to include the relevant code. Usually the hackers target the most popular applications that are downloaded by end users: creativity suites, system utilities, office and productivity tools.
  • Dangerous Web Browser Plugins — Another popular mechanism is to create so-called “hijackers”: dangerous plugins made compatible with the most popular web browsers. They are usually uploaded to the relevant repositories with elaborate descriptions, fake user reviews and fake developer credentials.

.aqva Ransomware – Detailed Analysis

As a new sample belonging to the Dharma family of threats the .aqva ransomware is built on a modular platform. This enables each campaign to behave in a different way. According to the previous samples this virus will probably launch some of the most popular modules as attributed to the main Dharma ransomware engine:

  • Initial Information Gathering — The ransomware engine can be configured to retrieve sensitive information from the infected computers. An example is the personal information that can directly reveal the identity of the users. This is done by programming the engine to look for strings such as their name, address, phone number, interests and any stored account credentials. This same mechanism can be used to create a unique ID that is assigned to each individual computer. It is usually done by using an algorithm that takes its input from data such as the installed hardware parts list, environment values and user settings.
  • Security Bypass — Using the acquired information the .aqva ransomware is able to scan the local machines for the presence of any security software that can block the .aqva infection. Their real-time engines can be bypassed or entirely removed and the list of the most common types is the following: anti-virus products, firewalls, intrusion detection systems, debug environments and virtual machine hosts.
  • Boot Options Modification — The main .aqva ransomware engine can be programmed to change important parameters and configuration files that will lead to the creation of a scheduled task. This means that the threat will be automatically launched as soon as the computer is powered on. In many cases this action will also block access to the boot and recovery menus. This action will render most manual user recovery instructions non-working as they depend on this access.
  • Windows Registry Modifications — The .aqva main engine can modify the Windows Registry in order to change values that belong both to the operating system and any third-party applications. This leads to severe performance issues to the point of rendering the system completely unusable until the virus is removed. Individual applications can be affected as well — some functions may stop working and unexpected errors can come up.
  • Data Removal — The ransomware can delete sensitive data, including personal files and system files such as Restore Points, Backups and Shadow Volume Copies. When this is engaged the victims will need to use a combination of data recovery software and an anti-malware solution.
  • Additional Payload Delivery — Viruses like this one are usually programmed to deliver additional malware to the compromised machines. This is done because the engine has already bypassed the security and the delivered threat can launch all sorts of actions.

The .aqva ransomware samples can be reconfigured at any given time.
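The Boot Options and Windows Registry items above describe the engine arranging to launch at every start-up. One check a responder can make when scoping such an infection is to audit the autorun entries on the machine. The script below is an added example, not code from the article or from the Dharma family: it parses a Registry export of the Run keys (the export text is constructed for the example) and flags entries whose program lives in a user-writable location such as AppData or Temp. Run keys as the persistence location, and the list of suspicious directory roots, are assumptions made for this example.

```python
"""Flag suspicious autorun entries in a Windows Registry export.

Added example (not code from the article). Parses a .reg export of the
HKCU/HKLM ...\\CurrentVersion\\Run keys and flags entries whose executable
sits under a user-writable directory, which is where a dropped payload
usually lives. The export text and the directory list are constructed
assumptions for this example.
"""
import re

# Constructed sample export in the format written by `reg export`; not real data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Loader"="C:\\Windows\\Temp\\payload.exe -s"
'''

# Assumed set of directory roots a user (or malware running as that user) can write to.
SUSPICIOUS_ROOTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_run_keys(text: str) -> list:
    """Return (key, value_name, command) triples for every value under a ...\\Run key."""
    entries = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.startswith('"') and current and current.lower().endswith("\\run"):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                name, raw = m.groups()
                # Undo .reg escaping: \" -> " and \\ -> \
                command = raw.replace('\\"', '"').replace("\\\\", "\\")
                entries.append((current, name, command))
    return entries


def executable_path(command: str) -> str:
    """Extract the program path from a Run value, handling quoted paths and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    lower = command.lower()
    idx = lower.find(".exe")
    if idx != -1:
        return command[: idx + 4]
    return command.split()[0]


def is_suspicious(path: str) -> bool:
    """True when the program sits under one of the user-writable roots."""
    lowered = path.lower()
    return any(root in lowered for root in SUSPICIOUS_ROOTS)


def audit(text: str) -> list:
    """Audit every Run entry in the export and mark the suspicious ones."""
    findings = []
    for key, name, command in parse_run_keys(text):
        path = executable_path(command)
        findings.append({"key": key, "name": name, "path": path,
                         "suspicious": is_suspicious(path)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']:16} {f['path']}")
```

Entries flagged this way are leads to verify (hash the file, check its signature and creation time), not verdicts; a legitimate updater can also live under AppData.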

.aqva Ransomware – Encryption Process

Like previous Dharma malware samples the .aqva ransomware will launch the encryption engine once all prior modules have finished running. It will probably use a built-in list of target file type extensions which are to be processed by a strong cipher. An example list can include the following data types:

  • Backups
  • Databases
  • Archives
  • Images
  • Music
  • Videos

All affected files will receive the .aqva extension.
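Because every encrypted file carries the .aqva extension, the first step in responding is scoping: listing which files were hit and what kind of data they were. The script below is an added example, not code from the article or the ransomware: it walks a directory tree, collects every file ending in .aqva, recovers the probable original name by stripping that trailing extension, and counts the hits by the data categories the article lists. The mapping from file extensions to those categories and the temporary sample tree it builds are constructed assumptions for this example.

```python
"""Scope an .aqva encryption incident on a file tree.

Added example (not code from the original article). Walks a directory,
lists every file carrying the .aqva extension, recovers the probable
original name, and groups the results by the article's categories
(backups, databases, archives, images, music, videos). The extension
mapping and the sample tree are assumptions made for this example.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".aqva"

# Assumed mapping of original extensions to the article's categories.
CATEGORIES = {
    "backups":   {".bak", ".bkp", ".vbk"},
    "databases": {".db", ".sqlite", ".mdb", ".sql"},
    "archives":  {".zip", ".rar", ".7z", ".tar"},
    "images":    {".jpg", ".png", ".gif", ".bmp"},
    "music":     {".mp3", ".wav", ".flac"},
    "videos":    {".mp4", ".avi", ".mkv"},
}


def original_name(encrypted: str) -> str:
    """Strip the trailing .aqva extension to recover the probable original name."""
    if encrypted.lower().endswith(RANSOM_EXT):
        return encrypted[: -len(RANSOM_EXT)]
    return encrypted


def categorize(original: str) -> str:
    """Map the original file's extension to one of the article's data categories."""
    ext = Path(original).suffix.lower()
    for category, exts in CATEGORIES.items():
        if ext in exts:
            return category
    return "other"


def scope_tree(root: str) -> dict:
    """Return the sorted list of encrypted paths and a per-category count."""
    encrypted = []
    by_category = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(RANSOM_EXT):
                encrypted.append(os.path.join(dirpath, name))
                by_category[categorize(original_name(name))] += 1
    return {"encrypted": sorted(encrypted), "by_category": by_category}


def build_sample_tree() -> str:
    """Constructed sample tree standing in for a victim's share; returns its root."""
    root = tempfile.mkdtemp(prefix="aqva_scope_")
    sample = [
        "docs/report.docx.aqva",
        "docs/notes.txt",
        "backup/site.bak.aqva",
        "media/holiday.jpg.aqva",
        "media/song.mp3.aqva",
        "db/customers.sqlite.aqva",
    ]
    for rel in sample:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scope_tree(root)
    print(f"{len(result['encrypted'])} encrypted files under {root}")
    for cat, n in sorted(result["by_category"].items()):
        print(f"  {cat:10} {n}")
```

Run it against a copy or a read-only mount rather than the live system, and keep the list of paths: it tells you which backups to restore first and which files to hand to a recovery tool if no decryptor becomes available.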

Remove .aqva Ransomware and Try to Restore Data

If your computer system got infected with the .aqva ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step removal guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
