This article aims to show you how to remove QkG ransomware entirely from the infected PC and how to restore encrypted files.
The QkG ransomware strain was recently detected by security researchers. An infection with QkG ransomware leads to the encryption of all Word files stored on the host. The threat is reported to use XOR encryption to corrupt target files and is believed to be under development. Encrypted files keep their original names and extensions; they can be recognized by a ransom note that appears when the file is opened. The creators of QkG ransomware demand a ransom payment in Bitcoin for file decryption.
| Summary | Details |
|---|---|
| Short Description | The ransomware encrypts files on your computer and demands a ransom. |
| Symptoms | The ransomware will encrypt your DOC and DOCX files, making them inaccessible. It will then drop a ransom note and open it automatically. |
| Distribution Method | Spam Emails, Email Attachments |
| Detection Tool | See If Your System Has Been Affected by QkG (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss QkG. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
QkG Ransomware – Spread Techniques
One of the most common ways to distribute ransomware payloads is spam email. Such messages usually contain file attachments that carry the malicious code or links to a corrupted web page. To make users more likely to interact with the infected elements, which results in an infection with QkG ransomware, crooks spoof the sender's email address and name, usually posing as representatives of popular and trustworthy businesses, governmental institutions, websites, etc.
At this point, QkG ransomware is known to be distributed exclusively via corrupted Microsoft Office documents with malicious macros embedded in them. The infection is triggered by the “Enable Editing” button that appears at the top of the document: clicking it allows the malicious macro scripts attached to the document to execute, which leads to the infection with QkG ransomware.
QkG Ransomware – Technical Insight
When the QkG crypto virus' payload penetrates the system, it may download additional malicious files from its C2 server or create a few itself. The folders that are often used by ransomware threats to store their files are:
Once QkG ransomware establishes its files on the system, it triggers a sequence of processes to carry the attack through to its end. As part of this, it may access the Windows Registry to modify the values in specific keys. These keys are usually Run and RunOnce, as they control which programs are launched at each Windows startup. The ransomware may use them to open its ransom note and to set its payload to start automatically on each Windows load.
Furthermore, it is possible that the QkG crypto virus runs the command line below to delete all Shadow Volume Copies stored on the PC:
vssadmin.exe delete shadows /all /Quiet
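The two behaviours just described, shadow-copy deletion and autorun-key modification, are what a defender would alert on. The following is an added detection example, not code from the original article: it classifies constructed, Sysmon-style events (EventID 1 process creation, EventID 13 registry value set; the field names and sample values are assumptions modelled on Sysmon, not real telemetry), and additionally flags the case where the acting process is an Office application, which matches the macro-based delivery the article describes.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon output:
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /Quiet",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",          # benign: listing only
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\note.doc"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},    # an installer writing Run
]

# The exact command from the article, tolerant of path, case and spacing.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Both autostart keys named in the article, under HKLM or any HKU hive.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")


def is_office_app(path):
    """True when the executable name is an Office application."""
    return path.lower().rsplit("\\", 1)[-1] in OFFICE_APPS


def classify(event):
    """Return the alert names raised by one event (empty list if benign)."""
    alerts = []
    if event["EventID"] == 1 and SHADOW_DELETE.search(event.get("CommandLine", "")):
        alerts.append("shadow_copy_deletion")
        if is_office_app(event.get("ParentImage", "")):
            alerts.append("office_spawned_vssadmin")
    if event["EventID"] == 13 and AUTORUN_KEY.search(event.get("TargetObject", "")):
        alerts.append("autorun_key_modified")
        if is_office_app(event.get("Image", "")):
            alerts.append("office_wrote_autorun")
    return alerts


def scan(events):
    """Index every event that raises at least one alert, with its alerts."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

The plain `autorun_key_modified` alert on its own is noisy (installers legitimately write Run keys, as the fourth sample shows); the Office-parent combinations are the high-confidence signals.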
QkG Ransomware – Encryption Process
QkG ransomware employs the XOR cipher to encrypt all files that have the DOC and DOCX extensions. Security researchers report that the QkG ransomware is designed to encipher Microsoft Word files only, so files that store audio recordings, videos, presentations, projects, spreadsheets, databases, and images are likely to remain usable after the infection. However, QkG ransomware is still under development, and it is possible that its creators will release a new variant that targets other file formats.
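XOR with a repeating key is the weak point of the encryption described above: both DOC (OLE2 compound file) and DOCX (ZIP) files begin with fixed header bytes, so a known-plaintext check can recover the key and the file contents. The following is an added recovery example, not code from the original article and not a decryptor for QkG's actual implementation: it assumes a repeating-key XOR whose key is at most half as long as the known header, and the sample document, key and ciphertext are constructed.

```python
# Known plaintext: OLE2 magic followed by the 16-byte CLSID, which is all zeros
# in practice for Word .doc files (24 known bytes); a .docx only gives the
# 4-byte ZIP local-file-header signature.
DOC_HEADER = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 16
DOCX_HEADER = b"PK\x03\x04"


def xor_bytes(data, key):
    """Apply a repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, known_prefix):
    """Recover a repeating XOR key from a known plaintext prefix.

    For each candidate length k, the key is C[:k] ^ P[:k]; it is accepted only
    if, repeated, it reproduces the whole known prefix, and only for
    2*k <= len(known_prefix) so that every key byte is confirmed by at least
    one repetition. Returns None when no candidate fits (key too long for the
    available known plaintext, or the file was not XOR-encrypted at all).
    """
    n = len(known_prefix)
    if len(ciphertext) < n:
        return None
    stream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix))
    for k in range(1, n // 2 + 1):
        cand = stream[:k]
        if all(stream[i] == cand[i % k] for i in range(n)):
            return cand
    return None


def decrypt_with_known_header(ciphertext, known_prefix):
    """Return the decrypted bytes, or None if the key could not be recovered."""
    key = recover_key(ciphertext, known_prefix)
    return None if key is None else xor_bytes(ciphertext, key)


# Constructed sample: a fake .doc body encrypted with a constructed 7-byte key.
SAMPLE_KEY = b"QkGkey!"
SAMPLE_DOC = DOC_HEADER + b"\x3e\x00\x03\x00\xfe\xff\x09\x00" + b"Hello from a test document."
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_DOC, SAMPLE_KEY)
```

Since the article says the ransom note is appended to each encrypted file, the note region would still have to be located and stripped after decryption; the 24 known bytes of a .doc header also bound the key length that can be confirmed, which is why a .docx with only 4 known bytes cannot confirm a 7-byte key.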
What happens to encrypted files is that their original content becomes inaccessible. Unlike other data locker ransomware, QkG does not change the names and extensions of the corrupted files but appends a ransom note to them. So each encrypted file displays the following ransom note once it is opened, and it reads:
I’m QkG@PTM17! by TNA@MHT-TT2
Send $300 to BTC Address: 14zA1NdTgtesLWZxtysLQQtsuKzjFbpydg
Contact Email: ***
The hacker with the nickname QkG@PTM17! demands a ransom of $300 in Bitcoin for a data decryption solution. If you fall victim to the QkG ransomware, be advised to avoid funding the criminals' vicious activities by paying them the ransom. Better try to deal with the problem by yourself; some of the possible ways are described in the instructions at the end of this article. Negotiating with the criminals is also best avoided.
Remove QkG Ransomware and Decrypt Files
In case of infection with QkG ransomware, you have to delete it as soon as possible. The removal guide below aims to help all infected users get rid of the threat. We have listed two approaches – manual and automatic. Both of them include a detailed description of all actions that should be carried out at each step. Have in mind that QkG ransomware has complex code, which makes its manual removal a hard task, and some leftovers may remain on the PC. For maximum efficiency, security researchers recommend scanning the machine with an advanced anti-malware tool that will catch all malicious files and objects so you can then remove them with a few mouse clicks.
Don’t forget to back up all encrypted files to an external drive before trying to recover them via alternative data recovery solutions.