Remove QkG Ransomware – Restore Encrypted Files

This article aims to show you how to remove QkG ransomware entirely from the infected PC and how to restore encrypted files.

The QkG ransomware strain has been recently detected by security researchers. An infection with QkG ransomware leads to encryption of all Word files stored on the host. The threat is reported to use XOR encryption to corrupt target files and is believed to be under development. After encryption, the names and extensions of the encrypted files remain unchanged. They can be recognized by a ransom note that appears when a file is opened. The creators of QkG ransomware demand a ransom payment in Bitcoins for file decryption.

Threat Summary

Name: QkG
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files on your computer and demands a ransom.
Symptoms: The ransomware will encrypt your DOC and DOCX files, making them inaccessible. It will then drop a ransom note and open it automatically.
Distribution Method: Spam Emails, Email Attachments

QkG Ransomware – Spread Techniques

One of the most common ways to distribute ransomware payloads is spam email. The messages usually contain file attachments that carry the malicious code or links to a corrupted web page. To make users more likely to interact with these elements, which results in an infection with QkG ransomware, crooks spoof the email address and the sender’s name. Usually, they pose as representatives of popular and trustworthy businesses, governmental institutions, websites, etc.

At this point, QkG ransomware is known to be distributed exclusively via corrupted Microsoft Office documents that have malicious macros embedded in them. The infection is triggered by the “Enable Editing” button that appears at the top of the document. Clicking it enables the execution of the malicious macro scripts attached to the document, which leads to infection with QkG ransomware.

QkG Ransomware – Technical Insight

When the QkG crypto virus’ payload penetrates the system, it may initiate a download of additional malicious files from its C2 server or create a few itself. The folders that are often used by ransomware threats to store their files are:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Common%
  • %System32%

Once QkG ransomware establishes its files on the system, it triggers a sequence of processes to carry the attack through to its end. As a result, it may access the Windows Registry to modify the values in specific keys. These keys are usually Run and RunOnce, as they control the performance of all currently running processes. The ransomware may use them to open its ransom note and set its payload to start automatically on each Windows load.

Furthermore, it is possible that QkG crypto virus will run the command line below to delete all Shadow Volume copies stored on the PC:

→vssadmin.exe delete shadows /all /Quiet
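
Detection logic for the two behaviours described above (shadow-copy deletion with vssadmin and writes to the Run and RunOnce keys), as an added example that is not part of the original article. The event dictionaries use Sysmon field names (EventID 1 for process creation, EventID 13 for a registry value set); the sample events, the severity labels and the list of Office parent processes are constructed assumptions.

```python
import re

# "vssadmin" or a full (optionally quoted) path to it, then "delete shadows", any case or spacing.
VSS_DELETE = re.compile(r'(?:^|[\\/"\s])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I)
# A value directly under a Run or RunOnce key (Sysmon renders HKCU as HKU\<SID>).
RUN_KEY = re.compile(
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$', re.I)
# Assumed list: the article ties the infection to a macro in a Word document.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return re.split(r'[\\/]', path or "")[-1].lower()

def triage(event):
    """Return (severity, reason) for one event dict, or None if it is not of interest."""
    eid = event.get("EventID")
    if eid == 1 and VSS_DELETE.search(event.get("CommandLine", "")):
        if basename(event.get("ParentImage")) in OFFICE_PARENTS:
            return ("critical", "shadow copies deleted by an Office process")
        return ("high", "shadow copies deleted")
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        if basename(event.get("Image")) in OFFICE_PARENTS:
            return ("critical", "Run/RunOnce value written by an Office process")
        return ("medium", "Run/RunOnce value written")
    return None

# Constructed sample events (not captured from a real QkG infection).
OFFICE = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": OFFICE,
     "CommandLine": "vssadmin.exe delete shadows /all /Quiet"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\VSSADMIN.EXE"  Delete  Shadows /All /quiet'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 13, "Image": OFFICE, "TargetObject":
     r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\note"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

def run_samples():
    return [triage(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(verdict, "<-", event.get("CommandLine") or event.get("TargetObject"))
```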

QkG Ransomware – Encryption Process

QkG ransomware employs the XOR cipher algorithm to encrypt all files that have the DOC and DOCX extensions. Security researchers report that the QkG ransomware is designed to encipher Microsoft Word files only. So all files that store audio records, videos, presentations, projects, spreadsheets, databases, and images are likely to work correctly after the infection. However, the QkG Ransomware is under development, and it is possible that its creators will release a new variant that targets other file formats.

The original content of encrypted files becomes inaccessible. Unlike other data locker ransomware, QkG does not change the names and extensions of the corrupted files but appends a ransom note to them. So each encrypted file displays the following ransom note once it is opened:

I’m [email protected]! by [email protected]
Send $300 to BTC Address: 14zA1NdTgtesLWZxtysLQQtsuKzjFbpydg
Contact Email: ***
7800320014003400580036001700380068003000

The hacker with the nickname [email protected]! demands a ransom of $300 in Bitcoins for a data decryption solution. If you fall victim to the QkG ransomware, avoid funding the criminals’ activities by paying them the ransom. It is better to try to deal with the problem yourself. Some of the possible ways are described in the instructions at the end of this article. It is also better to refrain from any negotiations with the criminals.

Remove QkG Ransomware and Decrypt Files

In case of infection with QkG ransomware, you have to delete it as soon as possible. The removal guide below aims to help all infected users get rid of the threat. We have listed two approaches – manual and automatic. Both of them include a detailed description of all actions that should be carried out at each step. Keep in mind that QkG ransomware has complex code, which makes its manual removal a hard task, and some leftovers may remain on the PC. For maximum efficiency, security researchers recommend scanning the machine with an advanced anti-malware tool that will catch all malicious files and objects so you can then remove them with a few mouse clicks.

Don’t forget to back up all encrypted files on an external drive and then try to recover them via alternative data recovery solutions.

To remove QkG follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove QkG files and objects
2. Find files created by QkG on your PC

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by QkG
Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections. She believes that in times of constantly evolving dependency of network connected technologies, people should spread the word not the war.
