Remove QkG Ransomware – Restore Encrypted Files


This article aims to show you how to remove QkG ransomware entirely from the infected PC and how to restore encrypted files.

The QkG ransomware strain was recently detected by security researchers. An infection with QkG ransomware leads to the encryption of all Word files stored on the host. The threat is reported to use XOR encryption to corrupt target files and is believed to be under development. After encryption, all encrypted files keep their original names and extensions; they can be recognized by a ransom note that appears when a file is opened. The creators of QkG ransomware demand a ransom payment in Bitcoin for file decryption.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files on your computer and demands a ransom.
Symptoms: The ransomware encrypts your DOC and DOCX files, making them inaccessible. It then drops a ransom note and opens it automatically.
Distribution Method: Spam emails, email attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only some of them, depending on the situation and on whether you have reformatted your drive.

QkG Ransomware – Spread Techniques

One of the most common ways of distributing ransomware payloads is spam email. Such messages usually contain file attachments that carry the malicious code, or links to a corrupted web page. To make users more likely to interact with the infected elements, which results in an infection with QkG ransomware, the crooks spoof the sender's email address and name. Usually they pose as representatives of popular and trustworthy businesses, government institutions, websites, etc.

At this point, QkG ransomware is known to be distributed exclusively via corrupted Microsoft Office documents with malicious macros embedded in them. The infection is triggered by the "Enable Editing" button that appears at the top of the document: clicking it enables execution of the malicious macro scripts attached to the document, which leads to infection with QkG ransomware.

[Image: the "Enable Editing" button in Word, as shown by a QkG ransomware attack document]
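Because the only known delivery vector is a macro-carrying Word document, a mail gateway or analyst can hold such documents before a user ever sees the "Enable Editing" prompt. The following triage check is an added example, not code from the article or from any vendor: it opens an Office Open XML (.docx/.docm) container as a zip and reports whether it carries a VBA project part or declares the macro-enabled content type. The sample documents are constructed in memory with a placeholder blob instead of a real VBA project; legacy binary .doc files are OLE2 compound files and need a different parser (noted in the code, not handled here).

```python
"""Triage an Office Open XML document for an embedded VBA project (added example)."""
import io
import zipfile

# In OOXML the macro code lives in this zip member.
VBA_PART = "word/vbaProject.bin"
# Content type Word declares for macro-enabled documents (.docm).
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_document(with_macros: bool) -> bytes:
    """Construct a minimal Word container; with_macros=True adds a (placeholder) VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macros:
            ctypes += (b'<Override PartName="/word/document.xml" ContentType="'
                       + MACRO_CONTENT_TYPE + b'"/>')
        ctypes += b"</Types>"
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            # Constructed placeholder, not a real VBA project stream.
            zf.writestr(VBA_PART, b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def triage_document(data: bytes) -> dict:
    """Report whether the blob is OOXML, carries a VBA part, and declares macro content."""
    findings = {"is_ooxml": False, "has_vba_project": False, "macro_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc (OLE2) or not an Office file at all: needs an OLE2 parser instead.
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["is_ooxml"] = "[Content_Types].xml" in names
        findings["has_vba_project"] = VBA_PART in names
        if findings["is_ooxml"]:
            findings["macro_content_type"] = MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: any document carrying a VBA project is held for review."""
    f = triage_document(data)
    return bool(f["has_vba_project"] or f["macro_content_type"])


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_document(False)),
                       ("macro", build_sample_document(True))):
        print(label, triage_document(doc), "quarantine:", should_quarantine(doc))
```

Checking the zip member list is deliberately independent of the file extension: renaming a macro-enabled document does not remove the VBA part, so the container, not the name, decides.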

QkG Ransomware – Technical Insight

When the payload of the QkG crypto virus penetrates the system, it may download additional malicious files from its C2 server or create a few itself. The folders that ransomware threats often use to store their files are:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Common%
  • %System32%

Once QkG ransomware has established its files on the system, it triggers a sequence of processes to carry the attack through to its end. As a result, it may access the Windows Registry to modify the values in specific keys. These are usually the Run and RunOnce keys, as they control which programs are started automatically. The ransomware may use them to open its ransom note and to set its payload to start on each Windows load.

Furthermore, it is possible that the QkG crypto virus will run the command line below to delete all Shadow Volume Copies stored on the PC:

vssadmin.exe delete shadows /all /Quiet
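Both behaviours just described, a Run/RunOnce value pointing into a staging folder such as %AppData% or %Temp%, and a launch of `vssadmin.exe delete shadows /all /Quiet`, are visible in endpoint telemetry. The following detection logic is an added example, not code from the article: it runs two rules over constructed log lines in a simplified key=value format loosely modelled on Sysmon event IDs 1 (process create) and 13 (registry value set). Real Sysmon events are XML/EVTX and need their own parser; the event field names and the sample paths are assumptions for illustration.

```python
"""Flag shadow-copy deletion and Run-key persistence in sample telemetry (added example)."""
import re

# Folders the article lists as common ransomware drop locations. %System32% and
# %Common% are listed too but match far too many legitimate programs for a bare
# substring rule, so they are left out of this rule.
STAGING_DIRS = ("appdata", "temp", "roaming")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# key=value pairs; values may be double-quoted when they contain spaces.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry (no real QkG artefacts).
SAMPLE_LOG = r"""EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /Quiet"
EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details="C:\Users\alice\AppData\Roaming\note_opener.exe"
EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details="C:\Program Files\Microsoft OneDrive\OneDrive.exe"
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows"
"""


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict; quoted and unquoted values both supported."""
    return {k: (q if q else u) for k, q, u in PAIR_RE.findall(line)}


def detect_shadow_deletion(ev: dict):
    """Rule 1: process creation whose command line deletes Volume Shadow Copies."""
    if ev.get("EventID") != "1":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
        return "shadow-copy deletion: " + ev["CommandLine"]
    return None


def detect_run_key_persistence(ev: dict):
    """Rule 2: Run/RunOnce value whose data points into a user-writable staging folder."""
    if ev.get("EventID") != "13":
        return None
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if RUN_KEY_RE.search(target) and any(d in details.lower() for d in STAGING_DIRS):
        return f"Run-key persistence from staging dir: {target} -> {details}"
    return None


def scan_log(text: str) -> list:
    """Apply both rules to every line and collect the alerts in log order."""
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        for rule in (detect_shadow_deletion, detect_run_key_persistence):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The legitimate OneDrive autorun entry and the harmless `vssadmin.exe list shadows` call are in the sample on purpose: a rule that fires on every Run-key write or every vssadmin launch drowns the analyst, so the rules key on the staging folder and on the `delete shadows` verb respectively.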

QkG Ransomware – Encryption Process

QkG ransomware employs the XOR cipher to encrypt all files with the DOC and DOCX extensions. Security researchers report that QkG is designed to encipher Microsoft Word files only, so files that store audio, video, presentations, projects, spreadsheets, databases, and images are likely to keep working after the infection. However, QkG ransomware is under development, and it is possible that its creators will release a new variant that targets other file formats.
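Why XOR is a weak choice for a file locker is easiest to see in code. The following is an added example, not QkG's actual routine and not code from the article: a constructed .doc-like buffer is XOR-encrypted with a short repeating key, and the key is recovered from nothing but the format's fixed header bytes (an OLE2 file starts with an 8-byte signature followed by a 16-byte header CLSID that the MS-CFB specification requires to be all zeros, so 24 bytes of plaintext are known in advance). The key length, the repeating-key construction and the sample key are assumptions for illustration; the article says only that QkG uses XOR.

```python
"""Known-plaintext key recovery against repeating-key XOR on Word files (added example)."""
from itertools import cycle
from typing import Optional, Tuple

# Legacy .doc (OLE2): 8-byte signature plus a 16-byte all-zero header CLSID.
DOC_KNOWN_PREFIX = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(16)
# .docx is a zip container: only the 4-byte local file header signature is fixed.
DOCX_KNOWN_PREFIX = b"PK\x03\x04"

SAMPLE_KEY = b"QkG!17"  # constructed key for the demo, not QkG's real key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Key byte i = ciphertext[i] XOR known_plaintext[i], for the first key_len bytes."""
    if key_len > len(known_prefix):
        raise ValueError("known plaintext shorter than key")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def try_recover(ciphertext: bytes, max_key_len: int = 16) -> Optional[Tuple[bytes, bytes]]:
    """Try both Word formats and key lengths 1..max_key_len; return (key, plaintext) or None.

    A candidate key is only accepted if it is shorter than the known prefix and
    decrypting the whole prefix reproduces it, so at least one byte beyond the
    key actually verifies the guess instead of matching trivially.
    """
    for prefix in (DOC_KNOWN_PREFIX, DOCX_KNOWN_PREFIX):
        for key_len in range(1, min(max_key_len, len(prefix) - 1) + 1):
            key = recover_key(ciphertext, prefix, key_len)
            if xor_bytes(ciphertext[:len(prefix)], key) == prefix:
                return key, xor_bytes(ciphertext, key)
    return None


def build_doc_sample() -> bytes:
    """Constructed .doc-like buffer: OLE2 header fields followed by filler text."""
    return DOC_KNOWN_PREFIX + b"\x3e\x00\x03\x00\xfe\xff" + b"Constructed document body. " * 4


def build_docx_sample() -> bytes:
    """Constructed .docx-like buffer: zip local header signature plus filler."""
    return DOCX_KNOWN_PREFIX + b"\x14\x00\x00\x00" + b"constructed zip data"


def demo() -> Tuple[Optional[Tuple[bytes, bytes]], Optional[Tuple[bytes, bytes]]]:
    """Recovery succeeds for the .doc sample (24 known bytes) and fails for .docx (4 known bytes)."""
    doc_result = try_recover(xor_bytes(build_doc_sample(), SAMPLE_KEY))
    docx_result = try_recover(xor_bytes(build_docx_sample(), SAMPLE_KEY))
    return doc_result, docx_result


if __name__ == "__main__":
    doc_result, docx_result = demo()
    print("doc :", doc_result[0] if doc_result else None)
    print("docx:", docx_result)
```

The .docx case returning None with the same six-byte key is the caveat a responder should keep in mind: with only four fixed header bytes the zip format gives much less free plaintext, so recovery there needs a longer known region (a predictable `[Content_Types].xml` part, for instance) or a clean copy of one file encrypted by the same key. A key as long as the file and never reused is not recoverable this way at all, which is why backing up the encrypted files before attempting anything, as the article advises, matters.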

What happens to encrypted files is that their original content becomes inaccessible. Unlike other data-locker ransomware, QkG does not change the names or extensions of the corrupted files but appends a ransom note to them, so each encrypted file displays the following ransom note once it is opened:


And it reads:

I’m QkG@PTM17! by TNA@MHT-TT2
Send $300 to BTC Address: 14zA1NdTgtesLWZxtysLQQtsuKzjFbpydg
Contact Email: ***

The hacker using the nickname QkG@PTM17! demands a ransom of $300 in Bitcoin for a decryption solution. If you fall victim to QkG ransomware, be advised to avoid funding the criminals' activities by paying them the ransom. It is better to deal with the problem yourself; some of the possible ways are described in the instructions at the end of this article. Any negotiations with the criminals are also best avoided.

Remove QkG Ransomware and Decrypt Files

In case of infection with QkG ransomware, you have to delete it as soon as possible. The removal guide below aims to help all infected users get rid of the threat. We have listed two approaches, manual and automatic; both include a detailed description of the actions to be carried out at each step. Bear in mind that QkG ransomware has complex code, which makes manual removal a hard task, and some leftovers may remain on the PC. For maximum efficiency, security researchers recommend scanning the machine with an advanced anti-malware tool that will catch all malicious files and objects so you can then remove them with a few mouse clicks.

Don’t forget to back up all encrypted files on an external drive and then try to recover them via alternative data recovery solutions.

Gergana Ivanova


Gergana has completed a bachelor's degree in Marketing at the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.
