.wq2k Files Virus - How to Remove It


This blog post explains what the .wq2k files ransomware is, how you can remove it from your computer, and how to try to restore encrypted files.

A new variant of B2DR ransomware, a family detected back in 2018, was recently discovered. The virus encrypts the files on affected machines and leaves the .wq2k file extension on the encrypted files. It also drops a ransom note that notifies victims that their files have been encrypted and that they have to pay a hefty ransom to recover them and get them to open again. If your computer has been affected by the B2DR ransomware virus, we strongly suggest that you read the article thoroughly.

Threat Summary

Name: .wq2k Files Virus
Short Description: B2DR virus is a typical ransomware that follows the classic infection behaviour pattern by encrypting target files with the .b2dr extension.
Symptoms: Computer users will be unable to access their data, which is encrypted with the .wq2k extension.
Distribution Method: Spam Emails, File Sharing Networks, Exploit Kits

.wq2k Virus – Infection Methods

The .wq2k ransomware virus may be spread via several different methods. Among the most commonly used is e-mail spam sent to victims. These “malspam” e-mails often carry malicious attachments that pretend to be legitimate spreadsheets, documents, presentations, CVs and several other types of files. To get users to open them, the crooks often present their files as important, such as a letter from the victim's bank, a receipt, an invoice or something else that is urgent.

The infection files could also hide in various types of fake software and files that are uploaded online. Besides documents, crooks may upload programs that pretend to be:

  • Software installers.
  • Portable versions of programs.
  • Cracks.
  • License activators.

.wq2k Files Virus – Infection Activity

The .wq2k files ransomware is the type of virus you do not want on your computer. The ransomware’s main purpose is to encrypt the files on your computer and render them unable to be opened.

To reach its end goal, the ransomware may create multiple different files on the computers of users. The files can be dropped in the following Windows directories:



  • %Local%

Once the files have been dropped on the computer of the victim, the malware may begin to perform some of the following malicious activities on the victimised PC:

  • Create mutexes.
  • Interfere with the Registry Editor.
  • Copy files from the victim PC.
  • Log keystrokes.
  • Obtain system data from the compromised computer.
  • Steal files from the infected machine.
  • Download files and update itself.

Furthermore, the .wq2k malware could also heavily modify the Windows Registry by creating registry values in the Run and RunOnce sub-keys of the infected computer. This is done in order to make the malicious files of the ransomware run automatically when the system boots.
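
The following added example (not part of the original article) shows one way to triage the Run and RunOnce keys mentioned above: it parses saved `reg query` output and lists autostart values whose command launches from a user-writable location such as the local application data folder. The sample output, the user name, the value names and the known_good baseline are constructed for illustration.

```python
import re

# Constructed sample of saved `reg query` output (invented user and values).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    updsvc    REG_SZ    C:\Users\alice\AppData\Local\updsvc.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    setup    REG_SZ    %LOCALAPPDATA%\Temp\setup_7f.exe
"""

AUTORUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?$")
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
USER_WRITABLE = re.compile(r"(?i)\\appdata\\local\\|%localappdata%|%temp%")


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value line in reg query output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m["name"], m["data"].strip()


def suspicious_autoruns(text, known_good=frozenset()):
    """Return Run/RunOnce values that launch from a user-writable directory
    and whose exact command is not in the known_good baseline."""
    return [
        (key, name, data)
        for key, name, data in parse_reg_query(text)
        if AUTORUN_KEY.search(key)
        and USER_WRITABLE.search(data)
        and data not in known_good
    ]
```

Legitimate software such as the OneDrive entry in the sample also starts from the local application data folder, so the result is a review list; passing the commands recorded from a clean machine as known_good narrows it to entries that are new.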

In addition to this, the .wq2k file ransomware may also disable Windows Recovery and delete the shadow volume copies of the compromised computer, with the main goal of removing any chance of the victims recovering their files via the default Windows methods. To do this, the .wq2k file ransomware may trigger an infection module, whose main purpose is to run commands as an administrator that will:

  • Disable Windows Recovery.
  • Disable the Shadow Copy Services.
  • Stop the Windows Backup Services.

The .wq2k files virus may also drop its ransom readme file, which aims to extort users by asking them to pay a ransom to the cyber-criminals in order to get their important files back. The file is called Readme.txt and has the following message to victims:

Your files were encrypted with AES-256.
Ask how to restore your files by email artilkilin@tuta.io.
Use only gmail.com, yahoo.com, protonmail.com.
Messages written from other mail services we can not get.
We always respond to messages. If there is no answer within 24 hours, then write us with another email service.
[OR] If within 24 hours you have not received a response, you need to follow the following instructions:
a) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en
b) From the TOR browser, follow the link: torbox3uiot6wchz.onion
c) Register your e-mail (Sign Up)
d) Write us on e-mail: ssananunak1987@torbox3uiot6wchz.onion
ATTENTION: e-mail (ssananunak1987@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion
Any actions on your part over encrypted files can damage them. Be sure to make backups!
In the message write us this ID:

.wq2k Files Virus – Encryption

The .wq2k files virus aims to encrypt only the files that you use often on your computer. The ransomware looks for the files, based on their file types and it may target the following types of data:

  • Documents.
  • Images.
  • Audio files.
  • Videos.
  • Archives.
  • Virtual Drive files.

The .wq2k malware strain has been pre-configured to skip the files that are essential for Windows to work, with the main goal of enabling you to use your PC to pay the ransom to the criminals.

When the .wq2k ransomware variant of B2DR encrypts files on the computers of victims, the malware may create copies of the original files and encrypt the copies, and shortly afterwards delete the original files completely, with no chance to recover them traditionally.

In addition to this, the .wq2k ransomware virus appends the e-mail of the criminals and the .wq2k suffix to the names of the encrypted files. The outcome of this is that the encrypted files are stripped of their file icon and start to appear like the following example:

→ New Word Document.docx.artilkilin@tuta.io.wq2k
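
The naming scheme shown above can be used to scope the damage before restoring from backups. The following added example (not part of the original article) walks a directory read-only, recognises names ending in the contact address and suffix from the article's example, and recovers each original file name; the directory tree in demo() is constructed, and the helper names are hypothetical.

```python
import os
import tempfile
from collections import Counter

# Contact address and suffix as they appear in the article's example file name.
MARKER = ".artilkilin@tuta.io.wq2k"


def original_name(encrypted_name, marker=MARKER):
    """Return the pre-encryption file name, or None when the name does not
    end with '.<contact e-mail>.wq2k' (compared case-insensitively)."""
    if not encrypted_name.lower().endswith(marker.lower()):
        return None
    stem = encrypted_name[: -len(marker)]
    return stem or None  # a bare marker carries no original name


def inventory(root):
    """Walk root without modifying anything. Returns (hits, per_ext): a sorted
    list of (encrypted_path, original_name) and a count per original extension."""
    hits, per_ext = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig is None:
                continue
            hits.append((os.path.join(dirpath, name), orig))
            per_ext[os.path.splitext(orig)[1].lower() or "(none)"] += 1
    return sorted(hits), dict(per_ext)


def demo():
    """Build a constructed directory tree and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Docs"))
        names = [
            "Docs/New Word Document.docx" + MARKER,
            "Docs/budget.xlsx" + MARKER.upper(),
            "Docs/untouched.docx",
            "holiday.jpg" + MARKER,
            "notes.wq2k",  # suffix without the contact address: not counted
        ]
        for rel in names:
            open(os.path.join(root, *rel.split("/")), "w").close()
        hits, per_ext = inventory(root)
        return [orig for _path, orig in hits], per_ext
```

The list of original names can then be compared against a backup catalogue to see which files have a clean copy available.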

Remove .wq2k Ransomware and Restore Your Files

To remove the .wq2k ransomware virus, we suggest that you follow the removal instructions underneath this article. They have been created to help you with manual and automatic removal steps. If the manual steps fail to help, we suggest that you try the latter two removal steps, which take a more automatic approach to the removal. For maximum effectiveness, security experts strongly advise using advanced anti-malware software. Such programs are created to help detect and remove malicious files belonging to such ransomware viruses and to ensure that your computer remains protected against future infections as well.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
