In late September 2018, malware analyst Karsten Hahn shared on Twitter his discovery of a new cryptovirus called Qinynore ransomware. The virus was seen appending the .anonymous extension to the files it encrypts and demanding a ransom of 400€ in Bitcoin (0.68266375 BTC). It was soon established that this is just another copy of Hidden Tear. The main ransom note is a plain black-on-white .rtf text file, followed by a dark desktop wallpaper showing a Guy Fawkes mask with green lettering that continues the ransom note's explanation.
Ransomware is the type of malware most worth avoiding because of the sometimes irreversible damage it does to a system. Yet if you have become a victim of the Qinynore crypto-demanding virus, don't rush to pay the crooks: the 2-viruses team may have a solution not only for deleting this notorious threat but also for restoring the locked files. If you would like to learn more, keep reading this article to learn our tricks.
How does Qinynore ransomware work
Qinynore ransomware is a crypto-locking virus based on the Hidden Tear open-source sample. That means that although the virus has all the capacity to encrypt your files and ask for a ransom, it works just like any other copy – IT.Books, .good, ShutUpAndDance, AndreaGalli, PooleZoor, Sorry, Horros. Hidden Tear is popular with script kiddies, who do not need to know much about computers to make a crypto locker and earn money from it. All they have to do is change the ransom note and amount, the extension, the contact info and the picture, and create macros for spreading it. These exterior features are basically the only differences between variants. You can see the technical information on Qinynore ransomware on Virustotal.com.
Once the Qinynore threat is inside the computer, it performs, jack-of-all-trades style, a whole set of functions in order to survive in the system while staying unnoticed by the antivirus. It modifies Windows registry keys, alters 'c:\autoexec.bat' so that it starts with each system restart, and looks for files that are pictures, videos, documents and so on (but not system files) so that they can be encrypted. It then runs the AES cipher, making your precious data unavailable. You can recognize these files by the extension that Qinynore ransomware appends – .anonymous (the infected file 'yourfilesname.jpg' becomes 'yourfilesname.jpg.anonymous'). After that, it drops the ransom note 'YOU_MUST_READ_ME.rtf' and the 'lol.jpg' wallpaper to explain what happened to your PC and to ask for a ransom of 400€ for your locked files. All of this happens in a matter of seconds. The ransom note reads:
Files has been encrypted with Qinynore ransomware, a Russian
Hacker organization in association with anonymous.
Send me some bitcoins or say goodbye to your files
Note: Don’t try to be smart, if you are seeing this it means
that even if your antivirus detect the virus the files are already encryped.
Even If you can’t see time is still counting, do not forget, 5
hours to pay since you got infected
First lol.jpg wallpaper:
NOTE: IF YOU TRY TO SHUTDOWN OR REMOVE THIS MALWARE
FROM YOUR PC YOU WON T BE ABLE TO RECOVER YOUR FILES!!!
WE ARE ANONYMOUS.
WE ARE LEGION.
WE DO NOT FORGET.
WE DO NOT FORGIVE.
YOU HAVE 5 HOURS TO PAY 0,68266375 BITCOINS(400€)
TO THIS ADRESS: 940927654672984
OR YOU WON’T GET YOUR FILES BACK
Second wallpaper, but same variant:
We are Anonymous.
We Are Legion.
We do not forget.
We do not forgive.
You have 48 hours to pay
0.68266375 Bitcoins = 400 € to this adress:
Or you won’t get your files back.
There is no proof that Qinynore ransomware actually gives you 5 hours to pay the ransom and then deletes the unique decryption key; the crooks may just be bluffing to scare the victim (the most probable case). Either way, we do not advise paying them any money. You should never trust crooks, whatever they imply, but especially here, because Qinynore ransomware does not even give you a contact email to which you could send your unique ID so they know which unlocking key to retrieve and where to send the decryptor. We are sure that the Qinynore virus developers would simply take your money and leave you with the same blocked data.
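The behaviour described in this section (a suffix appended to each encrypted file, a note and a wallpaper dropped beside them) is enough to build a quick triage script for a suspect folder. The following is an added example written for this article, not code from the original post or from the malware: it walks a directory tree, maps every .anonymous file back to its original name (Hidden Tear copies only append the suffix), lists the dropped artifacts, and builds a constructed sample tree so it can be run offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators the article describes: the appended extension, the dropped
# ransom note and the wallpaper image. Used for triage only.
ENCRYPTED_SUFFIX = ".anonymous"
DROPPED_ARTIFACTS = {"YOU_MUST_READ_ME.rtf", "lol.jpg"}


def triage_tree(root):
    """Walk a directory tree and inventory Qinynore artifacts.

    Returns the encrypted files found (mapped back to the original name,
    since the virus only appends a suffix), the dropped note/wallpaper
    paths, and a boolean verdict.
    """
    encrypted = {}
    artifacts = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                # 'photo.jpg.anonymous' -> 'photo.jpg'
                encrypted[full] = full[: -len(ENCRYPTED_SUFFIX)]
            elif name in DROPPED_ARTIFACTS:
                artifacts.append(full)
    return {
        "encrypted": encrypted,
        "artifacts": artifacts,
        "infected": bool(encrypted) or bool(artifacts),
    }


def build_sample_tree():
    """Constructed sample: a temp directory mimicking a hit home folder."""
    root = tempfile.mkdtemp(prefix="qinynore_triage_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx.anonymous").write_bytes(b"\x00constructed")
    (docs / "holiday.jpg.anonymous").write_bytes(b"\x00constructed")
    (docs / "YOU_MUST_READ_ME.rtf").write_text("constructed note")
    (Path(root) / "lol.jpg").write_bytes(b"constructed")
    (Path(root) / "untouched.txt").write_text("not encrypted")
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    for enc, orig in sorted(result["encrypted"].items()):
        print(f"{enc} -> original name {os.path.basename(orig)}")
    print("artifacts:", result["artifacts"])
    print("verdict:", "infected" if result["infected"] else "clean")
```

Point triage_tree at a user profile on a suspect machine to get a list of what was hit before attempting any decryptor; the original names it recovers are what a Hidden Tear decryptor will need to write back.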
How did I end up with Qinynore virus
Qinynore ransomware has to be smart about getting into victims' computers unnoticed in order to carry out the infection fully. It has to find a way not only to trick users into downloading and opening the malicious .exe file but also to avoid detection by the antivirus, firewall and so on. Years of practice have shown that the most effective way to spread and overcome all these obstacles is through Microsoft Office macros. They are not detected by the AV, and they are fairly easy to use, even for someone with minimal technical knowledge.
But in order to deliver these malicious macros to someone's computer, the Qinynore virus developers have to create familiar-looking files that do not raise much suspicion. Tons of socially engineered emails carrying malicious files reach companies and home PC users. The ransomware usually pretends to be a resume, a complaint, a document from the government, an invoice, hospital records, a request to review and confirm that your data is correct, and so on. A believable phishing campaign is not only easy to create but tricks plenty of gullible people into enabling macros once the downloaded bogus file claims that its contents are only visible with macros turned on. That being said, take a look at our Ultimate security against ransomware guide.
How to remove Qinynore virus and restore the files
Recovery from the Qinynore virus infection cannot start with any step other than removal. There is no way to save your files while the ransomware is still on the computer, because even if you succeed in unlocking the data, everything will be encrypted again. All you need for complete and successful removal is SpyHunter. Just run a scan with it or any other trustworthy anti-spyware tool, and soon enough Qinynore ransomware and all its malicious files will be hunted down and terminated. You will then know for sure that your system is clean and ready for the next step – encrypted file recovery.
Ransomware infections are considered among the most dangerous for a reason – even if you remove the threat completely, your encrypted files stay locked, and the only ones who can undo the harm are the hackers holding the decryption key. There are plenty of different ciphers, but, fortunately, the original Hidden Tear ransomware chose the fast but not the tough option – AES – and all variants (Qinynore virus included) inherited the same encryption method, which is not that hard to crack. There is a network security vendor project called 'No More Ransom' where you can get the Hidden Tear decryptor, which you could try, since right now there is no Qinynore-specific unlocking tool.
Can you delete Qinynore ransomware yourself
Manually cleaning your system of Qinynore ransomware is definitely more challenging than just using a security tool, yet it is possible and, if done correctly, just as effective. Mind you, full recovery of the system is only possible if you have recent backups (which hopefully were not deleted by the virus); if you don't have them, you can wipe out the Qinynore virus by reinstalling Windows from scratch, but all your files will be gone too. So pick carefully.
How to recover Qinynore ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Qinynore has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Qinynore ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program like Spyhunter and remove all malicious files related to Qinynore. You can check other tools here.
Step 3. Restore Qinynore ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Qinynore tries to delete all possible Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy to save it to a directory of your own, or Restore to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
This is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export". Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Qinynore ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try it:
- We suggest using another PC and connecting the infected hard drive to it as a slave drive. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.