QkG Ransomware - How To Remove?

Type: Ransomware
 

qkG ransomware virus is a new and unique crypto-malware. It is activated when people download a malicious Word file and click on the “Enable Editing” button. This refers to the strategy of hiding macros in seemingly harmless .doc files. If you are not familiar with macro viruses, they can be explained as computer parasites that are included in documents and files. Frequently, Word, PDF or spreadsheet files are the ones used to carry malicious macros. As soon as a person enables editing, these VBA macros are executed. However, new studies have shown that malware could be executed even when macros are disabled.

This qkG malware is fully based on the macro script. Usually, macros are applied only for the distribution-activation process. That is the classic technique for ransomware authors to choose, but QkG crypto-virus breaks this standard and functions entirely in VBA macros called qkG. However, the ransomware is still being developed, with new features being appended on a regular basis. Researchers are detecting different samples of this malware. While it is assumed that macros are dangerous to Windows operating systems, we have explained that even Mac OSs could suffer from their effects.

qkG virus explained: hidden macros, encryption of Word files, self-replication and many other details


A very interesting (and disturbing) strategy is exploited by qkG ransomware. It changes the normal.dot template and inserts the virus (malicious macro) in it. Therefore, every time an infected system launches Word, the modified template will run the ransomware code and encrypt the files that are open at the moment (QkG Filecoder: Self-Replicating, Document-Encrypting Ransomware). Surprisingly, if a person sends an infected document to other people, the recipients’ computers will become infected with the ransomware if the document is opened and editing is enabled. This is a rather clever trick to make people transmit this virus to one another.
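Because the infection lives in Word's global template, a quick defensive check is whether that template contains a VBA project at all. The following is an added example, not code from the original article or from any tool it mentions: the function names and sample bytes are constructed for illustration, the legacy OLE check is a byte-search heuristic rather than a full parser, and on current Word versions the template to inspect is normally %APPDATA%\Microsoft\Templates\Normal.dotm.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature
# Name of the VBA project stream as stored in OLE directory entries (UTF-16LE)
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")


def classify_template(data: bytes) -> str:
    """Return 'macros', 'no-macros' or 'unknown' for a Word template's bytes."""
    if data.startswith(OLE_MAGIC):
        # Legacy .dot/.doc: heuristic search for the VBA project stream name.
        return "macros" if VBA_DIR_NAME in data else "no-macros"
    if zipfile.is_zipfile(io.BytesIO(data)):
        # .dotm/.docm: macros are stored in a vbaProject.bin part of the package.
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = [n.lower() for n in pkg.namelist()]
        found = any(n.endswith("vbaproject.bin") for n in names)
        return "macros" if found else "no-macros"
    return "unknown"


def make_ooxml(with_vba: bool) -> bytes:
    """Build a constructed, minimal OOXML-style package for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            pkg.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def demo() -> dict:
    # All samples below are constructed in memory; no real template is read.
    samples = {
        "clean Normal.dotm": make_ooxml(False),
        "Normal.dotm with VBA": make_ooxml(True),
        "legacy normal.dot with VBA": OLE_MAGIC + b"\x00" * 64 + VBA_DIR_NAME,
        "legacy normal.dot clean": OLE_MAGIC + b"\x00" * 64,
        "not a template": b"plain text",
    }
    return {name: classify_template(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

To check a real file, pass its bytes to classify_template(); a "macros" verdict on a global template that is not supposed to carry any macros is a reason to investigate it and replace it from a known-good copy.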

There are more curious features of this qkG file-encoder. First of all, one of its samples only encrypted data on a specific day of the week and at a specific time. In addition to this, if this ransomware were to be distributed in its current stage, hackers would not be capable of decrypting files. The first versions of qkG crypto-virus were incomplete. Why? Well, they did not even feature Bitcoin wallet addresses for victims to send ransoms to.

When it comes to file encryption, it appears that the virus encodes data after files are closed. For file-encoding, the ransomware authors chose to use an XOR cipher. Security researchers assume that the ransomware might originate from Vietnam, since one of the payloads was “Tuyen bo chung Viet Nam – Hoa Ky – Infected.doc” (File scan). Another sample was delivered via 5 Rules for Snort.doc (VirusTotal scan).

Currently, if people became infected with the QkG virus, they would be able to decrypt files with the code “I’m QkG@PTM17! by TNA@MHT-TT2” (MS Office Built-In Feature Could be Exploited to Create Self-Replicating Malware). Encoded files are not expected to feature specific extensions, but their file names might change.

Helpful tips for fighting crypto-viruses like this qkG file-encoder

We should explain some methods of avoiding crypto-malware. First of all, do not download suspicious .doc files. If you receive such a file from an unknown source, immediately regard it as dangerous. If you launch it and enable editing, you will be allowing ransomware inside your device, just like in the case of qkG infection.

While the variant we discussed in this article is not compromising real users yet, it is being developed quickly. It might not be long until the final sample reaches victims and encrypts their data. If this happens, security researchers will try to help victims recover their data.

You can become immune to ransomware viruses by using backup storage. Simply upload valuable information to these utilities. As a result, you won’t have to worry about data-encrypting viruses like qkG ransomware.

To protect yourself from malware, we think you must have an anti-malware program. Reimage repair tool is easy-to-use, efficient and quick. It will help you run regular scans and find out the truth about the health of your operating system.

The tool is available for Windows, Mac and even Android operating systems. Reimage will restore and fix damaged Windows files, and find sources of malicious activity. If your computer is frequently compromised by viruses, we guarantee that the situation will be solved once you get Reimage.

How to recover qkG ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before qkG ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of qkG ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to qkG ransomware. You can check other tools here.


Step 3. Restore qkG ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually qkG ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover qkG ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal

 

Important Note: Although it is possible to manually remove qkG ransomware, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on 2-viruses.com.


About the author

 - Main Editor

I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.

 
November 24, 2017 04:41
 
   
 
