Severity scale:  
  (98/100)

QkG ransomware virus. How to remove? (Uninstall guide)

removal by Alice Woods - - | Type: Ransomware
12

qkG encrypts MS Word files only

qkG ransomware virus image

qkG ransomware is a unique example of file-encrypting malware. It is written in Visual Basic for Applications (VBA) macro and is designed to encrypt Microsoft Word documents only using XOR cryptography.[1] The virus has been first spotted on the 12th of November.

According to Trend Micro blog post,[2] the first samples of the ransomware was uploaded from Vietnam. However, the active distribution has not started yet, and it’s still in development stage. However, security experts think that qkG virus might be an experimental ransomware.

However, if you ever encounter this cyber threat, you should not transfer demanded $300 in Bitcoins. You should remove qkG from the computer with Reimage or another reputable malware removal program to keep the system virus-free.

The analysis of the virus revealed some unique features of the qkG:

  • It encrypts only one type of file – MS Word documents. Typically, ransomware-type cyber threats targets as much as possible popular file types.
  • Malware employs Auto Close VBA macro – the same technique has been used by a Lukitus, one of the latest versions of Locky ransomware. This feature allows executing malicious macro when victims close the document.
  • The virus encrypts the content of the infected document, but leave the file structure and filename the same.
  • It is designed to corrupt only ActiveDocument – only opened Word files will be encrypted.
  • Ransomware can be activated from the infected document on a clean computer.

The crypto-malware program is most likely to spread via spam emails that include Word documents with malicious VBA code. Once a user opens it, it asks to enable editing feature, and if a user agrees to do it, the malware is dropped on the system. Then qkG modifies Windows Registry keys and lower’s Word’ security settings in order to activate malicious macro commands without interruptions and starts corrupting files.

The unseen data encryption procedure

On the affected device ransomware injects malicious code to normal.dot file that is a basic Word template. qkG malware also adds Document_Open() autostart macro command to the targeted document and makes a copy of itself. Then crypto-malware uses XOR cipher and the same key to corrupt Word files. The encryption procedure starts when a victim closes the document.

At the end of the each compromised document, the virus adds a short ransom note that includes the main information: the size of the ransom and Bitcoin wallet address. Victims are asked to pay the ransom, and most likely they receive qkG decryptor via email. However, researchers tell that currently, the malware uses the same hardcoded password: “I’m QkG@PTM17! by TNA@MHT-TT2”.

Additionally, malware is self-replicating. It means that it makes a copy of itself to normal.dot file and can spread with the help of it. It means that if an encrypted document is opened on non-infected PC or laptop, the malicious program sneaks inside it and starts its activities.

Therefore, if your colleague gives you a USB with a bunch of Word files or sends you an important document, first of all, you should scan it with anti-virus and make sure that its safe to open. Additionally, you will have to spend time with qkG removal and data recovery procedure.

The Word-encrypting malware tricks users into opening malicious document

At the moment of writing, the major distribution campaign hasn’t started yet. However, researchers assume that qkG is most likely spread via malicious spam emails and with the help of social engineering tricks people into downloading Word document with malicious macro commands.

The content of the e-letter might seem legitimate and express the urge to open the attachment. It might be presented as invoice, statement or other important documents. When a user opens it, the malicious Word file asks to enable macros to view the content. Hitting the “Enable Editing” button runs VBA code and installs malware on the system.

Even though malware is not actively spread yet, cyber security experts from Les Virus[3] suggest staying vigilant with received emails. Before opening email attachment always make sure that you can trust the sender and the provided issue is real.

Removal of the qkG

qkG removal is performed the same way as other crypto-viruses. You have to employ a reputable malware removal program, such as Reimage or Malwarebytes Anti Malware and eliminate this cyber threat automatically. Attempts to eliminate this parasite manually may lead to irreparable damage to the system. Thus, you should not risk.

However, the virus might block security software. In order to bypass these restrictions, you have to reboot the computer to the Safe Mode with Networking or use System Restore method. Both methods are explained below and help you to remove qkG automatically.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove qkG ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall qkG ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual qkG virus Removal Guide:

Remove qkG using Safe Mode with Networking

Activate security program by rebooting the system to Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove qkG

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete qkG removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove qkG using System Restore

System Restore method also help to disable the virus and run automatic elimination

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of qkG. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that qkG removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove qkG from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Currently, corrupted Word files can be recovered with the password  “I’m QkG@PTM17! by TNA@MHT-TT2”. However, if you need additional solutions, try the methods below.

If your files are encrypted by qkG, you can use several methods to restore them:

Data Recovery Pro helps to restore corrupted files

The program is originally created for recovering deleted or corrupted files. However, it might also be helpful after ransomware attack.

Take advantage of the Windows Previous Versions feature

This feature works if System Restore was enabled before the qkG attack. Follow these steps to copy individual versions of the corrupted Word files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try ShadowExplorer

Malware is not likely to delete Shadow Volume Copies yet. Thus, you can try to recover files with ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from qkG and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions

References