Qqmt ransomware (virus) - Recovery Instructions Included

What is Qqmt ransomware?

Qqmt ransomware demands almost a thousand dollars to unlock files – do not give into it

The infection is asking for payments in exchange for the alleged decryption

Qqmt ransomware has been first spotted in the first half of August 2022. Belonging to the prominent ransomware family known as Djvu, this virus specializes in money extortion, just like its predecessors did. The way to reach that goal, cybercriminals to program malware to encrypt all personal files on the system with the help of a sophisticated encryption algorithm RSA, which prevents users from modifying or even opening their pictures, databases, or other personal files.

During the encryption^[1] process, each of the files acquires a unique extension – .qqmt, which also represents the name of this variant. Data is also stripped of the default icons, and only a blank sheet is visible instead. Unfortunately, this block affects files on every partition or hard/SSD drive (or other storage devices) that was connected to the PC at the time of the infection.

As soon as the malware finishes the encryption, it delivers a ransom note _readme.txt, which explains to users what has happened to their files and how to restore them. This “favor” is not free, and cybercriminals demand $490/$980 (depending on how fast you pay) in bitcoin. Victims are also provided with contact emails support@bestyourmail.ch and supportsys@airmail.cc to contact the attackers to negotiate the whole process, which we don't recommend doing.

Why paying is a bad idea

When users get infected with ransomware for the very first time, they might straight out panic simply because they are not quite sure what is going on – they can't open their very important documents and other files. All the questions are quickly answered as soon as the ransom note pops up on their screen, and it reads as follows:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-sac7bmVIKJ
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
support@bestyourmail.ch

Reserve e-mail address to contact us:
supportsys@airmail.cc

Your personal ID:

Djvu variants have been using this precise ransom note for many years – only the mails vary slightly. It is worth noting that the 50% discount is promised to users to encourage them to pay the ransom faster, as it is still worth it for cybercriminals to get a smaller sum rather than getting none of it.

However, we strongly advise against paying. First of all, there is never a guarantee that crooks will deliver the promised decryptor, making victims lose money alongside their data. There were instances when ransomware victims were even sent a malicious tool that, once launched, would infect the system with other malware.

Finally, there is also an aspect that most users forget – cybercriminals are more likely to continue to infect more people because their illegal business practices clearly work. Thus, we strongly advise avoiding paying the ransom and instead relying on alternative methods for data recovery.

File-virus is the threat that locks data and asks payments for the recovery that might not happen

A quick malware removal solution

There is no doubt about it that Qqmt virus removal should be your top priority. Djvu variants might not remain on the system after the data encryption process is complete, but they may populate additional modules that could start stealing personal information such as passwords, keystrokes, banking details, etc. Additionally, every ransomware might be distributed along with other dangerous viruses, including data stealers or banking trojans.^[2]

Therefore, you should download and install SpyHunter 5Combo Cleaner or Malwarebytes security software and perform a full system scan with it. Make sure you bring anti-malware to its latest version before you do, however. It is also important to note that you should disconnect your machine from the internet and network, if applicable.

If malware is meddling with the removal process, you should instead access Safe Mode^[3] and perform a full system scan from there. If you need help accessing it, use the following instructions:

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on Start button and select Settings.
   
2. Scroll down to pick Update & Security.
3. On the left side of the window, pick Recovery.
4. Now scroll down to find the Advanced Startup section.
5. Click Restart now.
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.

Qqmt file recovery without paying

Files encrypted by ransomware are not permanently damaged, which means that they might be recovered, although special tools are required for that. To be more precise, a unique key is needed – there is simply no way of guessing it, as it consists of a long string of alphanumeric characters. The problem is that the key is stored by cybercriminals behind the infection, which is precisely how they extort money from users.

A more common misconception is that ransomware-encrypted files would be restored to their original state once a full system scan is performed, which is not the case at all. In order to restore .qqmt files, you will have to try several methods we provide below, and we recommend starting from the specialized tool provided by the security team at Emsisoft. Keep in mind that this will only work if your files are locked with an offline ID.

• Download the app from the official Emsisoft website.
• After pressing the Download button, a small pop-up at the bottom titled decrypt_STOPDjvu.exe should show up – click it.
  
• If User Account Control (UAC) message shows up, press Yes.
• Agree to License Terms by pressing Yes.
  
  
• After Disclaimer shows up, press OK.
• The tool should automatically populate the affected folders, although you can also do it by pressing Add folder at the bottom.
  
• Press Decrypt.
  
  

From here, there are three available outcomes:

1. “Decrypted!” will be shown under files decrypted successfully – they are now usable again.
2. “Error: Unable to decrypt file with ID:” means that the keys for this version of the virus have not yet been retrieved, so you should try later.
3. “This ID appears to be an online ID, decryption is impossible” – you are unable to decrypt files with this tool.

If your files were encrypted with an online ID, Emsisoft's decryptor would not work for you, unfortunately. However, you should not lose hope yet and try third-party data recovery software instead. While these apps can't always restore files encrypted by ransomware, sometimes they might be successful in restoring at least some data.

• Download Data Recovery Pro.
• Double-click the installer to launch it.
  
• Follow on-screen instructions to install the software.
• As soon as you press Finish, you can use the app.
• Select Everything or pick individual folders which you want the files to be recovered from.
• Press Next.
• At the bottom, enable Deep scan and pick which Disks you want to be scanned.
• Press Scan and wait till it is complete.
• You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
• Press Recover to retrieve your files.

System remediation

Regardless of whether or not you managed to recover Qqmt files, you should take care of your system's health. First of all, we recommend you find and delete the “hosts” file located on your computer – this will ensure that certain security-related websites are no longer blocked for you. For that, access the C:\Windows\System32\drivers\etc\ directory and press Shift+Del on your keyboard after marking the “hosts” file. Windows will automatically recreate it.

We also advise running a scan with powerful repair software that would fix any system damage that could have been caused by ransomware:

• Download the application by clicking on the link above
• Click on the ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.