Self-replicating qkG ransomware targets only Word documents

by Linas Kiguolis - - 2017-11-23

Document-encrypting qkG virus exploits VBA macro

qkG exploits VBA macro

Experts have recently found an entirely different variant of the ransomware — qkG virus^[1]. It exploits VBA macros to encrypt Office documents and corrupts Microsoft Word Normal template alongside.

Cybersecurity experts have discovered it uploaded on VirusTotal from a Vietnamese IP address at the end of November. Luckily, this file-encrypting virus is still in a development stage and hasn’t affected any systems of a regular computer user.

According to IT technicians “It's also one of the few that uncommonly employs malicious macro codes, unlike the usual families that use macros mainly to download the ransomware.” Besides, this malware encrypts only documents which are opened at that time^[2].

Crypto-malware infuses a malicious code to the normal.dot template

Developers have created this computer infection to spread via compromised Word documents. Once the would-be victim opens the file and enables editing function, he or she triggers the infiltration of the malicious VBA code on normal.dot template^[3].

qkG is a tricky ransomware since it relies on the onClose function to launch the bogus macro code only after the Word document is closed. Malware uses XOR cipher to encrypt the targeted data and provides a ransom note in the document instead of dropping a separate file.

Besides, no file extension is appended to the corrupted data, and the file-name is left unchanged. The ransom note says the following:

I’m QkG@PTM17! by TNA@MHT-TT2
Send $300 to the BTC Address: 14zA1NdTgtesLWthysLQQtsuszFbpydg
Contact Email: *********
7800320014003400580036001700380068003000

While the Microsoft Word Normal template is used to open all blank documents, qkG malware infects it and infuses a copy of itself^[4]. In simple terms, it means that whenever the would-be victim creates a new document, the ransomware would encrypt its data as well.

Therefore, experts worry about the possible large-scale infection if people would decide to share the documents containing a malicious macro script with other computer users. It would result in a continuous ransomware drive-by download distribution.

Vietnamese developers might be inspired by Locky ransomware contrivers

While the author of the qkG ransomware identifies itself as TNA-MHT-TT2, some analysts discovered that the code malware uses involved the Vietnamese language^[5]. Thus, it is quite evident that he or she is from Vietnam.

Experts believe that .lukitus version of the infamous Locky ransomware might have served as an inspirational source to develop a new file-encrypting virus which also employs onClose VBA macro.

Since qkG virus is still under development, we strongly advise you to take precautionary measures before it may be misused for malevolent purposes.

About the author

Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions

References

^ Alice Woods. QkG ransomware virus. How to remove? (Uninstall guide). 2-Spyware. Security and Spyware News.
^ Robert Abel. qkG Filecoder ransomware exploits macros and self-replicates. SC Magazine. Breaking News on Cybersecurity.
^ qkG Filecoder. Self-Replicating, Document-Encrypting Ransomware. Trend Micro Blog. Security News, Views and Opinions.
^ Hyacinth Mascarenhas. What is qkG ransomware? New self-replicating malware uses malicious macros to encrypt Word documents. International Business Times. Business News, Financial news.
^ Naveen Goud. Trend Micro discovers ransomware which encrypts only Word Documents. Cybersecurity Insiders. IT News.