Geek's Advice

NQSQ ransomware infects computers to encrypt all files on them for a ransom

NQSQ ransomware is a malicious file-encrypting virus originating from STOP/DJVU ransomware family. Using Salsa 20 algorithm, the malware encrypts all victim’s personal files to lock them and make them inaccessible. The virus has a tendency to mark affected files with additional .nqsq file extension to make them stand out. For instance, file originally called 1.jpg appears as 1.jpg.nqsq after the cyber attack. In every folder, the ransomware saves a file called _readme.txt, which is known as the “ransom note.” It delivers a brief message from the malware operators who suggest that the price of NQSQ decryption tool ranges between $490-$980, based on whether the victim manages to write to the attackers within 72 hours or later. The attackers expect the payment to be made in cryptocurrency (most likely popular one like Bitcoin). The email contains two criminals’ email addresses – supporthelp@airmail.cc and alternative one – manager@mailtemp.ch.

NQSQ ransomware virus was developed with sole aim to illegally take control of victim’s files, making them impossible to open, view, or edit in any way. This is done with a help of cryptography algorithms that are typically used to secure end-to-end information transmission or military-grade secrets. The ransomware works by encrypting the very first 150 KB of a file and then moving to another one, which keeps the entire system attack short and effective. The crooks behind this ransomware offer to sell the file decryption key and software for the victim for a specified price. This is nothing else but pure extortion as victim’s files are taken hostage at this point.

If you have fallen victim to ransomware attack, you can try a couple of methods to recover or repair part of encrypted data. Ideally, you should use a data backup that you created before the ransomware attack; unfortunately, not many people have a habit of creating data backups regularly. Therefore, we have provided a lengthy guide on using available decryption tools as well as Media_Repair tool by DiskTuna which can help you to restore some audio and video files with as little data loss as possible. You can find a shortened guide below this article or see an in-depth tutorial here.

The _readme.txt note left by NQSQ ransomware threatens the victim by stating that all files such as pictures, videos, documents, archives and other data formats have been encrypted with the strongest cryptography algorithm. The note says that victim can still recover all data and access it like usual, however, the attackers expect the victim to pay for data decryption tool and key. The ransomware operators also suggest sending one encrypted file to them as an attachment to provided emails, offering a “test decryption” service to prove that their words can be trusted and that they can actually restore locked files. The note also says that the test decryption file should not contain any valuable information or they won’t decrypt it. The reason behind this is that the attackers are afraid the victim won’t be considering making the transaction after valuable information is recovered.

The ransom note provides conditions regarding the decryption service price as well. The attackers offer the victim a 50% discount if one writes to them within 72 hours from the initial infection timestamp. This means that the decryption would cost $490. However, if the victim delays, the attackers will ask to pay full price, which is $980. Although it isn’t discussed in the _readme.txt file, once contacted, the criminals will ask to make a transaction to their virtual wallet address. Of course, they will only accept cryptocurrency based payments as this helps to keep them untraceable.

Geek’s Advice team members, as well as other cybersecurity experts and FBI do not recommend paying a ransom to cybercriminals. Here are some of the reasons why it is wrongful to pay extortionists of such kind:

• No matter how much money you transfer to cybercriminals, there are no guarantees that you will get your files back. Many cybercriminals disappear into the thin air after receiving the money.
• By paying the ransom, you help to keep the ransomware business active. If people stopped paying the ransoms, there would be no motivation for the criminals to continue their operations.
• Paying a ransom motivates the attackers to initiate even more cyberattacks and infect more computers globally. That said, millions of dollars collected from ransomware victims each year also lures other people to join Ransomware-As-A-Service affiliate scheme.
• Beware that STOP/DJVU ransomware variants such as NQSQ virus have a tendency to infect target machines with AZORULT Trojan, which is an infamous Remote Access Trojan used to collect sensitive information from the victim’s computer remotely. Using collected passwords and other private details, cybercriminals can continue to blackmail you and extort you further.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Modus operandi of this ransomware strain

NQSQ ransomware virus usually arrives in a form of a illegal pirated copy of software, which can be downloaded via various peer-to-peer file sharing agents. Once executed, it runs a couple of build executables that prepare for the actual attack by disabling security software (if possible), checking victim’s geolocation, collecting software and hardware info about the computer and a set of other details. It must be noted that this virus has a country exception list (it won’t launch the final payload if victim’s country matches one from the exception list). Once the initial preparations are complete, the virus tries to connect to its Command&Control server to get a unique online encryption key for the machine. It usually saves it to a file called bowsakkdestx.txt along with victim’s ID. The malware also saves victim’s ID or several of them to a file named PersonalID.txt located in C:\SystemID.

However, in situation where the virus fails to get the online key for encryption, it employs a hardcoded offline encryption key. You can identify which key was used in your key by looking at personal ID (available in PersonalID.txt file or at the end of the _readme.txt file). If this string ends in t1, it means that your files were encrypted using offline key. In such case, we strongly recommend waiting until a decryption key gets uploaded to the official decryption tool as explained at the end of this article or here.

As mentioned earlier, the virus then starts encrypting all of victim’s files, using the chosen key. During the attack, the ransomware modifies the beginning of each file and also marks affected files by appending .nqsq extension to each of them. Additionally, the virus composes ransom notes called _readme.txt (inserts victim’s ID into each of them) and saves them in every visited file directory. It must be said that the malware tends to bypass system folders to keep the operating system intact and running smoothly.

To deceive the victim and justify the sudden system slowdown, the ransomware tends to launch a fake Windows update prompt on the screen. Other modifications done to the system include removal of Volume Shadow Copies and modification of Windows HOSTS file. The Shadow Copies are deleted using this Command Line task:

^{vssadmin.exe Delete Shadows /All /Quiet}

This prevents the victim from using System Restore points to recover part of the data for free. Speaking of modifications to Windows HOSTS file, the ransomware adds a list of domains to block in it. These websites are known to publish cybersecurity-related content, information on removing computer viruses, or simply user forums where similar topics are discussed. The virus maps these domains to victim’s localhost IP, therefore whenever the victim attempts to visit one of them, DNS_PROBE_FINISHED_NXDOMAIN error will appear in the web browser.

Finally, this ransomware might also drop AZORULT malware on the infected Windows machine. It is an infamous Remote Access Trojan which can be used to perform various illegal information-collecting activities on victim’s computer, such as:

• Downloading various computer viruses and executing them on the system;
• Stealing login credentials for various programs, such as Telegram, Steam and other programs;
• Looking at lists of folder files or deleting them from the victim’s computer;
• Stealing cryptocurrency wallets and their contents;
• Stealing browser-saved passwords, browser cookies, browsing history and more.

To protect yourself and your computer from further damage, we strongly recommend that you remove NQSQ ransomware virus as soon as possible. One of the best ways to do it is to use a robust security software while in Safe Mode with Networking. If you don’t have one already, we strongly recommend using INTEGO Antivirus which has a VB100 certification. Afterwards, you might want to download RESTORO to scan your system and repair virus damage to Windows OS files caused by malware.

Ransomware Summary

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Ransomware distribution explained: how to avoid getting infected

Ransomware-type threats are extremely prevalent nowadays, so it is essential to know their distribution techniques to avoid getting infected. While more sophisticated attacks rely on exploit kits, the majority of threats targeting home computer users are distributed via malicious email attachments or untrustworthy online downloads.

NQSQ ransomware arises from STOP/DJVU malware family and these viruses are known to be distributed via malicious online downloads mainly. To be precise, victims report getting infected after attempts to install pirated software copies downloaded via torrent clients. It seems that cybercriminals behind this ransomware tend to inject malicious scripts into software cracks and key generators allegedly designed to activate these premium programs:

• Adobe Photoshop;
• Corel Draw;
• Tenorshare 4ukey;
• League of Legends;
• Cubase;
• Adobe Illustrator;
• Windows activation tools such as KMSPico.

Computer users who download illegal software copies face extremely high risk of falling prey to ransomware attacks. Cybercriminals know the demand for free premium software versions, therefore they inject malicious scripts into such files and make them available on various torrent libraries online. Such torrents can be downloaded using peer-to-peer file sharing clients such as uTorrent, eMule and others. These programs do not check for malware in files, however, what is even worse is that computer users often ignore their antivirus software warnings and proceed to open the file because of popular misconception that security software marks all “cracks” as malicious.

Sadly, pirated software copies are closely linked with malware infections. Even if you do not notice an immediate sign of computer infection, please remember that there are types of malware that is designed to operate silently (such as cryptocurrency miners, Trojans and others) or that the ransomware inside is set to trigger launch after several days (the attackers can set a time trigger to infectious programs so they would launch after a couple of days or weeks).

That said, we strongly recommend you only to get desired software copies from official sources only. Remember that a legitimate software license hardly ever costs more than hefty ransom amounts demanded by cybercriminals. Besides, you should support software developers who work hard to provide you with useful software. Trying to bypass paying them can result in much higher expenses.

Another popular way to distribute ransomware is to attach a specifically crafted document to spam emails and send them to numerous recipients at the same time. Cybercriminals tend to use email address listings made available in dark web forums. Most of the time, the attackers pretend to be writing in the name of a reputable company, colleague, or someone you know. The message is usually short and demands to open attached contents immediately. The malicious attachments may be named somewhat like “invoice,” “payment information/details,” “parcel tracking details” or “order information.” To create an even stronger effect, the attackers tend to spoof their email address. Since it gets hard to identify phishing emails nowadays, we strongly recommend you to avoid opening emails that you think you weren’t supposed to receive.

Victims of STOP/DJVU ransomware variants such as NQSQ virus should be extremely careful and avoid downloading suspicious file decryption tools as these can carry another ransomware strain payload. For example, another cyber-extortion virus known under a name of ZORAB was noticed hiding in fake STOP/DJVU decryption tools. If you fall into the trap and open such fake decryption tool, your files will get double-encrypted.

Remove NQSQ Ransomware Virus and Decrypt Your Files

If your computer got compromised by the described ransomware variant and now your files are encrypted, the first thing we recommend doing is eliminating malware from your PC. The easiest way to remove NQSQ ransomware virus is booting in Safe Mode with Networking and running a reputable security software such as INTEGO Antivirus to identify and delete existing threats automatically. The software we recommend is well-reviewed and has VB100 certification, which indicates that the antivirus has top-notch malware detection rate. Afterwards, you might want to download RESTORO to repair damage on Windows OS files caused by the virus.

If you have completed NQSQ ransomware virus removal, please read the following recommendations:

• Get in touch with your local law enforcement authorities and report an Internet crime case. You can find some references below this guide.
• Use data backup to restore the majority of your files.
• Follow the given steps to decrypt or repair files affected by STOP/DJVU versions.
• We also recommend changing your passwords, especially for websites that you save login credentials for in your browser.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7.. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.