QEWE ransomware virus attacks personal files to demand ransom in Bitcoin
Contents
QEWE ransomware (also known as QEWE file extension virus) is the 222th variant of STOP/DJVU, a file-encrypting malware which infects victim’s computer to restrict access to personal files and demands a ransom. The malicious program appends .qewe file extensions to affected data (images, videos, documents, and other file types), and drops ransom notes called _readme.txt. These notes demand contacting the cyber criminals via two provided emails and pay a ransom ranging from $490 to $980. The victim must purchase cryptocurrency – Bitcoin to pay the ransom. The stealthy ransomware also installs AZORult malware on the system, which is made to steal private login credentials.
Once installed on the target system, the ransomware disables security software and deletes volume shadow copies, preventing the victim from using these default Windows backups to restore data. During the attack, the malware showcases a fake Windows update screen to trick the victim into thinking that there is nothing suspicious, and that a simple OS update is making the system function slower. In addition, QEWE virus modifies Windows hosts file and adds various computer and Information Technology related websites to an exclusion list, making them inaccessible to the victim.
Meanwhile, QEWE file virus uses complex cryptography algorithms to render files on victim’s computer useless. In other words, once the malicious program encrypts them, the only tool that can revert them back to normal is the private decryption key held by criminals in their servers. To obtain this key, the victim must pay the ransom, as explained in the _readme.txt ransom note.
If you have been affected by this virus, we strongly encourage you to remove it using instructions provided below. To identify virus damage to your computer system and files, also to identify security, stability and hardware issues, we recommend scanning system with RESTORO.
Contents of the ransom note _readme.txt
QEWE ransomware seeks to force victims pay the ransom, and explains such demand in the text file it drops on every folder containing modified data. The ransom note is named _readme.txt and starts with a promising message “ATTENTION! Don’t worry, you can return all your files!“, which is then followed by a requirement to purchase a decryption tool along with unique key.
The note explains that the criminals can decrypt one file for free if the victim contacts them via helpdatarestore@firemail.cc or helpmanager@mail.ch, supplying the Personal ID specified in the ransom note.
Conditions for the ransom price are as follows: if the victim contacts criminals via 72 hours (3 full days) starting from the infection timestamp, the criminals lower the ransom price to $490, but if the victim contacts and pays them later, the ransom price skyrockets to $980 in Bitcoin.
Details regarding the encryption procedure and file recovery
QEWE ransomware virus is extremely dangerous as the way it encrypts the files are hardly reversible. However, you can always try tools like RESTORO to reverse virus damage on Windows operating system files.
When it comes to personal files encryption, the virus uses either online or offline encryption type. The difference is that with online encryption the malware obtains the individual encryption key from its remote server. When it comes to offline encryption, the virus uses an in-built key to corrupt files.
To recover your files, you should be using data backups created prior to the ransomware attack. You can also go to STOP Decryption guide and see if you can restore your files using the said tool.
Threat Summary
| Name | QEWE ransomware virus |
| Type | Ransomware; file-encrypting malware |
| Version | 222th version of STOP/DJVU |
| Ransom note | _readme.txt |
| Ransom price | $490 or $980 |
| Extension | .qewe file extension |
| Detection names | Win/malicious_confidence_100% (W), A Variant Of Win32/Kryptik.HCSI, Trojan-Ransom.Win32.Stop.mh and others (full list on VirusTotal) |
| Symptoms | The ransomware infects computer system via software cracks and similar illegal downloads, displays a fake Windows update screen. Meanwhile, it encrypts all files on the system and adds .qewe file extensions to them. Following successful data encryption, ransomware creates and saves ransom notes called _readme.txt, containing a money-demanding message from the attackers. |
| Contact emails | helpdatarestore@firemail.cc (primary email), helpmanager@mail.ch (secondary) |
| Associated processes | F820.tmp.exe or similar |
| Distribution | Spreads via software cracks, KMSPico, keygens and similar illegal downloads |
| Removal | To identify and repair virus damage on Windows OS files, we recommend using RESTORO |
| Post-removal steps | Restore files using data backups, or, if subject to offline encryption, wait for STOP Decrypter update. Change all of your passwords. |
Ransomware distribution: avoid installing virus that breaks your files
QEWE ransomware virus comes from DJVU ransomware family, and it means that its main distribution channel is illegal downloads. To be precise, these ransom-demanding and file-encrypting programs (such as LEZP, JOPE, OPQZ) spread via software cracks, keygens, illegal software license activation tools, such as KMSPico.
If you cannot resist the urge to download illegal files from the Internet, remember that you risk downloading a malicious payload alongside them, and without exceptional cybersecurity skills, most likely you won’t notice silent malware processes that wreak havoc on the system. The result will be loads of inaccessible files, such as work documents or precious memories, gone for good.
However, although STOP/DJVU ransomware variants are currently widely widespread infections, there are other ransomware variants, such as NEMTY, PHOBOS, or SODINOKIBI. In general, in order to avoid ransomware attacks, you should:
- Never download suspicious files from the Internet.
- Avoid clicking on email attachments or links without double-checking if they come from trustworthy sources.
- Keep a real-time protection on (if you’re using a security software).
- Backup your files regularly.
- Keep all your software up-to-date.
Remove QEWE ransomware virus for good
Remove QEWE ransomware virus to cleanse your system from malicious software remains, and protect the system from future attacks. Please use the guide given below. In addition, we recommend checking your system’s security status or repair virus damage on Windows OS files using RESTORO.
Once the QEWE ransomware removal is complete, you can continue using your computer safely. In addition, we recommend changing all of your passwords, including those saved in your browser, to protect your accounts from possible attacks. As mentioned before, the malware that comes along the described ransomware was capable to steal private login data, and that it is why we recommend changing the credentials now.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
QEWE Ransomware Virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove QEWE Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Thank you – I managed to restore some system files, although not all. Still better than nothing…