Geek's Advice

QEWE ransomware virus attacks personal files to demand ransom in Bitcoin

QEWE ransomware (also known as QEWE file extension virus) is the 222th variant of STOP/DJVU, a file-encrypting malware which infects victim’s computer to restrict access to personal files and demands a ransom. The malicious program appends .qewe file extensions to affected data (images, videos, documents, and other file types), and drops ransom notes called _readme.txt. These notes demand contacting the cyber criminals via two provided emails and pay a ransom ranging from $490 to $980. The victim must purchase cryptocurrency – Bitcoin to pay the ransom. The stealthy ransomware also installs AZORult malware on the system, which is made to steal private login credentials.

Once installed on the target system, the ransomware disables security software and deletes volume shadow copies, preventing the victim from using these default Windows backups to restore data. During the attack, the malware showcases a fake Windows update screen to trick the victim into thinking that there is nothing suspicious, and that a simple OS update is making the system function slower. In addition, QEWE virus modifies Windows hosts file and adds various computer and Information Technology related websites to an exclusion list, making them inaccessible to the victim.

Meanwhile, QEWE file virus uses complex cryptography algorithms to render files on victim’s computer useless. In other words, once the malicious program encrypts them, the only tool that can revert them back to normal is the private decryption key held by criminals in their servers. To obtain this key, the victim must pay the ransom, as explained in the _readme.txt ransom note.

If you have been affected by this virus, we strongly encourage you to remove it using instructions provided below. To identify virus damage to your computer system and files, also to identify security, stability and hardware issues, we recommend scanning system with RESTORO.

Contents of the ransom note _readme.txt

QEWE ransomware seeks to force victims pay the ransom, and explains such demand in the text file it drops on every folder containing modified data. The ransom note is named _readme.txt and starts with a promising message “ATTENTION! Don’t worry, you can return all your files!“, which is then followed by a requirement to purchase a decryption tool along with unique key.

The note explains that the criminals can decrypt one file for free if the victim contacts them via helpdatarestore@firemail.cc or helpmanager@mail.ch, supplying the Personal ID specified in the ransom note.

Conditions for the ransom price are as follows: if the victim contacts criminals via 72 hours (3 full days) starting from the infection timestamp, the criminals lower the ransom price to $490, but if the victim contacts and pays them later, the ransom price skyrockets to $980 in Bitcoin.

Details regarding the encryption procedure and file recovery

QEWE ransomware virus is extremely dangerous as the way it encrypts the files are hardly reversible. However, you can always try tools like RESTORO to reverse virus damage on Windows operating system files.

When it comes to personal files encryption, the virus uses either online or offline encryption type. The difference is that with online encryption the malware obtains the individual encryption key from its remote server. When it comes to offline encryption, the virus uses an in-built key to corrupt files.

To recover your files, you should be using data backups created prior to the ransomware attack. You can also go to STOP Decryption guide and see if you can restore your files using the said tool.

Threat Summary

Name	QEWE ransomware virus
Type	Ransomware; file-encrypting malware
Version	222th version of STOP/DJVU
Ransom note	_readme.txt
Ransom price	$490 or $980
Extension	.qewe file extension
Detection names	Win/malicious_confidence_100% (W), A Variant Of Win32/Kryptik.HCSI, Trojan-Ransom.Win32.Stop.mh and others (full list on VirusTotal)
Symptoms	The ransomware infects computer system via software cracks and similar illegal downloads, displays a fake Windows update screen. Meanwhile, it encrypts all files on the system and adds .qewe file extensions to them. Following successful data encryption, ransomware creates and saves ransom notes called _readme.txt, containing a money-demanding message from the attackers.
Contact emails	helpdatarestore@firemail.cc (primary email), helpmanager@mail.ch (secondary)
Associated processes	F820.tmp.exe or similar
Distribution	Spreads via software cracks, KMSPico, keygens and similar illegal downloads
Removal	To identify and repair virus damage on Windows OS files, we recommend using RESTORO
Post-removal steps	Restore files using data backups, or, if subject to offline encryption, wait for STOP Decrypter update. Change all of your passwords.

Ransomware distribution: avoid installing virus that breaks your files

QEWE ransomware virus comes from DJVU ransomware family, and it means that its main distribution channel is illegal downloads. To be precise, these ransom-demanding and file-encrypting programs (such as LEZP, JOPE, OPQZ) spread via software cracks, keygens, illegal software license activation tools, such as KMSPico.

If you cannot resist the urge to download illegal files from the Internet, remember that you risk downloading a malicious payload alongside them, and without exceptional cybersecurity skills, most likely you won’t notice silent malware processes that wreak havoc on the system. The result will be loads of inaccessible files, such as work documents or precious memories, gone for good.

However, although STOP/DJVU ransomware variants are currently widely widespread infections, there are other ransomware variants, such as NEMTY, PHOBOS, or SODINOKIBI. In general, in order to avoid ransomware attacks, you should:

• Never download suspicious files from the Internet.
• Avoid clicking on email attachments or links without double-checking if they come from trustworthy sources.
• Keep a real-time protection on (if you’re using a security software).
• Backup your files regularly.
• Keep all your software up-to-date.

Remove QEWE ransomware virus for good

Remove QEWE ransomware virus to cleanse your system from malicious software remains, and protect the system from future attacks. Please use the guide given below. In addition, we recommend checking your system’s security status or repair virus damage on Windows OS files using RESTORO.

Once the QEWE ransomware removal is complete, you can continue using your computer safely. In addition, we recommend changing all of your passwords, including those saved in your browser, to protect your accounts from possible attacks. As mentioned before, the malware that comes along the described ransomware was capable to steal private login data, and that it is why we recommend changing the credentials now.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.