Contents
SSPQ ransomware is a highly dangerous computer virus that originates from STOP/DJVU malware family. This virus is also known as a virtual extortion tool that is designed to encrypt files on user’s computer using RSA Salsa20 and mark them with .sspq extension. After the attack, all virus’ affected files have double extensions. For instance, file called 1.jpg becomes 1.jpg.sspq. The ransomware is also designed to create and save _readme.txt text notes in every system folder. This note is also known as a ‘ransom note’ from cybercriminals. It contains a short message from virus’ developers who explain that all files on the computer have been encrypted with the strongest algorithm and in order to recover these files, the victim has to pay a specified ransom. According to the note, the file decryption software costs $490 if the victim writes to the attackers within 3 days. Otherwise, the decryption price will be $980. The note contains two email addresses to contact the criminals: helpteam@mail.ch or helpmanager@airmail.cc.
The aim of this virus’ is to encrypt the victim’s personal files, thus making them inaccessible to the victim. Of course, the owner of these files (the victim) most likely wants to recover such data as information we store on our computers is obviously valuable to us – either related to work or personal matters. Therefore, the ransomware operators provide a ‘solution’: the victim has to pay the required sum of money to them to be able to open these files ever again. They even suggest a test decryption service, which allows restoring one small encrypted file for free.
However, the price for a fully functional SSPQ file decryption key ranges from $490 to $980, depending on how fast the victim reaches out to the criminals and pays. Clearly, the attackers want to receive the ransom in cryptocurrency to remain anonymous. Other payment methods will be refused by the virus’ developers.
Geek’s Advice team experts agree with FBI‘s suggestions regarding ransom payments: DO NOT PAY THE RANSOM. Some of the reasons why you shouldn’t are:
SSPQ ransomware starts the attack by launching a winupdate.exe process, a deceptive process that displays a fake pop-up imitating Windows update process. This pop-up is meant to trick the victim into thinking that a sudden system slowdown is caused by ongoing Windows updates and not some kind of suspicious virus on a computer. In other words, the virus tries to lower victim’s suspicion.
Next, the malware deletes Volume Shadow Copies from a computer and modifies Windows HOSTS file by adding a list of restricted domains to it. In general, all of these domains publish computer-related information as well as how-to guides, and it is believed that virus’ authors try to ban these domains so that the victim couldn’t reach any important information online. As a result, victims trying to access one of these sites directly or via search results will run into DNS_PROBE_FINISHED_NXDOMAIN error.
Finally, the ransomware encrypts all personal files on a computer using a military-grade encryption algorithm. The malware affects not the whole file but the very first 150KB of it, therefore some video and image files can still be restored with minimal data loss. On the other hand, other files will be corrupted in a way that they become impossible to open or view. For more information about STOP/DJVU file decryption, please refer to this guide.
Additional and severe damage caused by this ransomware is the installation of AZORULT Trojan. This threat is widely recognized as a powerful Remote Access Trojan (RAT) that can be used by attackers to remotely carry out tasks on the victim’s computer. To provide a better understanding of what an attacker can do with this virus, we provide a shortened list of its functionalities:
In order to stop attackers from exploiting you further, we cannot stress this enough how important it is to remove SSPQ ransomware virus and other malware as soon as possible. To ensure a professional computer cleanse, we recommend using instructions provided below this article. We also recommend using a trustworthy virus removal software. Our team also suggests downloading RESTORO to repair virus damage on the system.
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Name | SSPQ Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA Salsa20 |
Previous versions | VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here) |
Version | 304th |
Extension | .sspq |
Damage | The ransomware uses RSA Salsa20 to encrypt files on the victim’s computer. As a result, encrypted files become impossible to open. The malware appends additional extensions to encrypted files to make them more distinguishable. The ransomware deletes VSS and modifies Windows HOSTS file by adding a list of blocked Internet domains. Additionally, the virus drops _readme.txt notes in every computer folder. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | The ransomware spreads via illegal torrent downloads, cracked software, key generators or tools like KMSPico. |
Detection names | Trojan:Win32/Glupteba (Microsoft), Glupteba.Backdoor.Bruteforce.DDS (Malwarebytes), TR/AD.InstaBot.bfsbw (Avira), HEUR:Exploit.Win32.Shellcode.gen (Kaspersky), Trojan.GenericKD.36669904 (B)(Emsisoft), W32.Trojan.Gen (Webroot) see all detection name variations on VirusTotal |
Removal | Remove ransomware and associated threats from your PC using robust malware removal software such as INTEGO Antivirus. Next, we strongly advise scanning with RESTORO to repair virus damage on Windows OS files. |
Ransomware-type computer viruses are spread using quite traditional malware distribution techniques. When it comes to STOP/DJVU ransomware family, it seems to be spread using one main technique – illegal downloads. In fact, almost all victims affected by variants of this ransomware family appear to catch this PC infection after downloading software or game versions including cracks or keygens. Some of the victims also reported downloading the malicious payload via KMSPico variants. Most of these files can be brought to the computer via peer-to-peer file sharing agents (uTorrent, BitTorrent and others). These programs aren’t dangerous themselves, but they do not check files for malware at all.
The thing that worsens the situation and makes this distribution tactic extremely successful is that most computer users want to get paid software versions for free so bad so that they choose to ignore their security software alerts about potentially malicious downloads.
The main issue here is that many people believe that antivirus programs falsely mark all downloads including cracks as dangerous, therefore there is nothing to be afraid of. Unfortunately, these aren’t false-alarms, and even if you notice nothing suspicious after installing the cracked software, it doesn’t mean things are okay. For example, you might get infected with silent malware such as RAT or a cryptocurrency miner.
It goes without saying that if you want to keep your computer safe, you should only download programs from trustworthy and legitimate online sources. Therefore, if you are in need of specific software or game, make sure you go to its official developer’s website. All attempts to install paid products for free can end in a severe computer infection. Besides, software licenses rarely cost more than hefty ransom amounts demanded by cybercriminals.
A widely known ransomware distribution technique is closely tied to email spam campaigns. The attackers typically get access to leaked email databases and use these to send deceptive emails for thousands of potential victims. In most cases, the attackers pretend to be someone from well-known companies sending an important document for the victim, such as invoice or missing/pending payment details. Another important thing to say is that the attackers are capable of injecting malicious scripts in various file formats nowadays. The message in such deceptive emails typically urges to open the attached invoice/missing payment/document and reply back shortly. To strengthen victim’s trust in such email, the attackers leverage email spoofing techniques. You can learn more about these techniques here. We strongly recommend you to be cautious when it comes to email attachments and only interact with emails that you expected to receive. If you click on links or attachments without thinking, your computer might get severely infected in no time.
Finally, we must mention that other ransomware strains have been observed to distribute fake STOP/DJVU decryption tools hiding second ransomware payload in them. In other words, if you come across a deceptive decryption tool, opening it can execute second ransomware which will double-encrypt your files. One of such viruses that’s known for usage of this distribution technique is ZORAB.
We kindly suggest you remove SSPQ ransomware virus from your computer using free instructions provided down below. To ensure a smooth virus’ removal procedure, stay careful and do not miss a step. Finally, we strongly recommend you to repair virus damage on your computer using software like RESTORO.
Once SSPQ virus removal, we recommend you to take the following actions:
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
SSPQ ransomware virus Removal Guidelines
Before you try to remove SSPQ ransomware virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove SSPQ ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU ransomware versions are grouped into old and new variants. SSPQ ransomware virus is considered the new STOP/DJVU variant, just like VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt SSPQ files, follow the given tutorial.
The SSPQ decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your SSPQ extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Victims of SSPQ ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
You can only open SSPQ files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official SSPQ decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake SSPQ decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
This website uses cookies.
View Comments
Hi, my name is Eko from Indonesia
all my data in my laptop now with .sspq
I have try any way, but still can not open normally my data.
So should you help me with send me the key to open .sspq
Thank you for your help