Remove SSPQ Ransomware Virus (DECRYPT .sspq FILES)
SSPQ ransomware threatens to keep your files encrypted until you pay a ransom
Contents
SSPQ ransomware is a highly dangerous computer virus that originates from STOP/DJVU malware family. This virus is also known as a virtual extortion tool that is designed to encrypt files on user’s computer using RSA Salsa20 and mark them with .sspq extension. After the attack, all virus’ affected files have double extensions. For instance, file called 1.jpg becomes 1.jpg.sspq. The ransomware is also designed to create and save _readme.txt text notes in every system folder. This note is also known as a ‘ransom note’ from cybercriminals. It contains a short message from virus’ developers who explain that all files on the computer have been encrypted with the strongest algorithm and in order to recover these files, the victim has to pay a specified ransom. According to the note, the file decryption software costs $490 if the victim writes to the attackers within 3 days. Otherwise, the decryption price will be $980. The note contains two email addresses to contact the criminals: helpteam@mail.ch or helpmanager@airmail.cc.
The aim of this virus’ is to encrypt the victim’s personal files, thus making them inaccessible to the victim. Of course, the owner of these files (the victim) most likely wants to recover such data as information we store on our computers is obviously valuable to us – either related to work or personal matters. Therefore, the ransomware operators provide a ‘solution’: the victim has to pay the required sum of money to them to be able to open these files ever again. They even suggest a test decryption service, which allows restoring one small encrypted file for free.
However, the price for a fully functional SSPQ file decryption key ranges from $490 to $980, depending on how fast the victim reaches out to the criminals and pays. Clearly, the attackers want to receive the ransom in cryptocurrency to remain anonymous. Other payment methods will be refused by the virus’ developers.
Geek’s Advice team experts agree with FBI‘s suggestions regarding ransom payments: DO NOT PAY THE RANSOM. Some of the reasons why you shouldn’t are:
- Cybercriminals might disappear the same minute you complete the money transaction, so do not expect that paying the ransom automatically guarantees data recovery. Besides, even if they will provide you with decryption means, they might not function properly.
- Keep in mind that paying the ransom might be illegal in your country of residence.
- We do not support ransom payments because criminals already rake up millions in ransoms yearly. The amount of money they collect directly contributes to further operations and invites other people to join in.
- Variants of STOP/DJVU ransomware, including SSPQ virus, install AZORULT Trojan on compromised computers. This malware variant is capable of stealing all sorts of data from your computer that can possibly be used to blackmail the victim later. Do not waste your money on such sneaky attackers!
Ransomware damage explained: what really happened during the attack?
SSPQ ransomware starts the attack by launching a winupdate.exe process, a deceptive process that displays a fake pop-up imitating Windows update process. This pop-up is meant to trick the victim into thinking that a sudden system slowdown is caused by ongoing Windows updates and not some kind of suspicious virus on a computer. In other words, the virus tries to lower victim’s suspicion.
Next, the malware deletes Volume Shadow Copies from a computer and modifies Windows HOSTS file by adding a list of restricted domains to it. In general, all of these domains publish computer-related information as well as how-to guides, and it is believed that virus’ authors try to ban these domains so that the victim couldn’t reach any important information online. As a result, victims trying to access one of these sites directly or via search results will run into DNS_PROBE_FINISHED_NXDOMAIN error.
Finally, the ransomware encrypts all personal files on a computer using a military-grade encryption algorithm. The malware affects not the whole file but the very first 150KB of it, therefore some video and image files can still be restored with minimal data loss. On the other hand, other files will be corrupted in a way that they become impossible to open or view. For more information about STOP/DJVU file decryption, please refer to this guide.
Additional and severe damage caused by this ransomware is the installation of AZORULT Trojan. This threat is widely recognized as a powerful Remote Access Trojan (RAT) that can be used by attackers to remotely carry out tasks on the victim’s computer. To provide a better understanding of what an attacker can do with this virus, we provide a shortened list of its functionalities:
- View or delete files on victim’s computer;
- Download malware from external resources;
- Steal Steam, Telegram login credentials;
- Steal cryptocurrency wallets;
- Grab browser cookies, saved passwords, browsing history and more.
In order to stop attackers from exploiting you further, we cannot stress this enough how important it is to remove SSPQ ransomware virus and other malware as soon as possible. To ensure a professional computer cleanse, we recommend using instructions provided below this article. We also recommend using a trustworthy virus removal software. Our team also suggests downloading RESTORO to repair virus damage on the system.
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Ransomware Summary
| Name | SSPQ Ransomware Virus |
| Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
| Family | STOP/DJVU |
| Encryption type | RSA Salsa20 |
| Previous versions | VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here) |
| Version | 304th |
| Extension | .sspq |
| Damage | The ransomware uses RSA Salsa20 to encrypt files on the victim’s computer. As a result, encrypted files become impossible to open. The malware appends additional extensions to encrypted files to make them more distinguishable. The ransomware deletes VSS and modifies Windows HOSTS file by adding a list of blocked Internet domains. Additionally, the virus drops _readme.txt notes in every computer folder. |
| Ransom note | _readme.txt |
| Ransom demand | $490-$980 in Bitcoin |
| Distribution | The ransomware spreads via illegal torrent downloads, cracked software, key generators or tools like KMSPico. |
| Detection names | Trojan:Win32/Glupteba (Microsoft), Glupteba.Backdoor.Bruteforce.DDS (Malwarebytes), TR/AD.InstaBot.bfsbw (Avira), HEUR:Exploit.Win32.Shellcode.gen (Kaspersky), Trojan.GenericKD.36669904 (B)(Emsisoft), W32.Trojan.Gen (Webroot) see all detection name variations on VirusTotal |
| Removal | Remove ransomware and associated threats from your PC using robust malware removal software such as INTEGO Antivirus. Next, we strongly advise scanning with RESTORO to repair virus damage on Windows OS files. |
Ransomware distribution techniques
Ransomware-type computer viruses are spread using quite traditional malware distribution techniques. When it comes to STOP/DJVU ransomware family, it seems to be spread using one main technique – illegal downloads. In fact, almost all victims affected by variants of this ransomware family appear to catch this PC infection after downloading software or game versions including cracks or keygens. Some of the victims also reported downloading the malicious payload via KMSPico variants. Most of these files can be brought to the computer via peer-to-peer file sharing agents (uTorrent, BitTorrent and others). These programs aren’t dangerous themselves, but they do not check files for malware at all.
The thing that worsens the situation and makes this distribution tactic extremely successful is that most computer users want to get paid software versions for free so bad so that they choose to ignore their security software alerts about potentially malicious downloads.
The main issue here is that many people believe that antivirus programs falsely mark all downloads including cracks as dangerous, therefore there is nothing to be afraid of. Unfortunately, these aren’t false-alarms, and even if you notice nothing suspicious after installing the cracked software, it doesn’t mean things are okay. For example, you might get infected with silent malware such as RAT or a cryptocurrency miner.
It goes without saying that if you want to keep your computer safe, you should only download programs from trustworthy and legitimate online sources. Therefore, if you are in need of specific software or game, make sure you go to its official developer’s website. All attempts to install paid products for free can end in a severe computer infection. Besides, software licenses rarely cost more than hefty ransom amounts demanded by cybercriminals.
A widely known ransomware distribution technique is closely tied to email spam campaigns. The attackers typically get access to leaked email databases and use these to send deceptive emails for thousands of potential victims. In most cases, the attackers pretend to be someone from well-known companies sending an important document for the victim, such as invoice or missing/pending payment details. Another important thing to say is that the attackers are capable of injecting malicious scripts in various file formats nowadays. The message in such deceptive emails typically urges to open the attached invoice/missing payment/document and reply back shortly. To strengthen victim’s trust in such email, the attackers leverage email spoofing techniques. You can learn more about these techniques here. We strongly recommend you to be cautious when it comes to email attachments and only interact with emails that you expected to receive. If you click on links or attachments without thinking, your computer might get severely infected in no time.
Finally, we must mention that other ransomware strains have been observed to distribute fake STOP/DJVU decryption tools hiding second ransomware payload in them. In other words, if you come across a deceptive decryption tool, opening it can execute second ransomware which will double-encrypt your files. One of such viruses that’s known for usage of this distribution technique is ZORAB.
Remove SSPQ ransomware virus and decrypt or repair your files
We kindly suggest you remove SSPQ ransomware virus from your computer using free instructions provided down below. To ensure a smooth virus’ removal procedure, stay careful and do not miss a step. Finally, we strongly recommend you to repair virus damage on your computer using software like RESTORO.
Once SSPQ virus removal, we recommend you to take the following actions:
- Report Internet crime case to an authority responsible for handling such incidents in your country. We have provided some references below this guide.
- Search for data backups if you have them. Make sure you use them only after completely deleting malware from your computer, or the backup might get encrypted as well.
- Use these instructions to decrypt or repair files affected by STOP/DJVU versions.
- We suggest changing all of your passwords (especially for accounts saved in browser) due to the Azorult’s activity.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
SSPQ ransomware virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove SSPQ ransomware virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove SSPQ ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt SSPQ files
Fix and open large SSPQ files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
- Create a copy of encrypted file to a separate folder using Copy > Paste commands.
- Now, right-click the created copy and choose Rename. Select the SSPQ extension and delete it. Press Enter to save changes.
- In the prompt asking whether you want to make the changes as file might become unusable, click OK.
- Try opening the file.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. SSPQ ransomware virus is considered the new STOP/DJVU variant, just like VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt SSPQ files, follow the given tutorial.
- Download the decryption tool from Emsisoft.
- Click the little arrow next to your download and choose Show in Folder.
- Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
- In UAC window, click Yes.
- Click Yes to agree to software terms in both windows.
- The tool will automatically include C:// disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work. - Click Decrypt to start restoring SSPQ files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.
Meanings of decryptor's messages
The SSPQ decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your SSPQ extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of SSPQ ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
Frequently Asked Questions
You can only open SSPQ files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official SSPQ decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake SSPQ decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Recent Posts
Private Internet Access Review 2022: Fast, Secure & Cheap VPN
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
Remove XCBG Ransomware Virus (DECRYPT .xcbg FILES)
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
Remove BPQD Ransomware Virus (DECRYPT .bpqd FILES)
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
Remove KQGS Ransomware Virus (DECRYPT .kqgs FILES)
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
Remove VTYM Ransomware Virus (DECRYPT .vtym FILES)
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
Remove FOPA Ransomware Virus (DECRYPT .fopa FILES)
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
View Comments
Hi, my name is Eko from Indonesia
all my data in my laptop now with .sspq
I have try any way, but still can not open normally my data.
So should you help me with send me the key to open .sspq
Thank you for your help