At the beginning of August 2019, malware researchers spotted a brand-new ransomware threat. Its name is the Q1G Ransomware, and upon further inspection, this threat was revealed to be part of the Dharma Ransomware family. It is a common practice among cyber crooks to base a new ransomware threat on the code of already established file-encrypting Trojans.
Propagation and Encryption
Cybersecurity experts have been unable to determine with any certainty which infection vectors are involved in the propagation of the Q1G Ransomware. Some believe that the creators of this ransomware threat may be using some of the classic propagation methods – emails that contain infected attachments, bogus application updates, and pirated or fake copies of legitimate software tools. If the Q1G Ransomware succeeds in compromising your PC, it will scan it to reveal the locations of the files that this data-locking Trojan was programmed to target. Then this ransomware threat will begin encrypting all the targeted files. Upon locking a file, the Q1G Ransomware amends its filename. This Trojan adds a '.id-
The Ransom Note
Then, the Q1G Ransomware will drop a ransom note. As this ransomware threat is a variant of the Dharma Ransomware, it technically has two ransom notes: 'FILES ENCRYPTED.txt' and 'info.hta'. The text file states:
'All your data is encrypted!
for return write to mail:
While the '.hta' file presents the user with a window containing a message reading:
All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL email@example.com
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL:firstname.lastname@example.org
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The attackers never mention what ransom fee would be demanded from the victim. It appears that they expect the user to contact them via email at 'email@example.com' for further instructions. They offer to decrypt one file sent by the victim free of charge, as long as its size is not bigger than 1MB.
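As an added example (not code from the original report or from any vendor), the following Python triage script sweeps a directory tree for the two indicators this page names: the ransom note filenames 'FILES ENCRYPTED.txt' and 'info.hta', and filenames carrying the '.id-' marker the Trojan inserts. The hex victim ID expected after the marker and the suffix used in the constructed sample filenames are assumptions, since the page cuts off the naming scheme. The sample directory it builds is constructed for the demonstration and contains no real malware artefacts.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Ransom note filenames stated on the page for this Dharma variant (matched case-insensitively).
RANSOM_NOTE_NAMES = {"files encrypted.txt", "info.hta"}

# The page states the Trojan inserts an '.id-' marker into each encrypted filename.
# ASSUMPTION: a hex victim ID follows the marker (the note shows an ID like 1E857D00);
# the page truncates the rest of the naming scheme, so nothing beyond the ID is matched.
ENCRYPTED_NAME_RE = re.compile(r"\.id-[0-9A-Fa-f]{6,}")


@dataclass
class ScanReport:
    ransom_notes: list = field(default_factory=list)     # paths of dropped notes
    encrypted_files: list = field(default_factory=list)  # paths with the '.id-' marker
    affected_dirs: set = field(default_factory=set)      # directories holding either indicator

    @property
    def suspected_infection(self) -> bool:
        # Either indicator alone is enough to warrant a closer look at the host.
        return bool(self.ransom_notes or self.encrypted_files)


def classify_name(name: str) -> str:
    """Classify a bare filename as 'ransom_note', 'encrypted' or 'clean'."""
    if name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if ENCRYPTED_NAME_RE.search(name):
        return "encrypted"
    return "clean"


def scan_tree(root: str) -> ScanReport:
    """Walk a directory tree and collect both indicators into a report."""
    report = ScanReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            kind = classify_name(name)
            if kind == "clean":
                continue
            full = os.path.join(dirpath, name)
            if kind == "ransom_note":
                report.ransom_notes.append(full)
            else:
                report.encrypted_files.append(full)
            report.affected_dirs.add(dirpath)
    return report


def build_sample_tree() -> str:
    """Construct a throwaway directory that mimics a hit folder (constructed sample, empty files)."""
    root = tempfile.mkdtemp(prefix="q1g_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Two untouched files; 'david-notes.txt' checks that 'id-' without the leading dot is ignored.
    for n in ("david-notes.txt", "budget.xlsx"):
        open(os.path.join(docs, n), "w").close()
    # Two renamed files: placeholder ID from the note, '.locked' is a PLACEHOLDER suffix
    # because the page does not show the real one.
    for n in ("report.docx.id-1E857D00.locked", "photo.jpg.id-1E857D00.locked"):
        open(os.path.join(docs, n), "w").close()
    # The two ransom notes named on the page.
    for n in ("FILES ENCRYPTED.txt", "info.hta"):
        open(os.path.join(docs, n), "w").close()
    return root


def run_demo() -> ScanReport:
    """Build the constructed sample tree, scan it and return the report."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    rep = run_demo()
    print("suspected infection:", rep.suspected_infection)
    print("ransom notes:", len(rep.ransom_notes))
    print("files with '.id-' marker:", len(rep.encrypted_files))
    print("affected directories:", len(rep.affected_dirs))
```

Point `scan_tree` at a user profile or file share to get a quick count of how far the renaming spread; the report lists paths rather than deleting anything, so the evidence stays intact for incident response.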
We recommend that you stay away from cybercriminals. They may promise you the world but will rarely deliver it, and you will likely be tricked into giving them cash without receiving anything in return. A safer option is to make sure you obtain a legitimate anti-spyware application, which will wipe the Q1G Ransomware off your PC and keep it safe in the future.