Qewe Ransomware

By GoldSparrow in Ransomware

The Djvu Ransomware family has released a significant number of variants in the past months, and security researchers just uncovered its latest version, which they named Qewe Ransomware. The Qewe Ransomware is a very deceptive threat. The Qewe Ransomware can execute its harmful actions stealthily, so that its victims may be aware of its presence only when the damage is done. The damage we are talking about is that the Qewe Ransomware will scan your computer looking for your crucial files, and when its selection is complete, it will use a highly effective encryption method to make them useless.

What Does Qewe Ransomware Do?

The most significant feature of Qewe is that it locks files behind strong encryption algorithms to extort money from users. If you notice that you can't access your files and they have a new extension, .qewe, then your computer likely has Qewe ransomware. The altered file extension is proof that the data has been encrypted, and it is already too late to stop the virus from doing any more damage.

Most Qewe ransomware infections happen in stages. The infection starts with a fake popup about a Windows update or something similar. Encrypting the hard drive can slow the computer down and take up resources, and the fake update gives users a reason not to find that slowdown suspicious.

When the Qewe Ransomware finishes its encryption process, it will exhibit its ransom note in a file named 'readme.txt,' which has information about what happened with the files, the ransom amount they demand, how to contact its developers and more. The ransom note reads:

'ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-svMd2A4k89
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
helpmanager@mail.ch
Reserve e-mail address to contact us:
helpdatarestore@firemail.cc
Your personal ID:'

As we can see, they say that the victim can send one encrypted file to be decrypted for free to prove that their decryption tool works. The ransom amount they demand is $980, but early birds (those who contact the criminals within 72 hours of being infected) will get a 50% discount and need to pay 'only' $490. The note also provides two email addresses for contacting the perpetrators: helpmanager@mail.ch and helpdatarestore@firemail.cc.

Victims should never pay the ransom in cases like this. Establishing contact with attackers and sending them money opens you up to even more problems, the least of which is that you won't get the decryption key you were promised.

No Third-Party Decryption

One problem with Qewe is that it used to be possible to decrypt it without paying the ransom. Versions of the virus that came out before August 2019 could be decrypted easily. Qewe didn't connect to an online server, so the same key could be used to unlock as many systems as needed.

The updated version connects to the internet each time it encrypts a machine, meaning that users are assigned unique victim IDs. It may be possible to decrypt your data using a public tool if the ransom note ends in t1, but other than that, it is impossible.
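The indicators described above (the .qewe extension, the 'readme.txt' note, the two contact addresses and the t1 ending) can be checked with a read-only triage script. This is an added example, not code from the original article or from any decryption tool; the function names are hypothetical, and it assumes that "ends in t1" refers to the personal ID, which is the last field of the note.

```python
import os
import re
import tempfile

# Indicators taken from the article: extension, note name, contact addresses.
EXTENSION = ".qewe"
NOTE_NAME = "readme.txt"
NOTE_MARKERS = ("helpmanager@mail.ch", "helpdatarestore@firemail.cc")
ID_LINE = re.compile(r"Your personal ID:\s*(\S+)", re.IGNORECASE)


def parse_note(text):
    """Return (is_qewe_note, personal_id or None) for a ransom-note body."""
    is_note = any(marker in text for marker in NOTE_MARKERS)
    match = ID_LINE.search(text)
    return is_note, (match.group(1) if match else None)


def triage(root):
    """Walk root and summarise Qewe indicators without modifying anything."""
    report = {"encrypted": [], "notes": [], "ids": set()}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower().endswith(EXTENSION):
                report["encrypted"].append(path)
            elif name.lower() == NOTE_NAME:
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        is_note, pid = parse_note(fh.read(65536))
                except OSError:
                    continue  # unreadable file: skip it and keep scanning
                if is_note:
                    report["notes"].append(path)
                    if pid:
                        report["ids"].add(pid)
    # Assumption: the article's "ends in t1" is tested against the personal ID.
    report["public_tool_candidate"] = any(i.endswith("t1") for i in report["ids"])
    return report


def demo():
    """Triage a constructed sample tree (placeholder ID, not a real victim ID)."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "budget.xlsx.qewe"), "wb").close()
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("ATTENTION!\nhelpmanager@mail.ch\nYour personal ID:\nEXAMPLEID0000t1\n")
        r = triage(root)
        return len(r["encrypted"]), len(r["notes"]), r["public_tool_candidate"]
```

Run `triage()` against a mounted copy or image of the affected disk rather than the live system, so the inventory of encrypted files and the recovered ID are collected before cleanup changes anything.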

Qewe is part of an active ransomware family. New versions appear all the time. All of these versions use the same ransom note and offer, but the code is changed just enough to make Qewe more challenging to spot and remove.

Data Recovery

You must take steps to remove Qewe ransomware from your computer as quickly as possible. Removing the virus prevents it from causing permanent damage to your machine. The encrypted data could be lost if you don't keep backups of it, but the sooner you eliminate the malware, the better.

Qewe does more than just lock data away: it also damages system files and changes system functions. There are plenty of software tools you can use to undo the damage caused by malware that isn't directly related to file encryption.

Unfortunately, there are no easy fixes when it comes to data recovery. The victim ID is needed to restore files, so there is no way to do it unless the malware database is leaked. Removing the virus won't help restore your data, but it does prevent your files from being encrypted again. The only way to safely restore lost data is by using a backup. The more backups you have, the better prepared you are for threats like Qewe and other ransomware.
