PC security researchers reported the Qnbqw Ransomware, an encryption ransomware Trojan, on June 14, 2018. The main purpose of the Qnbqw Ransomware is to take the victims' files hostage and then demand payment of a ransom to return access to the affected files. The victims of the Qnbqw Ransomware attack are instructed to contact the criminals via the email address 'email@example.com' and will be asked to pay a ransom via cryptocurrency. The Qnbqw Ransomware, like many other similar threats, is distributed primarily through corrupted spam email attachments. These attachments often take the form of files with embedded macro scripts, carried in emails that impersonate legitimate messages from companies such as Facebook, Amazon, PayPal, etc.
Symptoms of the Qnbqw Ransomware Trojan's Presence
The Qnbqw Ransomware behaves in a way that is nearly identical to many other encryption ransomware Trojans that are currently active. The Qnbqw Ransomware targets user-generated files in its attack, searching the victim's computer for files that match a list of file formats in the Qnbqw Ransomware's configuration files. The following are examples of the files that threats like the Qnbqw Ransomware will target in their attacks:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
The Qnbqw Ransomware will target files on all local drives, as well as removable memory devices linked to the infected computer and directories shared on a network. The Qnbqw Ransomware will mark the files it encrypts with the file extension 'qnbqx,' which it appends to the end of each affected file's name. These files will no longer be readable and will not be recognized by Windows Explorer. They will show up on the victim's computer with generic blank icons and cannot be opened with the victim's applications.
The Qnbqw Ransomware's Ransom Note
The Qnbqw Ransomware delivers a ransom note in the form of a text file named 'Notice.txt.' Several different texts have been linked to the Qnbqw Ransomware's ransom note. An example of a typical message that may appear in a ransom note linked to a threat like the Qnbqw Ransomware reads:
'Your files was encrypted using AES-256 algorithm. Write me to e-mail: qnbqwqe@protonmail[.]com to get your decryption key.
Your USERKEY: [1024 random characters]'
The ransom amount can vary quite a bit between different encryption ransomware Trojans. Ransomware campaigns similar in size and scope to the Qnbqw Ransomware have demanded 600-800 USD, to be paid via Bitcoin. Malware researchers, however, strongly advise computer users not to pay this amount. The probability that the criminals will provide the decryption key after the victim has paid is almost nonexistent. It is equally likely that the victim will become exposed to additional attacks and tactics.
Dealing with the Qnbqw Ransomware
The most effective way of dealing with threats like the Qnbqw Ransomware is to keep up-to-date file backups, which should be stored in the cloud or on portable memory devices. With file backups, the victims of the Qnbqw Ransomware attack can recover from the attack without needing to contact the criminals responsible for it. It is also crucial to use a security program that is fully up-to-date.
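To scope what has to be restored from backup, the two indicators described above (the appended 'qnbqx' extension and the 'Notice.txt' note) can be searched for across a drive or share. The Python script below is an added example, not part of the original report; the function names, the sample directory tree and the choice to match the note on the strings "AES-256" and "USERKEY" from the quoted sample text are assumptions.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".qnbqx"            # extension the report says is appended
NOTE_NAME = "notice.txt"               # ransom note file name from the report
NOTE_MARKERS = ("AES-256", "USERKEY")  # assumption: strings from the quoted sample note

def is_ransom_note(path: Path) -> bool:
    """True if the file is named Notice.txt and contains every marker string."""
    if path.name.lower() != NOTE_NAME:
        return False
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return all(marker in text for marker in NOTE_MARKERS)

def triage(root):
    """Walk root and report encrypted files, ransom notes and affected directories."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                # The suffix is appended, so stripping it gives the original name.
                encrypted.append((path, name[: -len(ENCRYPTED_SUFFIX)]))
            elif is_ransom_note(path):
                notes.append(path)
    affected_dirs = sorted({str(p.parent) for p, _ in encrypted})
    return {"encrypted": encrypted, "notes": notes, "affected_dirs": affected_dirs}

def build_sample_tree(base: Path) -> Path:
    """Constructed sample data: two marked files, one note, one benign Notice.txt."""
    for d in ("docs", "pics"):
        (base / d).mkdir()
    (base / "docs" / "budget.xlsx.qnbqx").write_bytes(b"\x00" * 16)
    (base / "pics" / "trip.jpg.QNBQX").write_bytes(b"\x00" * 16)
    (base / "pics" / "keep.png").write_bytes(b"\x89PNG")
    (base / "docs" / "Notice.txt").write_text(
        "Your files was encrypted using AES-256 algorithm.\nYour USERKEY: " + "A" * 1024)
    (base / "pics" / "notice.txt").write_text("Parking notice: lot closed Friday.")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = triage(build_sample_tree(Path(tmp)))
        for path, original in report["encrypted"]:
            print(f"encrypted: {path} (was {original})")
        print("ransom notes:", [str(n) for n in report["notes"]])
```

Pointing triage() at a mounted drive or share gives the list of original file names to pull from backup and the directories that were reached.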