The ransom note provided by QQQR ransomware explains how the pricing of the decryption tool works. According to the criminals, the victim has three days to contact the criminals to get 50% discount. This means the decryption software will cost $490. If the victim delays, the decryption price will be set to $980. In one case or another, the attackers will only accept the payment in cryptocurrency, most likely Bitcoin, to avoid getting tracked down. The ransom note contains two email addresses of the ransomware operators – support@sysmail.ch and helpsupportmanager@airmail.cc which can be used to contact them. The note also suggests sending one small encrypted file for test decryption. Cybersecurity experts advise following FBI guidelines regarding ransom payments. In short, you should NOT PAY THE RANSOM. First of all, it doesn’t guarantee data recovery. Second, transferring your money to cybercriminals only fuels the ransomware cycle and funds further malware attack operations. Finally, be aware that the latest STOP/DJVU variants tend to drop information-stealing Trojans like VIDAR or AZORULT and they can be used to collect sensitive data from your computer, only to be used for blackmailing you later. If your computer was compromised by this severe malware variant, we strongly advise you to remove QQQR ransomware virus as soon as you can. This can be done safely after booting your PC in Safe Mode with Networking. We recommend using a robust antivirus software to identify and eliminate all malicious components from your computer automatically. If you do not have such security software yet, we suggest using INTEGO Antivirus, which also provides real-time protection from dangerous downloads and deceptive websites. Another tool that can come in handy in this situation can be downloaded here – RESTORO. It is typically used to repair virus-altered Windows OS files.
Ransomware Summary
REPAIR VIRUS DAMAGE
Ransomware distribution explained
Ransomware-type computer viruses usually hide in deceptive online downloads (mostly torrents and pirated software versions), email attachments and fake software update tools advertised via rogue advertising networks. When it comes to STOP/DJVU variants like QQQR virus, the primary distribution method is based on illegal software downloads. We do not recommend searching for illegal software copies on rogue websites online offering you 100% working, free and full versions of paid software. Paying for a legitimate software license is the only way to get real and safe programs for your computer. Cybercriminals prey for victims by uploading fake software versions on a variety of websites (there is a whole set of them luring potential victims into downloading archived malware named as installers). Besides, none of them contain the actual software computer users are looking for. By opening and running such downloads, your computer will get immediately contaminated with complex and severe computer viruses such as ransomware that will leave all of your data encrypted. Victims of STOP/DJVU ransomware report getting infected after downloading fake and illegal versions of such popular software:
Opera browser;Fifa 20;Tenorshare 4ukey;League of Legends;Adobe Photoshop;Corel Draw;Cubase;Adobe Illustrator;AutoCad;Internet Download Manager;VMware Workstation;KMSPico (illegal Windows activation tool) and others.
Another technique used by ransomware distributors is based on malicious email spam. The attackers create convincing email messages that usually urge the target to open files attached to the email. These files may be named as invoices, order summaries, parcel tracking details and similar. They may come in PDF, DOCX, XLS and other data formats, but do not be deceived – these file formats can contain malicious script used to download and run ransomware on your computer. For this reason, you should be very careful and inspect every email you receive with great caution. Avoid opening email attachments or clicking inserted links out of curiosity and ask yourself whether you were awaiting for such email to arrive. Moreover, look out for red flags such as unfamiliar greeting line, typo errors or spoofed email address. Finally, never agree to install software updates from aggressive pop-up ads that launch on your screen during your web browsing sessions. Sometimes, cybercriminals use these installers as a disguise to deliver various malware to your computer. If you think that you need to check for updates, go to the official website of a specific program and check for updates there. Moreover, you can update most of the programs via their settings. One more ransomware distribution technique that you should be wary of is fake ransomware decryption tools. In case of a ransomware attack, victims often go to web search and try to look for decryption tools on a variety of websites, hoping to find a solution that could restore all of encrypted files back. Sadly, this can end up in even worse damage for your files, because operators of other ransomware strain might be awaiting for you with a fake decryption tool uploaded online. One of such ransomware strains that’s known for using this technique is called ZORAB; it used to distribute the malware in a form of a fake STOP/DJVU decryptor. If you want to learn about possible solutions to decrypting or repairing files affected by STOP/DJVU, read this guide.
Modus operandi of this file-encrypting virus
QQQR file ransomware arrives in a form of a fake pirated software installer and typically launches as an executable named with 4 random characters. For example, it may be named 1B7G.exe, 6GN7.exe or similarly. This process is responsible for various functions including encryption of victim’s data. It usually downloads helper executables called build.exe and build2.exe. In some cases, it might also drop winupdate.exe process which displays a fake Windows update screen. The reason why this fake screen is displayed for the victim is to trick the computer user into thinking that the sudden system slowdown occurs due to ongoing operating system updates. The ransomware requests a response from https[:]//api.2ip.ua/geo.json and saves the result into geo.json file. This file contains details about the infected computer’s geolocation, including country code, name, city, zip code, longitude, latitude and other details. The virus then checks if the computer’s country matches one from its exception list. An interesting detail here is that the malware ceases its operations in case the compromised computer is located in one of the following countries: Russia, Ukriane, Belarus, Tajikistan, Uzbekistan, Syria, Kazachstan, Kyrgyzstan, or Armenia. The virus also collects details about the infected computer’s hardware, installed software and active processes list. It also finds out the infection timestamp, computer user’s name, keyboard languages, display resolution, operating system version and other information and saves the collected data into a file called information.txt. This file will be sent to the criminals Command&Control server along with a screenshot of victim’s desktop. The virus then attempts to request an online encryption key from its server. If the network connection fails, the ransomware falls back into offline encryption mode and uses a hardcoded key for data corruption instead. Each victim will get a unique personalID assigned to them for victim identification. The malware saves the encryption key and ID into file named bowsakkdestx.txt and the ID separately to PersonalID.txt as shown below. At this point, you should know that PersonalID.txt file (which can be found in C:\SystemID\ folder) can help you identify whether online or offline encryption was used on your files. If it was the offline version, your ID string should end in t1 characters. It gives you hope to decrypt files for free in the future, in case you do not have a data backup now. See more information on this in this article. The ransomware encrypts all files using Salsa20 + RSA-2048-bit key encryption. After encrypting a file, this ransomware also appends .qqqr extension to its original file name. You can see a screenshot of affected data folder in the screenshot below. In every scanned folder, the ransomware drops _readme.txt note. You can see contents of it below. The virus also gets rid of Volume Shadow Copies from the system using the following command: vssadmin.exe Delete Shadows /All /Quiet In some cases, this ransomware modifies Windows HOSTS file by adding a list of domains to restrict access to. It is believed that cybercriminals are trying to prevent the victim from finding relevant information regarding ransomware attacks online. If the victim attempts to visit one of the blocked websites online, errors equivalent to DNS_PROBE_FINISHED_NXDOMAIN code will appear in web browser.
Remove QQQR Ransomware Virus and Decrypt Your Files
Computer users affected with this kind of malware should take action and remove QQQR ransomware virus without a delay. We also recommend backing up encrypted files and reporting the cybercrime incident to local law enforcement agency. Finally, it is recommended to change all the passwords used on the compromised machine since the Trojan dropped on it can steal them and put them to a bad use. To initiate QQQR virus removal, we recommend booting your computer in Safe Mode with Networking as explained in the guide below. Manual ransomware removal isn’t something that an average computer user should do; leave it to a professional antivirus software of your choice. Our team recommends using INTEGO Antivirus to identify and remove malware as well as protect your computer from future attacks. You may also want to download RESTORO to repair Windows OS files damaged by computer malware. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove QQQR Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove QQQR Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt QQQR files
Fix and open large QQQR files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. QQQR Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt QQQR files, follow the given tutorial.
Meanings of decryptor’s messages
The QQQR decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your QQQR extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of QQQR Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.
