
Qewe Ransomware

Posted: May 1, 2020

The Qewe Ransomware is a file-locking Trojan that's part of the STOP Ransomware's Ransomware-as-a-Service. Users with compromised PCs may experience symptoms ranging from blocked media (documents, databases, etc.) to issues with browsing websites or fake pop-ups. Anti-malware products may remove the Qewe Ransomware infections but can't recover files, which necessitates the existence of a suitably-secured backup.

The Trojan Service that's Intent on Never Stopping

The STOP Ransomware is easily among the most ironic cases of theme-naming for a family of file-locker Trojans. Like the Scarab Ransomware, the Globe Ransomware, and other Ransomware-as-a-Services, it continually produces offshoots in campaigns under the administration of third-party threat actors. Although the Qewe Ransomware is a new example, appearing in the spring of 2020, it has most of the attributes of ancestors like the Domn Ransomware, the Fedasot Ransomware, the Msop Ransomware and the Todar Ransomware.

Samples of the Qewe Ransomware, while available for examination in public threat databases, show few signs of how they're propagating in the wild. If they use the same strategies as past campaigns from the STOP Ransomware rental-based family, they may compromise servers after brute-forcing admin accounts, or use the more random option of disguised downloads like illicit torrents. In either case, the Qewe Ransomware targets Windows environments and is a download of negligible, sub-one-megabyte file size.

The Qewe Ransomware uses a secure encryption routine for locking file formats that might be worth ransoming, such as documents, pictures, spreadsheets, and other widely-used data types. It also appends a unique extension, from which it takes its name, although this feature is strictly for cosmetic/identifiability purposes. While doing so, it may distract victims with fake Windows update UIs, which malware experts often find in versions of this family.

Dealing with the Side Effects of a Trojan Family's Cash Flow

Although the Qewe Ransomware offers a data-restoration service, paying into it carries non-negligible risks. Users may lose their money and get nothing back, or receive a decryption service that doesn't restore the files correctly. There are also cases, albeit rare, of threat actors using their 'free demonstration' services to launch additional attacks, such as by disguising an executable as an 'unlocked' file. As a rule, malware experts recommend interacting with threat actors very cautiously and eschewing any extortion-based transactions altogether.

The Qewe Ransomware also poses further security risks that aren't usual for file-locker Trojans from most other families. It may coincide with attacks by AZORult, a spyware program that collects passwords. The Trojan also has a feature for blocking security-related websites, which it does merely by changing the Hosts file's entries. Thankfully, users can reverse these changes quickly after dealing with the Trojan.
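A defender-side check for the Hosts-file tampering described above, added here as an example and not code from the original article. The hosts content and domain names are constructed placeholders rather than indicators from the Qewe Ransomware; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not taken from a real sample).
# The blocked domains are placeholders, not Qewe Ransomware indicators.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   antivirus-vendor.example
0.0.0.0   www.antivirus-vendor.example
127.0.0.1 malware-research.example   # appended by the Trojan
"""

# Addresses that blackhole a name when used as a hosts-file target.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and must not be flagged.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and unparseable lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address; not a hosts entry
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries


def find_blocked_hosts(text):
    """Hostnames sinkholed to loopback/null addresses, excluding the standard local names."""
    return sorted({name for ip, name in parse_hosts(text)
                   if ip in SINKHOLE and name not in BENIGN_NAMES})


def cleaned_hosts(text):
    """Hosts-file text with the sinkhole lines removed, for restoring the original file."""
    blocked = set(find_blocked_hosts(text))
    kept = []
    for raw in text.splitlines():
        names = {n.lower() for n in raw.split("#", 1)[0].split()[1:]}
        if not names & blocked:
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

Run `find_blocked_hosts` over the live file to list sinkholed security domains, then write `cleaned_hosts` back only after the Trojan itself has been removed, so the entries are not re-added.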

Most anti-malware products will flag and delete the Qewe Ransomware very readily thanks to the family's minimal effort at obfuscation. Users also should change passwords as soon as possible after disinfection to limit further attacks from the same threat actor.

Users endangering themselves with poorly-selected passwords or illicit download trafficking are at high risk of becoming the Qewe Ransomware's next targets. With encryption being an aggressive tool that's available to threat actors worldwide, there's little point in assuming that your PC, or its files, are immune to the consequences of careless security habits.
