A New Self-Replicating Malware ‘qkG Ransomware’ Targets Only Word Documents

Cyber security researchers from Italy have discovered a new security flaw that mainly affects almost all versions of MS Office. This vulnerability can let the cyber extortionists to create and distribute macro-based self-replicating malware named ‘qkG Ransomware’ and hide it behind unsuspecting Microsoft Word documents. According to the malware analysts, a self-replicating malware is not a new type of virus and Microsoft has already introduced security mechanism that can limit the virus’ functionality. However, qkG Ransomware have the ability to evade the Microsoft’s security controls quite easily.

Based on the latest research report published by a reputed security firm on November 22nd reveals that a new strain of nasty malware has been developed by the criminal hackers dubbed as ‘qkG Ransomware’ which exploits the feature of MS Office. Instead of an actively used virus, this ransomware looked more like an ‘experimental project’ or a ‘proof of concept’. The malware uses a deceptive technique which allows the execution of harmful macros once the Microsoft Word document is closed. qkG Ransomware is a single file-encrypting virus which is written in the Visual Basic for Applications macros.

qkG Ransomware

Unlike regular ransomware viruses which uses macros only to download the malware executable, qkG Ransomware employ harmful Auto Close VBA macros also used by the variant of Locky Ransomware known as ‘Lukitus Ransomware’ which allows executing macros once the document is closed. The first sample of this ransomware was uploaded from the IP address located in Vietnam which shows that the virus includes a Bitcoin wallet address in a displayed ransom notification and asked the amount of 300 USD. This ransomware mainly spreads with the help of spam email attachments which includes Word documents with harmful VBA code.

Furthermore, qkG Ransomware uses XOR cipher in order to encode the Word files. Depth-analysis revealed that there is no ransom payment had been to the provided Bitcoin wallet address which shows that the malware hasn’t targeted anyone and the ransomware still uses the hard-coded password: ‘I’m [email protected]! by [email protected]’. Typically, the ransomware threats targets as much file types as possible, but the qkG Ransomware only encrypts MS Word documents. It is especially programmed by the hackers to encode only opened Word files. Besides, it uses autostart macro command i.e. ‘Document_Open()’ to the targeted files and makes several copy of itself.

In addition, the file encryption process starts when the infected users closes the document. Therefore, to avoid such vicious attack refrain opening the files attached to spam email arrived from unknown sources and remove qkG Ransomware as soon as possible once it infects your PC. Also, try alternative method for file restoration instead of paying asked ransom money. For complete removal of this ransomware, you can employ a credible anti-malware tool and try to use the best file recovery software in order to restore the Microsoft Word files encoded by qkG Ransomware. Meanwhile, you must perform the file recovery procedure after the successful elimination of this ransomware from your infected Windows machine.

Leave a Comment

Your email address will not be published. Required fields are marked *