NQSQ ransomware virus was developed with sole aim to illegally take control of victim’s files, making them impossible to open, view, or edit in any way. This is done with a help of cryptography algorithms that are typically used to secure end-to-end information transmission or military-grade secrets. The ransomware works by encrypting the very first 150 KB of a file and then moving to another one, which keeps the entire system attack short and effective. The crooks behind this ransomware offer to sell the file decryption key and software for the victim for a specified price. This is nothing else but pure extortion as victim’s files are taken hostage at this point. If you have fallen victim to ransomware attack, you can try a couple of methods to recover or repair part of encrypted data. Ideally, you should use a data backup that you created before the ransomware attack; unfortunately, not many people have a habit of creating data backups regularly. Therefore, we have provided a lengthy guide on using available decryption tools as well as Media_Repair tool by DiskTuna which can help you to restore some audio and video files with as little data loss as possible. You can find a shortened guide below this article or see an in-depth tutorial here. The _readme.txt note left by NQSQ ransomware threatens the victim by stating that all files such as pictures, videos, documents, archives and other data formats have been encrypted with the strongest cryptography algorithm. The note says that victim can still recover all data and access it like usual, however, the attackers expect the victim to pay for data decryption tool and key. The ransomware operators also suggest sending one encrypted file to them as an attachment to provided emails, offering a “test decryption” service to prove that their words can be trusted and that they can actually restore locked files. The note also says that the test decryption file should not contain any valuable information or they won’t decrypt it. The reason behind this is that the attackers are afraid the victim won’t be considering making the transaction after valuable information is recovered. The ransom note provides conditions regarding the decryption service price as well. The attackers offer the victim a 50% discount if one writes to them within 72 hours from the initial infection timestamp. This means that the decryption would cost $490. However, if the victim delays, the attackers will ask to pay full price, which is $980. Although it isn’t discussed in the _readme.txt file, once contacted, the criminals will ask to make a transaction to their virtual wallet address. Of course, they will only accept cryptocurrency based payments as this helps to keep them untraceable. Geek’s Advice team members, as well as other cybersecurity experts and FBI do not recommend paying a ransom to cybercriminals. Here are some of the reasons why it is wrongful to pay extortionists of such kind:

No matter how much money you transfer to cybercriminals, there are no guarantees that you will get your files back. Many cybercriminals disappear into the thin air after receiving the money.By paying the ransom, you help to keep the ransomware business active. If people stopped paying the ransoms, there would be no motivation for the criminals to continue their operations.Paying a ransom motivates the attackers to initiate even more cyberattacks and infect more computers globally. That said, millions of dollars collected from ransomware victims each year also lures other people to join Ransomware-As-A-Service affiliate scheme.Beware that STOP/DJVU ransomware variants such as NQSQ virus have a tendency to infect target machines with AZORULT Trojan, which is an infamous Remote Access Trojan used to collect sensitive information from the victim’s computer remotely. Using collected passwords and other private details, cybercriminals can continue to blackmail you and extort you further.

REPAIR VIRUS DAMAGE

Modus operandi of this ransomware strain

NQSQ ransomware virus usually arrives in a form of a illegal pirated copy of software, which can be downloaded via various peer-to-peer file sharing agents. Once executed, it runs a couple of build executables that prepare for the actual attack by disabling security software (if possible), checking victim’s geolocation, collecting software and hardware info about the computer and a set of other details. It must be noted that this virus has a country exception list (it won’t launch the final payload if victim’s country matches one from the exception list). Once the initial preparations are complete, the virus tries to connect to its Command&Control server to get a unique online encryption key for the machine. It usually saves it to a file called bowsakkdestx.txt along with victim’s ID. The malware also saves victim’s ID or several of them to a file named PersonalID.txt located in C:\SystemID. However, in situation where the virus fails to get the online key for encryption, it employs a hardcoded offline encryption key. You can identify which key was used in your key by looking at personal ID (available in PersonalID.txt file or at the end of the _readme.txt file). If this string ends in t1, it means that your files were encrypted using offline key. In such case, we strongly recommend waiting until a decryption key gets uploaded to the official decryption tool as explained at the end of this article or here. As mentioned earlier, the virus then starts encrypting all of victim’s files, using the chosen key. During the attack, the ransomware modifies the beginning of each file and also marks affected files by appending .nqsq extension to each of them. Additionally, the virus composes ransom notes called _readme.txt (inserts victim’s ID into each of them) and saves them in every visited file directory. It must be said that the malware tends to bypass system folders to keep the operating system intact and running smoothly. To deceive the victim and justify the sudden system slowdown, the ransomware tends to launch a fake Windows update prompt on the screen. Other modifications done to the system include removal of Volume Shadow Copies and modification of Windows HOSTS file. The Shadow Copies are deleted using this Command Line task: vssadmin.exe Delete Shadows /All /Quiet This prevents the victim from using System Restore points to recover part of the data for free. Speaking of modifications to Windows HOSTS file, the ransomware adds a list of domains to block in it. These websites are known to publish cybersecurity-related content, information on removing computer viruses, or simply user forums where similar topics are discussed. The virus maps these domains to victim’s localhost IP, therefore whenever the victim attempts to visit one of them, DNS_PROBE_FINISHED_NXDOMAIN error will appear in the web browser. Finally, this ransomware might also drop AZORULT malware on the infected Windows machine. It is an infamous Remote Access Trojan which can be used to perform various illegal information-collecting activities on victim’s computer, such as:

Downloading various computer viruses and executing them on the system;Stealing login credentials for various programs, such as Telegram, Steam and other programs;Looking at lists of folder files or deleting them from the victim’s computer;Stealing cryptocurrency wallets and their contents;Stealing browser-saved passwords, browser cookies, browsing history and more.

To protect yourself and your computer from further damage, we strongly recommend that you remove NQSQ ransomware virus as soon as possible. One of the best ways to do it is to use a robust security software while in Safe Mode with Networking. If you don’t have one already, we strongly recommend using INTEGO Antivirus which has a VB100 certification. Afterwards, you might want to download RESTORO to scan your system and repair virus damage to Windows OS files caused by malware.

Ransomware Summary

REPAIR VIRUS DAMAGE

Ransomware distribution explained: how to avoid getting infected

Ransomware-type threats are extremely prevalent nowadays, so it is essential to know their distribution techniques to avoid getting infected. While more sophisticated attacks rely on exploit kits, the majority of threats targeting home computer users are distributed via malicious email attachments or untrustworthy online downloads. NQSQ ransomware arises from STOP/DJVU malware family and these viruses are known to be distributed via malicious online downloads mainly. To be precise, victims report getting infected after attempts to install pirated software copies downloaded via torrent clients. It seems that cybercriminals behind this ransomware tend to inject malicious scripts into software cracks and key generators allegedly designed to activate these premium programs:

Adobe Photoshop;Corel Draw;Tenorshare 4ukey;League of Legends;Cubase;Adobe Illustrator;Windows activation tools such as KMSPico.

Computer users who download illegal software copies face extremely high risk of falling prey to ransomware attacks. Cybercriminals know the demand for free premium software versions, therefore they inject malicious scripts into such files and make them available on various torrent libraries online. Such torrents can be downloaded using peer-to-peer file sharing clients such as uTorrent, eMule and others. These programs do not check for malware in files, however, what is even worse is that computer users often ignore their antivirus software warnings and proceed to open the file because of popular misconception that security software marks all “cracks” as malicious. Sadly, pirated software copies are closely linked with malware infections. Even if you do not notice an immediate sign of computer infection, please remember that there are types of malware that is designed to operate silently (such as cryptocurrency miners, Trojans and others) or that the ransomware inside is set to trigger launch after several days (the attackers can set a time trigger to infectious programs so they would launch after a couple of days or weeks). That said, we strongly recommend you only to get desired software copies from official sources only. Remember that a legitimate software license hardly ever costs more than hefty ransom amounts demanded by cybercriminals. Besides, you should support software developers who work hard to provide you with useful software. Trying to bypass paying them can result in much higher expenses. Another popular way to distribute ransomware is to attach a specifically crafted document to spam emails and send them to numerous recipients at the same time. Cybercriminals tend to use email address listings made available in dark web forums. Most of the time, the attackers pretend to be writing in the name of a reputable company, colleague, or someone you know. The message is usually short and demands to open attached contents immediately. The malicious attachments may be named somewhat like “invoice,” “payment information/details,” “parcel tracking details” or “order information.” To create an even stronger effect, the attackers tend to spoof their email address. Since it gets hard to identify phishing emails nowadays, we strongly recommend you to avoid opening emails that you think you weren’t supposed to receive. Victims of STOP/DJVU ransomware variants such as NQSQ virus should be extremely careful and avoid downloading suspicious file decryption tools as these can carry another ransomware strain payload. For example, another cyber-extortion virus known under a name of ZORAB was noticed hiding in fake STOP/DJVU decryption tools. If you fall into the trap and open such fake decryption tool, your files will get double-encrypted.

Remove NQSQ Ransomware Virus and Decrypt Your Files

If your computer got compromised by the described ransomware variant and now your files are encrypted, the first thing we recommend doing is eliminating malware from your PC. The easiest way to remove NQSQ ransomware virus is booting in Safe Mode with Networking and running a reputable security software such as INTEGO Antivirus to identify and delete existing threats automatically. The software we recommend is well-reviewed and has VB100 certification, which indicates that the antivirus has top-notch malware detection rate. Afterwards, you might want to download RESTORO to repair damage on Windows OS files caused by the virus. If you have completed NQSQ ransomware virus removal, please read the following recommendations:

Get in touch with your local law enforcement authorities and report an Internet crime case. You can find some references below this guide.Use data backup to restore the majority of your files.Follow the given steps to decrypt or repair files affected by STOP/DJVU versions.We also recommend changing your passwords, especially for websites that you save login credentials for in your browser.

OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove NQSQ Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove NQSQ Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt NQSQ files

Fix and open large NQSQ files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. NQSQ Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt NQSQ files, follow the given tutorial.

Meanings of decryptor’s messages

The NQSQ decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your NQSQ extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of NQSQ Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.