The aim of this virus’ is to encrypt the victim’s personal files, thus making them inaccessible to the victim. Of course, the owner of these files (the victim) most likely wants to recover such data as information we store on our computers is obviously valuable to us – either related to work or personal matters. Therefore, the ransomware operators provide a ‘solution’: the victim has to pay the required sum of money to them to be able to open these files ever again. They even suggest a test decryption service, which allows restoring one small encrypted file for free. However, the price for a fully functional SSPQ file decryption key ranges from $490 to $980, depending on how fast the victim reaches out to the criminals and pays. Clearly, the attackers want to receive the ransom in cryptocurrency to remain anonymous. Other payment methods will be refused by the virus’ developers. Geek’s Advice team experts agree with FBI‘s suggestions regarding ransom payments: DO NOT PAY THE RANSOM. Some of the reasons why you shouldn’t are:
Cybercriminals might disappear the same minute you complete the money transaction, so do not expect that paying the ransom automatically guarantees data recovery. Besides, even if they will provide you with decryption means, they might not function properly.Keep in mind that paying the ransom might be illegal in your country of residence.We do not support ransom payments because criminals already rake up millions in ransoms yearly. The amount of money they collect directly contributes to further operations and invites other people to join in.Variants of STOP/DJVU ransomware, including SSPQ virus, install AZORULT Trojan on compromised computers. This malware variant is capable of stealing all sorts of data from your computer that can possibly be used to blackmail the victim later. Do not waste your money on such sneaky attackers!
Ransomware damage explained: what really happened during the attack?
SSPQ ransomware starts the attack by launching a winupdate.exe process, a deceptive process that displays a fake pop-up imitating Windows update process. This pop-up is meant to trick the victim into thinking that a sudden system slowdown is caused by ongoing Windows updates and not some kind of suspicious virus on a computer. In other words, the virus tries to lower victim’s suspicion. Next, the malware deletes Volume Shadow Copies from a computer and modifies Windows HOSTS file by adding a list of restricted domains to it. In general, all of these domains publish computer-related information as well as how-to guides, and it is believed that virus’ authors try to ban these domains so that the victim couldn’t reach any important information online. As a result, victims trying to access one of these sites directly or via search results will run into DNS_PROBE_FINISHED_NXDOMAIN error. Finally, the ransomware encrypts all personal files on a computer using a military-grade encryption algorithm. The malware affects not the whole file but the very first 150KB of it, therefore some video and image files can still be restored with minimal data loss. On the other hand, other files will be corrupted in a way that they become impossible to open or view. For more information about STOP/DJVU file decryption, please refer to this guide. Additional and severe damage caused by this ransomware is the installation of AZORULT Trojan. This threat is widely recognized as a powerful Remote Access Trojan (RAT) that can be used by attackers to remotely carry out tasks on the victim’s computer. To provide a better understanding of what an attacker can do with this virus, we provide a shortened list of its functionalities:
View or delete files on victim’s computer;Download malware from external resources;Steal Steam, Telegram login credentials;Steal cryptocurrency wallets;Grab browser cookies, saved passwords, browsing history and more.
In order to stop attackers from exploiting you further, we cannot stress this enough how important it is to remove SSPQ ransomware virus and other malware as soon as possible. To ensure a professional computer cleanse, we recommend using instructions provided below this article. We also recommend using a trustworthy virus removal software. Our team also suggests downloading RESTORO to repair virus damage on the system.
Ransomware Summary
Ransomware distribution techniques
Ransomware-type computer viruses are spread using quite traditional malware distribution techniques. When it comes to STOP/DJVU ransomware family, it seems to be spread using one main technique – illegal downloads. In fact, almost all victims affected by variants of this ransomware family appear to catch this PC infection after downloading software or game versions including cracks or keygens. Some of the victims also reported downloading the malicious payload via KMSPico variants. Most of these files can be brought to the computer via peer-to-peer file sharing agents (uTorrent, BitTorrent and others). These programs aren’t dangerous themselves, but they do not check files for malware at all. The thing that worsens the situation and makes this distribution tactic extremely successful is that most computer users want to get paid software versions for free so bad so that they choose to ignore their security software alerts about potentially malicious downloads. The main issue here is that many people believe that antivirus programs falsely mark all downloads including cracks as dangerous, therefore there is nothing to be afraid of. Unfortunately, these aren’t false-alarms, and even if you notice nothing suspicious after installing the cracked software, it doesn’t mean things are okay. For example, you might get infected with silent malware such as RAT or a cryptocurrency miner. It goes without saying that if you want to keep your computer safe, you should only download programs from trustworthy and legitimate online sources. Therefore, if you are in need of specific software or game, make sure you go to its official developer’s website. All attempts to install paid products for free can end in a severe computer infection. Besides, software licenses rarely cost more than hefty ransom amounts demanded by cybercriminals. A widely known ransomware distribution technique is closely tied to email spam campaigns. The attackers typically get access to leaked email databases and use these to send deceptive emails for thousands of potential victims. In most cases, the attackers pretend to be someone from well-known companies sending an important document for the victim, such as invoice or missing/pending payment details. Another important thing to say is that the attackers are capable of injecting malicious scripts in various file formats nowadays. The message in such deceptive emails typically urges to open the attached invoice/missing payment/document and reply back shortly. To strengthen victim’s trust in such email, the attackers leverage email spoofing techniques. You can learn more about these techniques here. We strongly recommend you to be cautious when it comes to email attachments and only interact with emails that you expected to receive. If you click on links or attachments without thinking, your computer might get severely infected in no time. Finally, we must mention that other ransomware strains have been observed to distribute fake STOP/DJVU decryption tools hiding second ransomware payload in them. In other words, if you come across a deceptive decryption tool, opening it can execute second ransomware which will double-encrypt your files. One of such viruses that’s known for usage of this distribution technique is ZORAB.
Remove SSPQ ransomware virus and decrypt or repair your files
We kindly suggest you remove SSPQ ransomware virus from your computer using free instructions provided down below. To ensure a smooth virus’ removal procedure, stay careful and do not miss a step. Finally, we strongly recommend you to repair virus damage on your computer using software like RESTORO. Once SSPQ virus removal, we recommend you to take the following actions:
Report Internet crime case to an authority responsible for handling such incidents in your country. We have provided some references below this guide.Search for data backups if you have them. Make sure you use them only after completely deleting malware from your computer, or the backup might get encrypted as well.Use these instructions to decrypt or repair files affected by STOP/DJVU versions.We suggest changing all of your passwords (especially for accounts saved in browser) due to the Azorult’s activity.
OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove SSPQ ransomware virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove SSPQ ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt SSPQ files
Fix and open large SSPQ files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. SSPQ ransomware virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt SSPQ files, follow the given tutorial.
Meanings of decryptor’s messages
The SSPQ decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your SSPQ extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of SSPQ ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.