Qwerty Ransomware Utilizes GnuPG to Encrypt a Victim's Files


A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim’s files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victim’s files, overwrite the originals, and then append the .qwerty extension to an encrypted file’s name.

It goes without saying that GnuPG is a legitimate program being illegally used by the Qwerty Ransomware developers. While a ransomware using GnuPG to encrypt files is not unique, as it has been done in the past with VaultCrypt and KeyBTC, it is not something that is commonly seen.

While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into a computer running Remote Desktop Services. When it was first discovered by MalwareHunterTeam, we did not have the full package needed to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further.


How the Qwerty Ransomware encrypts a computer

The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG gpg.exe executable, the gnuwin32 shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program.

Qwerty Ransomware Package

The first file to be launched is the key.bat file. This file acts as the main launcher for the ransomware by executing various commands sequentially.

Batch File

When the batch file is executed, the keys will be imported as shown below.

Importing Keys

After the keys are imported, the batch file will launch run.js. This file will execute the find.exe program, which is the main ransomware component. When executing find.exe, it will specify a particular drive letter that it tries to encrypt.

JavaScript File

When find.exe is executed it will launch the following commands on the victim’s computer.

taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin

It will then begin to encrypt each drive on the computer by executing the following command when it encrypts a file:

gpg.exe --recipient qwerty  -o "%s%s.%d.qwerty" --encrypt "%s%s"

This command will encrypt the file using the imported public key and then save it as a new file under the same name, but now with the .qwerty extension appended to it. For example, test.jpg would be encrypted and saved as test.jpg.qwerty.

Encrypted Qwerty Files

When encrypting files, it will encrypt any file that does not contain the following strings:

Program Files

After it encrypts a file it will run the shred.exe file on the original file in order to overwrite it.

shred -f -u -n 1 "%s%s"

It should be noted that it only overwrites files once, so they may be recoverable with file recovery software. The use of only one wipe is a tradeoff between speed and securely deleting the file.

In each folder where a file is encrypted, it will create a ransom note named README_DECRYPT.txt, which contains instructions to contact cryz1@protonmail.com to receive payment instructions.
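
The command lines quoted above can be turned into simple detection logic over process-creation logs. The following is an added example, not code from the original article or from the researchers; the host names, sample events, rule names and severity levels are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One regex per behaviour, built from the command lines quoted in the article.
RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin.*delete\s+catalog", re.I),
    "gpg_encrypt": re.compile(r"gpg(\.exe)?\s.*--recipient\s.*--encrypt", re.I),
    "shred_original": re.compile(r"\bshred(\.exe)?\s+-f\s+-u\b", re.I),
}
INHIBIT = {"shadow_copy_delete", "recovery_disabled", "backup_catalog_delete"}

# Constructed sample events (host, command line); not from a real incident.
SAMPLE_EVENTS = [
    ("ws01", r'vssadmin.exe delete shadows /all /quiet'),
    ("ws01", r'wmic shadowcopy delete'),
    ("ws01", r'bcdedit.exe bcdedit /set {default} recoveryenabled no'),
    ("ws01", r'gpg.exe --recipient qwerty  -o "C:\docs\test.jpg.1.qwerty" --encrypt "C:\docs\test.jpg"'),
    ("ws01", r'shred -f -u -n 1 "C:\docs\test.jpg"'),
    ("ws02", r'gpg.exe --recipient alice -o report.gpg --encrypt report.txt'),
    ("ws03", r'vssadmin.exe list shadows'),
]

def match_rules(cmdline):
    """Return the names of all rules that match one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def score_hosts(events):
    """Aggregate rule hits per host and rate the combination seen there."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host] |= match_rules(cmdline)
    verdicts = {}
    for host, rules in hits.items():
        inhibit = rules & INHIBIT                      # recovery options removed
        wipe = {"gpg_encrypt", "shred_original"} <= rules  # encrypt, then overwrite
        if inhibit and wipe:
            verdicts[host] = "high"
        elif inhibit or wipe:
            verdicts[host] = "medium"
        elif rules:
            verdicts[host] = "low"   # e.g. ordinary gpg use on its own
    return verdicts

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
```

Correlating per host matters here because gpg.exe and shred.exe are legitimate tools: a single gpg encryption is rated low, while the encrypt-then-shred pair alongside shadow copy or recovery tampering is rated high.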
