ランサムウェア

縫った (.縫った) ランサムウェアウイルスの除去 & ファイルの復号化

QEPIウイルスとは何ですか?

QEPI は STOP/Djvu ランサムウェアの一種, コンピュータ上のファイルを暗号化します, making them inaccessible. It targets a variety of file types, appending a “.縫った” extension to them, which renders the files unusable without a decryption key.

After infecting a system, Qepi demands a ransom in Bitcoin for decrypting files. Victims find a_readme.txtguide on desktops and within folders that instructs them on how to make the payment, though payment does not guarantee recovery.

The virus employs the Salsa20 encryption algorithm, which complicates decryption efforts without the attacker’s cooperation. しかし, if Qepi cannot connect to its server before starting the encryption, it uses a standard offline key, offering a potential avenue for decryption.

Below, an image shows the appearance of encrypted files, marked by the “.縫った” extension:

Qepi ransomware: 感染したPC

Qepi ransomware: 感染したPC

名前Qepi Virus
Family 1STOP/Djvu Ransomware
Extension.縫った
Ransomware note_readme.txt
RansomFrom $499 to $999 (in Bitcoins)
Contactsupport@freshingmail.top, datarestorehelpyou@airmail.cc
Symptoms
  • Encrypts most of your files (photos, videos, documents) and adds a particular “.縫った” extension;
  • Deletes Volume Shadow copies to make attempts to restore data impossible for the victim;
  • Adds a list of domains to the HOSTS file to block access to certain security-related sites;
  • Installs a password-stealing Trojan on the system, like Vidar Stealer or RedLine Stealer;
  • Manages to install a SmokeLoader backdoor;
RecoveryStart recovery with a comprehensive antivirus scan. Although not all files may be recoverable, our guide outlines several potential methods to regain access to encrypted files.

Qepi Virus Overview

Qepi ransomware executes a set of procedures on a victim’s computer upon arrival. It launches winupdate.exe as one of the initial processes, which displays a fraudulent Windows update prompt during the attack to convince the victim their PC is slowing down due to a Windows update.

その間, the ransomware runs another process (named with 4 random chars), which begins scanning the computer for target files and encrypting them. It then removes Volume Shadow Copies from the system using the following CMD command:

vssadmin.exe Delete Shadows /All /Quiet

Once removed, it becomes impossible to retrieve the computer’s previous state using System Restore Points. The ransomware operators eliminate any built-in Windows approaches that could help the victim restore files for free. さらに, they modify the Windows HOSTS file by adding a list of domains to it, redirecting them to the localhost IP, which results in a DNS_PROBE_FINISHED_NXDOMAIN error when the victim tries to open one of the blocked websites.

We’ve observed that the ransomware tries to restrict websites from publishing various how-to guides for computer users. Clearly, by limiting specific domains, the attackers attempt to prevent victims from accessing relevant and helpful online information related to ransomware attacks. The virus also stores two .txt files on the victim’s computer providing attack-related information – the public key of this victim and a personal ID, named bowsakkdestx.txt and PersonalID.txt.

After all these modifications, the malware doesn’t stop. Variants of STOP/DJVU often deploy the Vidar password-stealing Trojan on compromised systems, a threat with a vast list of capabilities, including:

  • Infiltrating and executing malware on the victim’s computer to gain unauthorized access.
  • Obtaining unauthorized access to login credentials of Steam, Telegram, and Skype.
  • Manipulating and viewing files on the victim’s computer without their consent.
  • Stealing cryptocurrency wallets from the victim’s system.
  • Granting the hackers remote control over the victim’s computer for various malicious purposes.
  • Extracting sensitive information such as browser cookies, saved passwords, and browsing history.

The cryptography algorithm in STOP/Djvu ransomware is Salse20. So, once it encrypts your data with an online decryption key, the chances of getting your files back become quite low. This key is unique for each victim, and finding a suitable one would take an impractical amount of time.

Retrieving the online key in another way is also nearly impossible. The hackers spread the Qepi infection on the server where it is stored. To receive the decrypting code, the payment should be $999. For payment details, the victims must contact the hackers by email (support@fishmail.top).

Ransom Note: _readme.txt

Ransom Note: _readme.txt

How To Remove?

Remove Qepi Virus with Gridinsoft Anti-Malware

それ以来、当社のシステムでもこのソフトウェアを使用しています。, ウイルスの検出には常に成功しています. It has blocked the most common Ransomware as 私たちのテストから示された ソフトウェアを使って, and we assure you that it can remove Qepi Virus as well as other malware hiding on your computer.

Gridinsoft アンチマルウェア - メインスクリーン

Gridinsoft を使用して悪意のある脅威を削除するには, 以下の手順に従ってください:

1. まずは Gridinsoft Anti-Malware をダウンロードしてください, 下の青いボタンから、または公式ウェブサイトから直接アクセスできます グリディンソフト.com.

2.Gridinsoft セットアップ ファイルが完成したら (setup-gridinsoft-fix.exe) ダウンロードされています, ファイルをクリックして実行します. Follow the installation setup wizard's instructions diligently.

Gridinsoft セットアップ ウィザード

3. にアクセスしてください "スキャンタブ" on the application's start screen and launch a comprehensive "フルスキャン" コンピュータ全体を調べるには. この包括的なスキャンはメモリを網羅します。, スタートアップアイテム, レジストリ, サービス, 運転手, そしてすべてのファイル, 考えられるすべての場所に隠されたマルウェアを確実に検出する.

Scan for Qepi Virus Ransomware

我慢して, as the scan duration depends on the number of files and your computer's hardware capabilities. この時間をリラックスしたり、他のタスクに集中したりするために使用してください.

4. 完了時に, マルウェア対策は、PC 上で検出されたすべての悪意のあるアイテムと脅威を含む詳細なレポートを表示します。.

The Qepi Virus was Found

5. レポートから特定された項目をすべて選択し、自信を持って "今すぐ掃除してください" ボタン. この操作により、悪意のあるファイルがコンピュータから安全に削除されます, さらなる有害な行為を防ぐために、それらをマルウェア対策プログラムの安全な隔離ゾーンに転送します。.

The Qepi Virus has been removed

6. プロンプトが表示された場合, コンピュータを再起動して、システム全体のスキャン手順を完了します。. このステップは、残っている脅威を確実に完全に除去するために重要です。. 再起動後, Gridinsoft Anti-Malware が開き、次のことを確認するメッセージが表示されます。 スキャンの完了.

Gridinsoft は 6 日間の無料トライアルを提供していることを忘れないでください. つまり、無料の試用期間を利用してソフトウェアの利点を最大限に体験し、システムでの今後のマルウェア感染を防ぐことができます。. Embrace this opportunity to fortify your computer's security without any financial commitment.

Video Guide

How To Decrypt .qepi Files?

First, try deleting the “.縫った” extension from a few big files and then opening them. This malware struggles with the encryption of large files. The virus either failed to lock the file upon access or encountered a bug and omitted to add the file marker. If your files exceed 2GB in size, the latter scenario is more probable.

Criminals released the newest extensions around the end of August 2019 after making several changes.

The changes by the criminals rendered STOPDecrypter unsupported, leading to its replacement with the Emsisoft Decryptor for STOP Djvu Ransomware developed by Emsisoft.

  1. Download and Run the Decryption Tool: Download decryption tool. Ensure you run the decryption utility as an administrator and agree to the license terms that appear by clicking theYes” ボタン. Upon accepting the license terms.
  2. Select Folders for Decryption: The decryptor, by default, automatically selects directories on connected and network drives for decryption. Use theAddbutton to select additional locations. Depending on the malware family, decryptors offer various options, which you can toggle on or off in the Options tab. Below, you will find a detailed list of the currently active options.
  3. Initiate Decryption by Clicking on theDecryptButton. After adding all desired locations to the list, click theDecryptbutton to start the decryption process. The decryptor will inform you upon completing the decryption process. If needed for documentation, you can save the report by clicking theSave log” ボタン. It’s also possible to copy the report to your clipboard for pasting into emails or messages.

How to Restore .qepi Files?

場合によっては, ransomware fails to encrypt your files

The Qepi ransomware encryption process involves encrypting each file byte-by-byte, creating a duplicate, and then deleting (not overwriting) the original file. This deletion means the physical disk no longer lists the file in its system, although the original file remains on the drive. The sector that held the file might still contain it, but since the system does not list it, new data can overwrite it. しかし, special software can recover your files.

Solution 1Solution 2
This virus managed to bypass two antivirus programs and two malware fighters and infect my PC.

Realizing it was an online algorithm, I knew recovering my encrypted files was impossible. My backup drive, connected during the infection, seemed infected as well. Every folder on my backup drive appeared encrypted. Despite this, I managed to recover nearly 80% of my 2TB storage.

Examining the folders, I found ransom notes in each. Opening some revealed that only files not in subfolders were encrypted. Delving into subfolders in other folders, I discovered unencrypted files. Unlike my C and D drives where every folder, including subfolders, was encrypted, my backup drive’s subfolders saved 80% of my data.

I consider finding this loophole on my backup drive fortunate. さらに, I recovered another 10% of my data from a hard drive on a different PC. Thus, my advice for using a backup drive is to create subfolders. It was partly luck, but also misfortune that the virus struck during file transfers from my backup.

I hope this experience can assist others in similar predicaments.

Jamie Newland
Here are some tips for Qepi file recovery and repair (applicable to all STOP/DJVU variants):

  • Check deeper nested folders since some Stop/Djvu variants fail to encrypt them, leaving them unencrypted.
  • Since this ransomware saves encrypted data to a new file and deletes the original, there’s a chance to recover parts of the deleted file using file recovery software. Although restoring the folder structure is unlikely, a tool like PhotoRec might work well.
  • The ransomware partially encrypts files (about the first 150 KB), making it possible to recover the non-encrypted portion depending on the file size and type.
  • Joep
    ブレンダン・スミス
    ブレンダン・スミス
    ITセキュリティ専門家
    Try to use the GridinSoft Anti-Malware
    Do not forget to share your experience in solving the problem. Please leave a comment here! This can help other victims to understand they are not alone. And together we will find ways to deal with this issue.
    マルウェア対策
    Gridinsoft Anti-Malware の 6 日間トライアルが利用可能.
    EULA | プライバシーポリシー | 10% オフクーポン

    Recover Qepi Files with PhotoRec

    PhotoRec, designed for file recovery from damaged disks or accidental deletion, now supports restoring 400 file types, making it useful after a Qepi attack.

    First, download PhotoRec. It’s free, but the developer offers no guarantee for file restoration. PhotoRec comes packaged with TestDisk, another tool from the same developer, under the TestDisk name. しかし, PhotoRec is included within the archive.

    To start PhotoRec, open the qphotorec_win.exe file. No installation is necessary as the program contains all required files, allowing it to run from a USB drive.

    1. My files are encrypted by ransomware, what should I do now?

    著者について

    ブレンダン・スミス

    I'm Brendan Smith, 情熱的なジャーナリスト, 研究者, および Web コンテンツ開発者. コンピュータテクノロジーとセキュリティに強い関心がある, 私は、読者がデジタル環境をナビゲートできるように教育し、力を与える高品質のコンテンツを配信することを専門としています。.

    コンピューターテクノロジーとセキュリティに重点を置く, 私は、個人や組織がデジタル時代に身を守るのを助けるために、私の知識と洞察を共有することに尽力しています。. サイバーセキュリティ原則に関する私の専門知識, データのプライバシー, ベスト プラクティスにより、読者がオンライン セキュリティを強化するために実践できる実践的なヒントやアドバイスを提供できます。.

    コメントを残す