Our research team has uncovered a new ransomware campaign we nicknamed ZQ. Its encrypted files carry the “.[w_decrypt24@qq.com].zq” extension, and its ransom note file is named “{HELP__DECRYPT}.txt”.
Multiple confirmed cases, including victims in the United States, India, Poland, Brazil and Great Britain, have been reported.
Our security team was quickly able to identify a flaw within the ransomware’s code that can be used to decrypt encrypted files — if you’re a victim of this ransomware, please follow the instructions below and DO NOT PAY the ransom.
Note: The ZQ decrypter to support the “.[w_unblock24@qq.com].ws” variant is now available.
Technical details
ZQ is ransomware that encrypts a victim’s files using the Salsa20 and RSA-1024 algorithms, and appends the extension “.[w_decrypt24@qq.com].zq” to each file.
The ransom note contains the following text:
All of _our files are encr_pted* to decr_pt them write me to email::w_decrypt24@qq.com
Your key:
[redacted]
Notes: To use the decrypter, you need an encrypted file and the original, unencrypted version of that file. In addition, the decrypter can only decrypt files up to the size of the given pair. E.g., encrypted/original file pair of 100MB = only files UP TO 100MB can be decrypted. More information regarding this limitation is explained in the HOWTO guide.
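One mechanism that would produce exactly this size limit is a stream cipher keystream reused across files: XORing a known original with its encrypted copy reveals the keystream, but only for as many bytes as the pair contains. The page does not describe the actual flaw, so keystream reuse is an assumption here; this added example is not Emsisoft's decrypter, it uses a SHAKE-256 stand-in keystream rather than Salsa20, and the key, nonce and file contents are constructed.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream generator (SHAKE-256), NOT Salsa20; any stream
    # cipher that repeats key and nonce behaves the same way below.
    return hashlib.shake_256(key + nonce).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so the result is truncated to it.
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key, nonce, len(data)))

def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    # plaintext XOR ciphertext = keystream, but only for the bytes we hold.
    if len(original) != len(encrypted):
        raise ValueError("pair must be the same file before and after encryption")
    return xor(original, encrypted)

def decrypt_with_pair(target: bytes, ks: bytes):
    # Returns (recovered prefix, number of trailing bytes still encrypted).
    n = min(len(target), len(ks))
    return xor(target[:n], ks), len(target) - n

# Constructed sample data: one key/nonce reused for every file (the assumption).
KEY, NONCE = b"constructed-key-0123456789abcdef", b"samenonce"
PAIR_ORIGINAL = b"known backup copy of a document".ljust(64, b".")  # 64-byte pair
SMALL = b"invoice 2024-03: total 1,250.00"   # shorter than the pair
LARGE = bytes(range(100))                     # longer than the pair

def demo():
    ks = recover_keystream(PAIR_ORIGINAL, encrypt(KEY, NONCE, PAIR_ORIGINAL))
    small = decrypt_with_pair(encrypt(KEY, NONCE, SMALL), ks)
    large = decrypt_with_pair(encrypt(KEY, NONCE, LARGE), ks)
    return small, large

if __name__ == "__main__":
    (small, small_left), (large, large_left) = demo()
    print("small file:", small, "bytes still encrypted:", small_left)
    print("large file: recovered", len(large), "bytes, still encrypted:", large_left)
```

Under this assumption, supplying the largest original/encrypted pair available maximizes how much of every other file can be recovered.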
Download the ZQ Ransomware Decrypter here to get started.
Have a great (malware-free) day.