Remove Qwex Ransomware (+File Recovery)

How to Remove Qwex Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail backdata@qq.com
Write this ID in the title of your message 1E857D00
In case of no answer in 24 hours write us to theese e-mails:dta@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

There’s a new ransomware, plaguing users. And, it goes by the name Qwex. It derives from the extension, you get stuck with, after it strikes. Let’s elaborate. Qwex is a new variant of the Dharma menace. It uses slyness to invade your system, then corrupts it. The tool uses cryptography algorithms to lock your data, and take it hostage. It encrypts every single file, you have. And, demands payment for their release. It’s a classic ransomware extortion scam. Once the tool settles on your system, its programming kicks in. You discover your archives, photos, videos, documents, everything, locked. A picture called ‘yes.jpg‘ turns into ‘yes.jpg.id-1E857D00.[backdata@qq.com].qwex.’ After the extension is in place, that’s it. Your data gets rendered inaccessible. And, the only way to change that, is via unique decryption key. Of course, to get it, you have to pay the price. The exact ransom amount isn’t specified. But it tends to be in Bitcoin, and varies anywhere between $500 and $1000, or even more. There’s no limit to the greed of the cyber kidnappers. Don’t forget that. You’re dealing with malicious extortionists. Cyber criminals, who wish to profit off of you. Ask yourself. Can you trust these people to keep their word, and follow through with their promises? The answer is ‘No.’ You can’t. So, don’t! Don’t sen these people a dime. Don’t contact them. Compliance is a risk that brings no positives, so don’t take it.

How did I get infected with?

Ransomware, like Qwex, are pretty sneaky. They turn to the usual trickery, when it comes to invasion. Hiding behind freeware, spam emails, corrupted torrents, fake updates. They have quite a few options to choose from, and try to invade. It’s up to you to prevent the tool’s success. Here’s the thing. These types of threats need your carelessness to infiltrate. They need you to rush, and give into naivety. To leave your fate to chance, and not do any due diligence. They need you to choose carelessness over caution. Don’t. Vigilance helps you catch infections in the act of attempting invasion. And, prevent them from doing so. The lack thereof leads to them slipping by you, unnoticed. Carelessness has consequences. Make sure to take your time, and be thorough. Even a little extra attention can save you a ton of troubles.

Why is Qwex dangerous?

Once Qwex places your files under lock-down, it leaves you a not. It’s a text file, called “FILES ENCRYPTED.txt.” And, it contains instructions for you to follow. It’s pretty standard. The tool explains your situation, and gives you a way out. Supposedly, if you complete its requests, you’ll get your files unlocked. It wants you to contact the cyber kidnappers via email. The same one, you can see in the extension. It expects you to write them within the first 24 hours of encryption. And, claims that, if you do, you’ll pay less. The ransom amount increases the more time passes. That’s yet another tactic to get you to act against your best interests. Do NOT fall for it, and don’t pay! There aren’t enough ways to stress that! Think about it. You have ZERO guarantees that compliance gets you anything. All, you have to go on is the extortionists’ promise. “Free decryption as guarantee.” That’s hardly enough. Examine your options. If you pay the price, you’re left waiting to get the decryption key. What if you don’t? Or, what if you get one that fails to work? And, even if you get the right one, don’t rejoice. You paid to remove a symptom, not the infection. So, even if you do unlock your data, the ransomware still lurks on your PC. And, it’s free to strike again, and put you back to square one. Heed experts’ advice. Don’t pay the ransom.

Qwex Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Qwex Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

• Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
• Locate the process of the ransomware. Have in mind that this is usually a random generated file.
• Before you kill the process, type the name on a text document for later reference.

• Locate any suspicious processes associated with Qwex encryption Virus.
• Right click on the process
• Open File Location
• End Process
• Delete the directories with the suspicious files.
• Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

• Open any folder
• Click on “Organize” button
  
• Choose “Folder and Search Options”
• Select the “View” tab
• Select “Show hidden files and folders” option
• Uncheck “Hide protected operating system files”
• Click “Apply” and “OK” button

STEP 3: Locate Qwex encryption Virus startup location

• Once the operating system loads press simultaneously the Windows Logo Button and the R key.

• A dialog box should open. Type “Regedit”
• WARNING! be very careful when editing the Microsoft Windows Registry as this may render the system broken.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

• and delete the display Name: [RANDOM]

• Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

• Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

• Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
• Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.