A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file's name.
It goes without saying, that GnuPG is a legitimate programs being illegally used by the Qwerty Ransomware developers. While a ransomware using GnuPG to encrypt files is not unique as it has been done in the past with
VaultCrypt and
KeyBTC, it is not something that is commonly seen.
While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into computer running Remote Desktop Services. First discovered by
MalwareHunterTeam, we did not have the full package in order to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further.
How the Qwerty Ransomware encrypts a computer
The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG gpg.exe executable, the gnuwin32 shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program.
......
......
......
......
