Qkg Ransomware: A New Vicious Threat To Look Out For

According to IT specialists from Trend Micro Cyber Safety Solutions Qkg Ransomware is a self-replicating and document-encrypting threat. Apparently, it targets only Microsoft Word documents, although it seems it can only encipher such data if it is opened. In other words, if you ever encounter it you should hope you will not be working with your most important documents at such moment. However, so far the malicious application appeared to be still in the development stage, and there were no reports about it being spread among computer users. It means you might still have time to learn about Qkg Ransomware and secure the system before the malware’s creators start distributing it. To achieve this, we invite you to read the rest of our article as further in it we will both explain more details about the threat and also discuss the ways how one could guard the system against it.

One of the worst things about the malicious application is that it encrypts the opened Microsoft Word document only the moment it is closed. To be more precise, the user may have to open such a file again to realize it has been enciphered. As a consequence, the infected data then can be unknowingly sent to another user, and upon its launch, the other computer would get infected too. The question is how the document gets affected in the first place?


Researchers say Qkg Ransomware is “one of the few file-encrypting malware written entirely in Visual Basic for Applications (VBA) macros.” Plus, it appears to be “one of the few that uncommonly employs malicious macro codes.” Macro is a programming language that can be embedded inside an application and programs like Microsoft Word allow macro programs to be inserted in documents so when they are opened the macro gets launched automatically. Once, the victim launches Qkg Ransomware’s macro; it gets Microsoft Word security settings reduced and then infects the Microsoft Word Normal Template (normal.dot) which is used for all new blank documents. Then the malicious application should create a particular macro command to make the infected files carry a copy of it set to autostart with the launch. This is how new devices can get infected.

Furthermore, as it was explained earlier the document should get enciphered only after being closed, although there were other malware’s versions that encrypted the text on a set day and time instead. Since the infection does not look finished yet; later there could be different variations as well. The Trend Micro Cyber Safety Solutions IT specialists who learned about the threat first are saying Qkg Ransomware encrypts the document’s contents with “a very simple XOR cipher.” This could change in the future, but for now, the used encryption key is always the same and apparently it is even included in each enciphered document.

Unlike other malicious file-encrypting applications, Qkg Ransomware does not change encrypted file’s title or mark it with an additional extension. In fact, it does not even create a document or an image to show its victim a ransom note. Instead, the malware places a short message among the enciphered Microsoft Word document’s contents. It would seem the asked price for a single file’s decryption is 300 US dollars. As usual, the hackers behind the infection ask it to be paid in Bitcoins as they provide a particular Bitcoin wallet address. Needless to say, there are no guarantees these people would keep up with their promise and deliver decryption tools. Thus, provided the threat starts distributing, we would advise its victims not to take any chances.

On the other hand, there is something all users can do to protect their data in case of an emergency, such as encountering Qkg Ransomware or other malicious applications alike. What we have in mind is regular data backups. The copies can be stored on removable media devices, cloud storage, etc. There are even programs that backup user’s files automatically, so there are quite a few options to choose from. Additionally, it is advisable to strengthen the computer itself because it is more difficult to infect a system when it has fewer vulnerabilities. First of all, it would be a good idea to change weak passwords and update the operating system or other outdated software. Then you should always be cautious with Spam emails or other unreliable files downloaded from the Internet. Lastly, another thing that could help users keep their systems secure would be a legitimate antimalware tool. Just do not forget such a tool must always be up to date just like the rest of the software or else it may not be able to recognize newer threats.


  1. Jaromir Horejsi. qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware. The Trend Micro Cyber Safety Solutions.
  2. Macro virus. Wikipedia.