EQ ransomware is another cryptovirological strain discovered by malware hunters this week. Ransomware removal experts dissecting the strain have told us that, as soon as it infiltrates a system, the script places a ‘twitchru.exe’ file on the affected machine. The purpose of this file is to control and monitor the encryption in real time. The experts are, however, still not sure which encryption method the attackers use.
According to preliminary investigations, EQ ransomware encrypts every type of file on the targeted device and appends the ‘gsg’ extension to them. Once encryption is complete, a ransom note in HTML format appears on the screen. The EQ ransomware operators do not state the extortion amount in the note, but they offer free decryption of one file to prove that they hold the decoder needed for complete ransomware removal.
The second part of the note is rather interesting: the attackers warn victims not to use any security software to attempt ransomware removal and recovery, because doing so can lead to permanent loss of data. It is, in fact, true that applying the wrong decryption method to encrypted files can corrupt them, so instead of wrestling with locked-down files on your own it is better to turn to security experts. The EQ operators also ‘advise’ victims not to contact any third party for ransomware removal, claiming such parties will rip them off.
Experts are still working to find out whether EQ deletes the Shadow Volume Copies. If these copies are deleted, the user cannot retrieve earlier versions of the encrypted files from within the affected device.
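The details reported above (the ‘gsg’ extension, the HTML ransom note, the ‘twitchru.exe’ file and the open question about Shadow Volume Copies) are what an incident responder would check first on a suspected host. The PowerShell triage script below is an added example written for this page, not code from the article or from the researchers it quotes. It assumes a default scan root of `C:\Users` and a five-minute window around the first encrypted file for locating the note; both are placeholders to adjust per case. It only reads and reports, so the host stays intact for forensics.

```powershell
# Added triage example (not from the original article). Scopes an EQ-style
# infection on a Windows host using only the indicators reported on the page.
# Assumptions: $ScanRoot and the 5-minute note window are placeholders.
param(
    [string]$ScanRoot     = 'C:\Users',
    [string]$EncryptedExt = '.gsg',        # extension reported for encrypted files
    [string]$DroppedFile  = 'twitchru.exe' # file name reported as placed by the strain
)

# 1. Find files carrying the reported extension and group them by the first
#    folder under $ScanRoot, to see which profiles or shares were touched.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $EncryptedExt }

Write-Host "Encrypted files found: $($encrypted.Count)"
$encrypted |
    Group-Object { $_.FullName.Substring($ScanRoot.Length).TrimStart('\').Split('\')[0] } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Look for HTML files written around the time encryption started; the note
#    is reported to be an HTML file shown once encryption completes.
if ($encrypted) {
    $firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    Write-Host "Earliest encrypted file written at: $firstHit"
    Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.html, *.htm -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $firstHit.AddMinutes(-5) } |
        Select-Object FullName, LastWriteTime, Length |
        Format-Table -AutoSize
}

# 3. Report whether Volume Shadow Copies still exist. An empty list on a host
#    that had System Protection enabled suggests they were removed.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
Write-Host "Shadow copies present: $(@($shadows).Count)"
$shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize

# 4. Check whether the reported dropped file is currently running. Read-only:
#    record the process for the case file rather than terminating it here.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ((Split-Path $_.Path -Leaf) -ieq $DroppedFile) } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that other users' profiles and the WMI shadow-copy class are readable; a non-empty shadow copy list is the signal that earlier file versions may still be recoverable, which is exactly the point left open in the text above.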
Compromised Remote Desktop Protocol access and phishing emails are the most common distribution methods currently used by ransomware operators, so the EQ operators will also be using one of these two.