What is Qinynore?
The Qinynore trojan is destructive and malicious ransomware first discovered in September 2018. It is a variant of the Hidden Tear malware strain, an open-source trojan virus that has been modified and employed in various ransomware strains since first published to GitHub in August 2015.
The Hidden Tear software source code is still available to this day on GitHub; it began as a design project to create a ransomware-like file cryptor sample that is modifiable for specific purposes. Initially, the project was engineered with backdoor access allowing for the intentional bypass and removal of the ransomware if needed. The Qinynore variant maliciously removed this feature and instead encrypted the backdoor, making the source code extremely difficult to crack.
Qinynore only affects Microsoft Windows desktop and server products. The virus encrypts files on an infected Windows computer. It spreads via spamming and phishing campaigns using attachments with malicious embedded code. Encrypted data are modified to include the file extension “.anonymous.” Qinynore also replaces the infected computer’s desktop wallpaper with a file labeled “lol.jpg” that features an image commonly associated with the Anonymous hacking group.
Infected computers display a ransom note to the user explaining that the victim’s files have been encrypted and are being held for ransom. Instructions provide information about how to pay the ransom and the amount of time the victim has the pay it. As with most ransomware extortion, the payment demand is for bitcoin to a series of bitcoin wallets. Individuals that choose to pay the ransom are promised the decryptor tool to recover the infected files.
How does Qinynore infect users?
The Qinynore ransomware is spread through a basic spamming and emailing campaign targeting individuals, businesses, and organizations seemingly at random. Infection occurs when the targeted person inadvertently clicks to open rogue software attachments disguised within spoof emails, invoices, and Microsoft Word documents.
The ransomware also spreads through fake download sites, BitTorrent, illegitimate peer-to-peer sharing communities, and free software websites. Compared to other more advanced malware, Qinynore is a relatively primitive malware. That said, the AES-256 bit encryption method used will still effectively lock user’s files. If no backup is available and the encrypted data was indispensable, paying the ransom may be necessary to recover the files.
The ransomware targets Windows directories such as program files, all user profiles, and home drives. It targets files such as documents, music, pictures, video, and backup files.
How to protect yourself from Qinynore Ransomware
The best form of defense against any malware and ransomware is always to ensure that patch your Windows systems to the very latest security levels. Vendors like Microsoft release monthly security software updates directly from their in-house security teams who actively monitor trends in online security. Once discovered, vulnerabilities are usually patched quickly, which is why we always recommend you are running the latest version of Windows and your applications.
Ransomware such as Qinynore can only penetrate a computer network when a person activates a phishing link or malicious application. Thus, security experts and systems administrators must strongly consider the human element. Human error or ignorance is often the method used to activate the ransomware. Training staff and educating users to the risk of ransomware, how to handle phishing, whaling, and spoofing should form part of an education program compulsory to all employees.
Social engineering assessments should be conducted to test the susceptibility of personnel in opening phishing and spam email campaigns. Depending on the results of these assessments, additional training, engagement of management teams, and even dismissal could be considered for the very worst offenders.
Tips to protect yourself from Qinynore Ransomware
Below, we have compiled best practice tips on how to protect yourself from the Qinynore trojan outbreak. We recommend you follow these steps:
- Do not open email attachments if you do not know the sender and never share suspected emails.
- Do not open attachments from known senders until you can confirm the sender’s identity. This is achievable using verification tools in Microsoft Exchange and Outlook.
- Keep your antivirus software and operating system up to date; this is often the first line of defense on your computer system against ransomware.
- Back up your data often and keep your backups in a secure offsite location.
- Limit user account privileges and deny users the ability to install software on their laptop or computer system.
- Educate employees to stay informed and aware of the latest cybersecurity threats.
- Use multi-factor authentication; this can prevent the spread of malware around the computer network.
I’m infected by Qinynore Ransomware – What do I do?
We do not recommend that anyone automatically pays the ransom to recover your files, even if your critical data are infected. Paying ransoms can reinforce to threat actors that victims will pay and that spreading ransomware is profitable.
All other options should be carefully explored; ransom should only be paid as a last resort.
Several steps can be completed to remove the malware or get your files back. The best option is to restore your system from a good backup. This will roll back the system to a state prior to the infection, allowing you time to update your AV, patch the operating system, and delete the offending emails.
If no good backup is available, sometimes rolling back your system to a restore point before the ransomware infection is still possible. If you implement Volume Shadow Copies, you might be able to restore previous, unencrypted versions of your files.
For many years now, some strains of ransomware have deleted Volume Shadow Copies and restore points to prevent this restoration process from succeeding; however, with Qinynore, this process does not typically occur, allowing you to recover the system.
Tetra Defense (formerly Gillware) prioritizes restoration to get businesses back to where they were before the ransomware attack. We approach ransomware restoration and investigations simultaneously, so you return to normal operations at the same time you are getting answers about what happened.
Our teams are standing by to focus on what matters most: your business! We will survey the ransomware outbreak and perform an initial assessment; this will identify the course of action needed to fix the ransomware. We can, as a last resort, conduct ransom negotiation and, if necessary, can facilitate payment.
We remove the threat from your system and conduct malware scans and network threat hunting. Each incident is thoroughly investigated to learn from the ransomware attack. We work with you to discover the root cause of the event and to determine if any data was compromised or exfiltrated. Once the decryption keys are obtained, we decrypt the data and get systems restored to full functionality as quickly as possible.
Get Help with Qinynore Ransomware
If you’re ready to get help removing Qinynore ransomware from your critical systems, contact Tetra Defense’s incident response team today. We will reach out for an assessment and build a plan to get your systems up and running once again.