Security researchers have discovered a new ransomware strain named qkG that encrypts only Office documents and infects Word's default document template, so that it spreads to every other Word document opened through the same Office installation on the same computer.

The good news is that this ransomware is still under development and has not claimed any real-world victims yet.

Trend Micro security researcher Jaromir Horejsi spotted qkG at the start of the month in the mountain of suspicious files uploaded to Google's VirusTotal file scanner each day.

How qkG works

qkG is an oddity on the ransomware scene because it works very differently from similar threats. A typical qkG infection goes through the following steps:

Step 1: User downloads and opens infected Word document.

Step 2: User clicks through Word's security prompts ("Enable Editing", then "Enable Content"), which allows the macro attached to the document, in this case VBA code, to run.

qkG is entirely contained within the macro script, an oddity, since most ransomware threats only use macros to download and run their main binary.

Step 3: The qkG code runs, but nothing visible happens. This is because qkG attaches the malicious part of the macro code (the actual ransomware routine) to the document's close event (onClose, i.e. Word VBA's Document_Close handler), so it executes only when the user closes the Word file.

The qkG author might have gotten inspiration from a Locky campaign that took place over the summer that also used the onClose function inside Word macro scripts to download and run the Locky ransomware.

Step 4: The malicious code that runs after the user closes the infected Word file does the following:

⇛ Lowers several Office security settings so that macros run automatically without a prompt and Protected View is deactivated.
⇛ Appends the qkG macro code to Word's default document template (Normal.dotm), the template loaded for every new Word document.
⇛ Scrambles the current document's content with a simple XOR cipher.
⇛ Appends a ransom note at the end of the current document. It does not change the document's name or file extension. The ransom note is shown in the image below.

qkG ransom note
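The settings qkG lowers in Step 4 are ordinary Word Trust Center values stored under HKCU, so they can be audited from a `reg export` of the user's hive. The following is an added example written for this article, not qkG's own code or Trend Micro's: it parses the `.reg` export format and flags the values that mean "macros run without a prompt", "macros may rewrite other VBA projects" (the access a macro needs to modify Normal.dotm) and "Protected View disabled". The value names are Office's documented ones; which of them qkG actually writes is not listed on the page, so treating all five as indicators is this example's assumption, and the sample export is constructed.

```python
import re

# Office Trust Center values that, when set to the listed data, weaken Word's macro and
# Protected View defences. Which of these qkG sets is an assumption of this example.
WEAK_SETTINGS = {
    ("Word\\Security", "VBAWarnings"): (1, "all macros run without a prompt"),
    ("Word\\Security", "AccessVBOM"): (1, "macros may rewrite VBA projects, e.g. Normal.dotm"),
    ("Word\\Security\\ProtectedView", "DisableInternetFilesInPV"): (1, "Protected View off for downloaded files"),
    ("Word\\Security\\ProtectedView", "DisableAttachmentsInPV"): (1, "Protected View off for mail attachments"),
    ("Word\\Security\\ProtectedView", "DisableUnsafeLocationsInPV"): (1, "Protected View off for unsafe locations"),
}

# Constructed sample of what `reg export HKCU\Software\Microsoft\Office out.reg` produces
# on a machine whose Word settings have been weakened; Excel is left at its default (2 =
# disable macros with notification) to show that unrelated keys are not flagged.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView]
"DisableInternetFilesInPV"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Excel\\Security]
"VBAWarnings"=dword:00000002
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits: [key] headers and
    "name"=dword:hex value lines. Returns {(key, name): int}."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and key:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def audit_word_security(values):
    """Return (key, name, data, reason) for every value matching a weak setting,
    across all Office versions (14.0, 15.0, 16.0, ...) present in the export."""
    findings = []
    for (key, name), data in values.items():
        for (suffix, weak_name), (weak_data, reason) in WEAK_SETTINGS.items():
            if name == weak_name and key.lower().endswith(suffix.lower()) and data == weak_data:
                findings.append((key, name, data, reason))
    return findings


def read_live_word_security(versions=("16.0", "15.0", "14.0")):
    """Windows only: read the same values straight from HKCU via winreg, in the
    shape audit_word_security() expects. Returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    for ver in versions:
        for sub in ("Word\\Security", "Word\\Security\\ProtectedView"):
            path = "Software\\Microsoft\\Office\\%s\\%s" % (ver, sub)
            try:
                with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as k:
                    i = 0
                    while True:
                        try:
                            name, data, kind = winreg.EnumValue(k, i)
                        except OSError:
                            break
                        if kind == winreg.REG_DWORD:
                            values[("HKEY_CURRENT_USER\\" + path, name)] = data
                        i += 1
            except OSError:
                continue
    return values


if __name__ == "__main__":
    for key, name, data, reason in audit_word_security(parse_reg_export(SAMPLE_REG)):
        print("%s\\%s = %d: %s" % (key, name, data, reason))
```

Run against a real export, or swap `parse_reg_export(SAMPLE_REG)` for `read_live_word_security()` on the affected machine. A hit on `AccessVBOM` together with `VBAWarnings = 1` is the combination a self-propagating macro needs, and neither is a default.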

Self-replicating behavior poses a problem

The biggest problem with qkG is that it modifies the default template (Normal.dotm) and appends a copy of itself to it. From then on, every time the user starts Word, the modified template is loaded together with its malicious code, so the ransomware runs against any other file the user opens and encrypts those files as well.

If the user shares one of these documents with other users and they enable macros, their Word instances become infected as well.
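Because the infection lives in the default template, the first triage question on a suspect machine is whether Normal.dotm carries a VBA project at all. The check below is an added example written for this article, not qkG's or Trend Micro's code: a macro-enabled OOXML file (.dotm/.docm) is a ZIP whose `word/vbaProject.bin` part holds the macros, so its presence, and a hash of it for comparison across machines, can be read with nothing but the standard library. The sample templates are constructed in memory; a real template found to contain a VBA project still has to be inspected, since users legitimately keep macros there.

```python
import hashlib
import io
import os
import zipfile

# OOXML part that holds a document's or template's VBA macros.
VBA_PART = "word/vbaProject.bin"


def has_vba_project(source):
    """True if the OOXML file (path or file-like object) carries a VBA project.
    Non-ZIP input (legacy .dot/.doc) needs a different parser and returns False here."""
    try:
        with zipfile.ZipFile(source) as z:
            return VBA_PART in z.namelist()
    except zipfile.BadZipFile:
        return False


def template_report(source):
    """Summarise the template: does it have macros, and what is the VBA project's hash
    (the same trojanised Normal.dotm on several machines yields the same hash)."""
    with zipfile.ZipFile(source) as z:
        names = z.namelist()
        vba = VBA_PART in names
        digest = hashlib.sha256(z.read(VBA_PART)).hexdigest() if vba else None
    return {"has_vba": vba, "vba_sha256": digest, "parts": len(names)}


def default_template_path():
    """Where Word keeps the per-user default template on Windows."""
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Templates", "Normal.dotm")


def build_sample(with_vba):
    """Constructed minimal template: a .dotx-like ZIP, optionally with a VBA part.
    The vbaProject.bin content is a placeholder, not a real OLE stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder vba project")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("macro-enabled", build_sample(True))):
        print(label, template_report(sample))
    path = default_template_path()
    if os.path.isfile(path):
        print(path, template_report(path))
```

On a live machine, compare the reported hash with that of a known-good Normal.dotm (or simply delete the file; Word recreates a clean one at next start once macros are no longer running).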

The good news is that the XOR-based encryption is trivial to reverse. Current versions of the qkG ransomware come with a hardcoded decryption key of "I’m QkG@PTM17! by TNA@MHT-TT2".
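To show why a simple XOR scramble with a hardcoded key is no real protection, here is an added example for the XOR step of Step 4 and the key above; it is written for this article and is not qkG's VBA. It assumes the scramble is repeating-key XOR over the document bytes and that the key is the string quoted above encoded as UTF-8 (how qkG actually handles bytes in VBA is not described on the page). It decrypts with the known key, and then recovers the key without knowing it, from the cipher's period and a short stretch of known plaintext. The sample document is constructed.

```python
# Key as quoted in the article; UTF-8 encoding of it is this example's assumption.
KEY = "I’m QkG@PTM17! by TNA@MHT-TT2".encode("utf-8")

# Constructed sample document content (plain text stands in for the Word document body).
SAMPLE_DOC = (
    b"Quarterly report for the regional sales team. Revenue grew in the northern "
    b"district while the coastal offices missed their targets by a small margin. "
    b"Management has asked every branch to submit updated forecasts before the "
    b"end of the month so that the budget can be finalised ahead of the board meeting. "
    b"Please review the attached figures and send corrections to the finance office."
)


def xor_repeating(data, key):
    """XOR data with a repeating key. Symmetric: applying it twice restores the input,
    which is why the same hardcoded key both 'encrypts' and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_len(ciphertext, max_len=64):
    """Estimate the key period without the key: bytes of ciphertext compared at a shift
    equal to the key length coincide as often as plaintext bytes do (text is highly
    non-uniform), whereas other shifts look close to random."""
    best_len, best_score = 1, -1.0
    for period in range(1, max_len + 1):
        pairs = len(ciphertext) - period
        if pairs <= 0:
            break
        matches = sum(1 for i in range(pairs) if ciphertext[i] == ciphertext[i + period])
        score = matches / pairs
        if score > best_score:
            best_len, best_score = period, score
    return best_len


def recover_key(ciphertext, known_plaintext, offset, key_len):
    """Recover the key from known plaintext: each plaintext byte XORed with its
    ciphertext byte reveals one key byte, so key_len contiguous known bytes reveal all of it.
    A ransom note appended in the clear, or a document's boilerplate, is enough."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytearray(key_len)
    for i, p in enumerate(known_plaintext):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ p
    return bytes(key)


def decrypt_without_key(ciphertext, known_prefix):
    """Full recovery path an analyst would take: guess the period, derive the key from a
    known prefix, decrypt. A multiple of the true period still yields a working key."""
    period = guess_key_len(ciphertext)
    key = recover_key(ciphertext, known_prefix[:period], 0, period)
    return key, xor_repeating(ciphertext, key)


if __name__ == "__main__":
    scrambled = xor_repeating(SAMPLE_DOC, KEY)
    print("decrypts with hardcoded key:", xor_repeating(scrambled, KEY) == SAMPLE_DOC)
    key, plain = decrypt_without_key(scrambled, SAMPLE_DOC[:64])
    print("recovered key:", key.decode("utf-8", "replace"))
    print("decrypts with recovered key:", plain == SAMPLE_DOC)
```

The second path matters beyond this sample: even if a later qkG build changed the key, a victim with one file and a copy of its original (or the fixed header of any Office file) could recover the key in a few lines, which is what "trivial to reverse" means here.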

qkG is a work in progress

In Trend Micro's qkG report, Horejsi says he spotted different versions of this ransomware uploaded over time on VirusTotal.

Each version contained new features, some of which are now being used by the latest version, while others remained inactive, or have been removed.

It is quite evident that qkG is an in-dev ransomware because first versions didn't even include a Bitcoin address where users could pay the ransom fee.

Subsequent versions added a decryption routine, but it was never activated in the code. This means that if qkG were to infect real-world users, the ransomware itself would not be able to decrypt the affected files.

Another feature that was never activated is an encryption routine that targeted data stored in the user's clipboard. One other qkG version only encrypted files at a specific day of the week and at a specific time.

Author based in Vietnam?

Based on evidence Horejsi found in the qkG samples, the malware author goes by the name of TNA-MHT-TT2 and appears to be based in Vietnam.

qkG code contained Vietnamese words and the qkG samples were all uploaded on VirusTotal by a user with a Vietnamese IP address.

While qkG has not been seen in live infections just yet, "qkG’s unique use of malicious macros is still notable," according to Horejsi, "and like other ransomware families, we expect this technique to be rehashed, broadened, and repurposed for other cyberattacks."

Image credits: Yuvika Koul, Satisfactory, Bleeping Computer, Trend Micro