erqw

[Content by Gemini 2.5]


Technical Breakdown – erqw Ransomware

(STOP/Djvu sub-strain)

1. File Extension & Renaming Patterns

  • Confirmed extension added: .erqw
  • Classic renaming convention:
    OriginalName.jpg → OriginalName.jpg.erqw
    (no e-mail address and no ID string in the filename; the victim’s “personal ID” is written into the ransom note only)

2. Detection & Outbreak Timeline

  • First public submissions to ID-ransomware & malware repositories: 25-27 Aug 2023.
  • Continuous, low-to-moderate volume distribution ever since; still active as of mid-2024 (new samples appear every few days).

3. Primary Attack Vectors

STOP/Djvu is delivered by loaders bundled with adware, software cracks and botnet installs; historically observed infection chains:

  • Masqueraded “software cracks”, “key-gens”, or “activators” for Adobe, MS Office, games, trading bots, etc., posted on YouTube comments, Discord & shady forums.
  • Pirated software on torrent sites bundled with the loader (the dropper silently fetches the erqw payload from a hard-coded CDN).
  • Secondary payloads:
    – Information-stealer (RedLine/Vidar) or clipboard crypto-stealer often delivered minutes later.
    – No current evidence of automatic network propagation/EternalBlue; purely user-initiated execution.
  • RDP is NOT the normal entry point for this family, although operators will exploit exposed RDP if stolen credentials are already available.

Remediation & Recovery Strategies

1. Prevention

  • Close the actual infection vector:
    – Do not launch pirated software or cracks; keep browsers and ad-blockers up to date to avoid poisoned search results.
  • Standard ransomware hygiene still matters:
    – 3-2-1 backups (three copies, two media, one off-line/off-site).
    – Application whitelisting, or at least Windows Defender “Controlled Folder Access” on Windows 10/11.
    – Disable Office macros; enable the ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” in Microsoft Defender.
    – Patch the OS and third-party software; STOP/Djvu no longer relies on CVEs, but the chained info-stealers do.
    – Network segmentation and EDR in corporate environments; a GPO that blocks executables launched from %Temp%\* and %AppData%\*.
    – Educate users about “free software cracks” – the single most effective control.
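The two Defender controls named in the list above (Controlled Folder Access and the prevalence/age/trusted-list ASR rule) can be audited and enabled from PowerShell. The script below is an added example, not part of the original write-up; it assumes Windows 10/11 with Microsoft Defender active, an elevated shell, and that the rule GUID matches Microsoft's current ASR reference (check it there before pushing the setting out by policy). The backup-tool path is a placeholder.

```powershell
# Added example (not from the original write-up): audit, then enable, the two
# Defender settings the prevention list refers to. Assumes an elevated PowerShell
# on Windows 10/11 with Microsoft Defender as the active AV.

# Microsoft's published id for "Block executable files from running unless they
# meet a prevalence, age, or trusted list criterion" (verify against the ASR reference)
$AsrPrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

function Get-RansomwareHardeningState {
    # Read-only: report how the relevant settings are currently configured.
    $p       = Get-MpPreference
    $ids     = @($p.AttackSurfaceReductionRules_Ids)
    $actions = @($p.AttackSurfaceReductionRules_Actions)
    $rule    = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrPrevalenceRule) {
            # Action codes as returned by Get-MpPreference
            $rule = switch ($actions[$i]) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($($actions[$i]))" } }
        }
    }
    [pscustomobject]@{
        ControlledFolderAccess = switch ($p.EnableControlledFolderAccess) { 0 { 'Disabled' } 1 { 'Enabled' } 2 { 'Audit' } default { "Other($($p.EnableControlledFolderAccess))" } }
        AsrPrevalenceRule      = $rule
        RealTimeMonitoring     = -not $p.DisableRealtimeMonitoring
    }
}

function Enable-RansomwareHardening {
    param(
        # Placeholder: the backup agent that must keep write access to protected folders
        [string]$BackupTool = 'C:\Program Files\YourBackupTool\backup.exe'
    )
    # Block unsolicited writes to Documents/Pictures/etc. by unknown binaries
    Set-MpPreference -EnableControlledFolderAccess Enabled
    # Block (not just audit) untrusted, low-prevalence executables such as freshly built droppers
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrPrevalenceRule -AttackSurfaceReductionRules_Actions Enabled
    if (Test-Path -LiteralPath $BackupTool) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $BackupTool
    }
}

Get-RansomwareHardeningState
```

Run the audit function first on a few representative machines; switch the ASR rule to AuditMode (instead of Enabled) for a week if the fleet runs unsigned line-of-business tools, then review the Defender event log before moving to block.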

2. Removal / Infection Cleanup

  1. Isolate the machine (pull network cable/Wi-Fi).
  2. Collect incident data (ID from ransom note, sample hash) before cleanup.
  3. Boot into Safe Mode with Networking (keeps the malware from re-starting).
  4. Run a reputable AV/EDR full scan (Microsoft Defender, Malwarebytes, ESET, Sophos, Kaspersky, etc.).
    – Detection names: Ransom:Win32/StopCrypt (MS), Trojan-Ransom.Win32.Stop (Kaspersky), etc.
    – Manually remove scheduled task (random GUID name) under \Microsoft\Windows\ that re-launches the payload.
  5. Delete the dropped executables (usually %AppData%\Local\Temp\winlogson.exe or similar random name).
  6. Check whether shadow copies survived: run vssadmin list shadows; if none are listed, the malware has already deleted them and recovery from Volume Shadow Copies is not possible.
  7. Only after a confirmed-clean scan, reconnect the PC and patch all software.
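The following read-only triage script supports steps 2, 4, 5 and 6 of the cleanup list. It is an added example, not code from the original write-up: it assumes Windows 10/11 with the ScheduledTasks module, an elevated shell (vssadmin needs it), and the extension and note name given on this page. It records evidence and points at what the later steps remove; it deletes nothing.

```powershell
# Added triage helper (example code, not from the original write-up). Read-only.
# Assumptions: Windows 10/11, Get-ScheduledTask available, elevated shell for vssadmin.

$Extension = '.erqw'          # extension from this write-up
$NoteName  = '_readme.txt'    # ransom-note name from this write-up
$GuidName  = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'
$UserDirs  = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }

# Step 2: locate encrypted files and ransom notes; the earliest write time bounds the infection.
$hits = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File `
            -Include "*$Extension", $NoteName -ErrorAction SilentlyContinue
$encrypted = @($hits | Where-Object { $_.Extension -eq $Extension })
$notes     = @($hits | Where-Object { $_.Name -eq $NoteName })
$first     = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1

"Encrypted files under profile : $($encrypted.Count)"
if ($first) { "Earliest encrypted write     : $($first.LastWriteTime) ($($first.FullName))" }
"Ransom notes found           : $($notes.Count)"
if ($notes.Count -gt 0) {
    # Hash one note and pull the personal-ID line for the incident record
    Get-FileHash -Algorithm SHA256 -LiteralPath $notes[0].FullName | Format-List Path, Hash
    Select-String -LiteralPath $notes[0].FullName -Pattern 'personal ID' | Select-Object -First 2 | Format-Table LineNumber, Line -AutoSize
}

# Step 4: scheduled tasks under \Microsoft\Windows\ with GUID-style names whose action
# launches from a user-writable folder (the persistence the write-up describes).
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    if ($task.TaskPath -notlike '\Microsoft\Windows\*' -or $task.TaskName -notmatch $GuidName) { continue }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if ($UserDirs | Where-Object { $exe -like "$_\*" }) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $exe
                Arguments = $action.Arguments
                OnDisk    = Test-Path -LiteralPath $exe
            }
        }
    }
}
if ($suspectTasks) { $suspectTasks | Format-Table -AutoSize } else { 'No GUID-named tasks launching from user folders.' }

# Step 5: executables written to the user temp folder within two hours of the first encryption
if ($first) {
    Get-ChildItem -Path $env:TEMP -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' -and
                       [math]::Abs(($_.CreationTime - $first.LastWriteTime).TotalHours) -le 2 } |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.FullName
                Created = $_.CreationTime
                SHA256  = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            }
        } | Format-Table -AutoSize
}

# Step 6: confirm whether any Volume Shadow Copies survived (requires elevation)
$shadows = & vssadmin.exe list shadows 2>&1
if ($shadows -match 'Shadow Copy ID') { $shadows } else { 'No shadow copies listed; VSS-based file recovery is not available.' }
```

Save the output (and the hashes) with the incident record before running the AV scan in step 4, because the scan will quarantine the very files you want to have hashed.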

3. File Decryption & Recovery

  • Universal decryption is NOT possible – erqw uses a secure offline-key/online-key scheme (RSA-2048).
  • HOWEVER, if a future takedown of the operators’ servers yields the master RSA key, Emsisoft can and will add it to the free STOP/Djvu decryptor (https://emsisoft.com/ransomware-decryption-tools/stop-djvu).
    – Run the tool and choose a pair of original/encrypted files; if it reports “Unknown offline ID” → no key yet.
  • File-repair alternatives when no key exists:
    – Media repair utilities (photorec, Stellar, DiskTuna) can reconstruct JPG/MP4 from file headers when the ransomware encrypted only the first 150 KB, but this largely works only for media ≥ 2 MB created before Aug 2019 – most 2023+ variants (including erqw) use full encryption.
    – Examine cloud sync (OneDrive, Google Drive “version history”), USB drives that were not connected at the time of infection, and Windows’ built-in “File History” backups.
    – Paying the ransom ($490–$980 in BTC) provides no guarantees; wallet clustering shows only ~25 % of paying STOP victims receive a working key.

4. Other Critical Information / Wider Impact

  • Ransom note file is always: _readme.txt (contains the operators’ two contact e-mail addresses).
  • The victim ID shown in the note tells the two cases apart:
    – t1 + 36 hex chars ... = offline ID → decryptable one day if the master key is leaked.
    – 0261 + 36 hex chars ... = online ID → unique RSA key, impossible without the operator’s help.
  • erqw packs identical functionality to earlier STOP variants (zaqi, wwhp, etc.) – only the extension and the embedded public key differ.
  • Because infection is user-triggered, small-office/home-office users remain the top demographic; corporate networks are rarely hit en masse except where users run cracks on work devices.
  • Aftermath: many victims also find their crypto wallets drained within 24 h because of the bundled info-stealer; rotate all stored passwords and crypto seed phrases after cleanup.

Bottom line: 1) stop using cracks, 2) maintain off-line backups, 3) keep the free Emsisoft decryptor on hand – when the master key appears, recovery becomes trivial. Stay safe, and don’t fund cyber-crime.