What is Sqpc file (.Sqpc file extension)
.Sqpc file extension is associated with a new variant of the dangerous ransomware called STOP (Djvu). Although the ‘Sqpc’ variant was released recently, many users have already encountered the results of its malicious activity. It encrypts files located on the computer and renames them by appending the .sqpc extension to their names. All encrypted files become useless; their contents cannot be read without decryption. The criminals behind this ransomware demand a ransom in exchange for a unique key and decryptor, which can decrypt the files and restore access to their contents. Fortunately for all victims, a free Sqpc File Decrypt Tool is available that can decrypt .sqpc files. Scroll down to learn more about this decryptor and all ways to recover encrypted files.
What is Sqpc ransomware
Sqpc ransomware is a new malware that belongs to the STOP ransomware family. It encrypts files using a strong encryption algorithm. The virus uses a long key to encrypt files. This key is unique for each victim, therefore it excludes the possibility of using the same key to decrypt files on different computers. In some cases, when the virus cannot establish a connection to its command server (C&C), it uses the so-called ‘offline key’. This key is the same for all victims. And most importantly, the security researchers have found a way to determine this key.
Sqpc does not encrypt absolutely all files, as that would cause the computer to stop working. Therefore, it skips Windows system files as well as files named ‘_readme.txt’. All other files on the victim’s computer will be encrypted. It makes no difference where the files are located, on a hard drive or in cloud storage. If a disk was connected to the computer at the time of the ransomware attack, then all the files on it can be encrypted. Just as it does not matter to the Sqpc virus where the files are located, it also does not matter what type of files they are. Files of all common types can be encrypted, including the following:
.itm, .sum, .wbz, .bay, .wpl, .dwg, .crw, .rar, .kdb, .layout, .tor, .pfx, .wma, .lrf, .sav, .pem, .ysp, .iwd, .wpt, .hkdb, .dxg, .rtf, .wcf, .srw, .wire, .wbd, .ppt, .slm, .wgz, .hkx, .sql, .ibank, .itl, .wb2, .wsd, .jpeg, .mdbackup, .txt, .cr2, .menu, .zip, .wmf, .xyw, .flv, .kdc, .pkpass, .iwi, .m4a, .zi, .wp5, .ff, .esm, .png, .wn, .wp4, .webdoc, wallet, .ncf, .x3f, .apk, .epk, .hplg, .wmv, .cdr, .rb, .xxx, .desc, .0, .arw, .zw, .1, .qdf, .pdd, .m3u, .db0, .forge, .r3d, .wbk, .wpd, .fos, .docm, .wri, .js, .3ds, .mdf, .wmv, .zdb, .p7c, .eps, .wpg, .pdf, .xyp, .wbmp, .mrwref, .xls, .odp, .lvl, .xlsx, .z, .ods, .sidn, .xlsm, .wp6, .bkf, .icxs, .cas, .ntl, .wp7, .mdb, .sidd, .xbdoc, .p7b, .yml, .gdb, .x3f, .7z, .zabw, .arch00, .pef, .xlsm, .wmo, .tax, .t13, .kf, .litemod, .xml, .xf, .map, .odm, .xx, .orf, .crt, .1st, .itdb, .erf, .bkp, .blob, .bc7, .psd, .fpk, .re4, .xmmap, .cfr, .big, .xbplate, .upk, .wsc, .syncdb, .wpw, .rim, .m2, .mov, .xlsb, .mpqge, .dazip, .indd, .d3dbsp, .css, .dbf, .mef, .hvpl, .bik, .vdf, .y, .qic, .xls, .avi, .z3d, .vtf, .xld, .srf, .3dm, .xdl, .ltx, .p12, .snx, .dng, .bc6, .xlk, .wbm, .dcr, .sr2, .mp4, .raw, .svg, .yal, .wdb, .dba, .xy3, .lbf, .ai, .zip, .sb, .w3x, .2bp, .accdb, .xlgc, .das, .wpe, .ybk, .docx, .wmd, .vfs0, .webp, .asset, .bar, .ws, .pak, .wps, .rwl, .t12, .vpk, .xar, .x3d, .fsh, .jpg, .wav, .der, .wotreplay, .pst, .xdb, .wp, .wpb, .odt, .mlx, .sie, .zdc, .csv, .wdp, .wps, .gho, .bsa, .sid, .odc, .vpp_pc, .cer, .xmind, .vcf, .xlsx, .doc, .wm, .wpa, .psk, .nrw, .pptm, .3fr, .jpe, .py, .ztmp, .sis, .wbc, .x, .rgss3a, .zif, .pptx, .wma, .xpm, .dmp, .raf, .mddata, .mcmeta, .ptx, .wot, .xwp, .wpd
When the process of encrypting the victim’s files is completed, all documents, databases, pictures and other files will be encrypted, and thus the contents of these files will be locked. All encrypted files will receive a new name, which consists of their old name with the extension ‘.sqpc’ appended. For example, if the non-encrypted file had the name ‘document.docx’, then after encryption it will be called ‘document.docx.sqpc’. Sqpc virus places a file called ‘_readme.txt’ in each folder where there is at least one encrypted file.
This file contains a message from the Sqpc authors. They inform the victim that the files on the computer were encrypted and offer to sell a unique key and decryptor. According to them, this is the only way to decrypt files encrypted by the ransomware and thus restore access to their contents. The criminals demand $980 from the victim, but agree to take half the amount if the victim transfers it within 72 hours. Since the attackers understand that no one trusts their words, they offer to decrypt one file for free. The main requirement for this file is that it should be small and not contain important information. Nevertheless, all security experts warn victims of Sqpc virus that successful decryption of one file does not guarantee anything at all. There is no guarantee that paying the ransom will lead to decryption of the files encrypted by the ransomware.
Threat Summary
Name | Sqpc ransomware |
Type | Filecoder, Crypto virus, File locker, Ransomware, Crypto malware |
Encrypted files extension | .sqpc |
Ransom note | _readme.txt |
Contact | helpmanager@mail.ch, restoremanager@firemail.cc |
Ransom amount | $980, $490 in Bitcoins |
Detection Names | Trojan:Win32/GenKryptik.8d09f260, Trojan.Ransom.Stop, Gen:NN.ZexaF.34108.0qW@aaWaQBPG, Trojan.GenericKDZ.67009 (B), Win32/Kryptik.HDEH, Generic.mg.2cc70c4beed0ba6d, Trojan.Malware.300983.susgen, Trojan:Win32/Occamy.AA, Generic/HEUR/QVM10.2.0E4E.Malware.GenTrojan.Win32.Z.Agent.855552.ABV, Trojan-Ransom.Win32.Stop.mp |
Symptoms | When you try to open your file, Windows notifies you that you do not have permission to open this file. All of your files have an odd file extension appended to the filenames. Files named like ‘_readme.txt’, ‘READ-ME’, ‘_open me’, ‘_DECRYPT YOUR FILES’ or ‘_Your files have been encrypted’ in every folder with an encrypted file. Ransom demanding message on your desktop. |
Distribution methods | Malicious spam (also known as ‘malspam’). Drive-by downloads (crypto virus has the ability to infect the machine simply by visiting a webpage that is running harmful code). Social media, like web-based instant messaging applications. Torrent web pages. |
Removal | Sqpc ransomware removal guide |
Decryption | Sqpc File Decrypt Tool |
The criminals do not lie when they claim that encrypted files cannot be decrypted without a key and decryptor. Security researchers confirm what the attackers say in the ransom demand message: the contents of the affected files are encrypted. However, the files are not fully encrypted; only the first 154kb of their contents is. This helps victims very little, with one exception: since the files are not fully encrypted, the victim can restore files from large archives. It is enough to rename the encrypted archive by removing the .sqpc extension, open it in an archiver, and then extract the desired file from the archive.
Fortunately, there is a free Sqpc File Decrypt Tool that can decrypt .sqpc files. This decryptor has one limitation; it can decrypt files encrypted with an offline key. If files are encrypted with an online key, then they cannot be decrypted yet, since there is no way to determine this key. In the case when files are encrypted with an online key, the victim can use alternative methods that do not involve the use of a key and a decryptor. These methods for recovering encrypted files are described in section ‘How to restore .sqpc files’ below.
How to remove Sqpc ransomware virus
Attention: the first thing you should do is scan the infected computer for malware, then find and remove Sqpc ransomware components. Do not start decrypting files immediately; if you skip this first step, you risk losing all your files. To remove Sqpc ransomware virus, we recommend using free malware removal tools. Some of them, with brief instructions, are given below. If you have an antivirus, perform a full scan with it first, then use the tools listed below. Each of these tools can detect and remove various malware, including ransomware, but these tools cannot recover and decrypt files. To decrypt .sqpc files, you need to complete this step, and then go to step 2.
Remove Sqpc virus with Zemana AntiMalware (ZAM)
Zemana Anti-Malware is one of the best in its class; it can look for and remove a huge number of various security threats, including worms, ransomware, adware, trojans, spyware and malware that masquerades as legitimate computer programs. Zemana Anti Malware also includes another tool called FRST, a helpful application for manual removal of files and parts of the Windows registry created by crypto malware.
First, visit the page linked below, then click the ‘Download’ button in order to download the latest version of Zemana Free.
After the downloading process is complete, close all software and windows on your PC. Open the directory in which you saved the file. Double-click on the icon named Zemana.AntiMalware.Setup.
When the installation starts, you will see the “Setup wizard” that will allow you to set up Zemana Anti Malware on your computer.
Once the install is complete, you will see the Zemana Anti Malware window.
Now click the “Scan” button to begin scanning your system for the Sqpc ransomware and other kinds of potential threats like malware and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your personal computer. While Zemana Free is checking, you can see the number of objects it has identified as malicious software.
When the checking is finished, Zemana Anti-Malware (ZAM) will show you the results. In order to delete all threats, simply click the “Next” button.
Zemana will uninstall Sqpc crypto malware and other security threats and move the selected threats to the Quarantine.
Remove Sqpc ransomware virus with MalwareBytes Free
Removing Sqpc ransomware manually is difficult, and often the crypto malware is not fully removed. Therefore, we suggest you run MalwareBytes Anti-Malware (MBAM), which can fully clean your personal computer. Moreover, this free application will help you to delete malicious software, PUPs, toolbars and adware software that your personal computer may also be infected with.
First, visit the page linked below, then click the ‘Download’ button in order to download the latest version of MalwareBytes.
Once downloading is complete, close all windows on your personal computer. Then open the file called MBSetup. If the “User Account Control” prompt pops up, press the “Yes” button.
It will display the Setup wizard that will allow you to set up MalwareBytes Free on the PC. Follow the prompts and do not make any changes to default settings.
Once the install completes successfully, click the “Get Started” button. MalwareBytes will then run automatically and you will see its main window.
Next, press the “Scan” button to check your PC for the Sqpc ransomware virus, other malicious software, worms and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your PC. While the tool is scanning, you can see the number of objects and files it has already scanned.
Once finished, MalwareBytes AntiMalware will produce a list of unwanted programs and ransomware. When you’re ready, click the “Quarantine” button.
MalwareBytes AntiMalware (MBAM) will delete Sqpc crypto malware and other security threats. Once the procedure is finished, you may be prompted to restart your system.
Remove Sqpc crypto virus with KVRT
If MalwareBytes anti malware or Zemana anti malware cannot delete this crypto virus, then we advise using Kaspersky virus removal tool (KVRT). KVRT is a free removal tool for ransomware, worms, spyware, trojans, adware software, PUPs and other malware.
Download Kaspersky virus removal tool (KVRT) from the link below.
After the downloading process is complete, double-click on the KVRT icon. Once the initialization process is done, you’ll see the Kaspersky virus removal tool screen.
Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to scan your system for the Sqpc crypto virus and other known infections. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. While the Kaspersky virus removal tool is checking, you can see how many objects it has identified as threats.
Once KVRT has finished scanning your PC, you can review all threats found on your personal computer.
You can remove items (move them to Quarantine) by simply pressing Continue to start the cleaning procedure.
How to decrypt .sqpc files
Files with the extension ‘sqpc’ are encrypted files. To decrypt .sqpc files, you need to use a decryptor and a unique key. Fortunately, there is a free Sqpc File decrypt Tool that can decrypt the encrypted files. Sqpc File Decrypt Tool is compatible with all modern versions of the Windows OS and can decrypt files regardless of their size and type.
To decrypt .sqpc files, use Sqpc File decrypt Tool
- Download Sqpc File Decrypt Tool from the following link.
  STOP Djvu decryptor
- Scroll down to the ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
As we said above, the Sqpc ransomware can use two types of keys to encrypt files: online keys and offline keys. Emsisoft company found a way to determine offline keys, so at the moment the Sqpc File decrypt Tool can only decrypt files encrypted with offline keys. If the files are encrypted with an online key, then they cannot be decrypted yet, since only the authors of the ransomware have the encryption key.
This does not mean that if your files are encrypted with an online key, then their contents are lost forever. Fortunately, there are several ways to recover encrypted files. These methods do not involve the use of decryption and therefore can be used in any case, regardless of what type of key the files were encrypted with.
How to find out which key was used to encrypt files
Below we show two ways to help you determine what type of key was used to encrypt your files. This is very important, since the type of key determines whether it is possible to decrypt .sqpc files. We recommend using the second method, as it is more accurate.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the Sqpc virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Sqpc ransomware virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
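The ID check described above can be scripted for triage of an affected folder tree. The following Python is an added example, not code from this guide's author or from the decryptor's vendor; the function names, the 20-character minimum used to recognise an ID, and the sample IDs are assumptions made for illustration.

```python
import os
import re

EXT = ".sqpc"          # extension appended to encrypted files (from the guide)
NOTE = "_readme.txt"   # ransom note file name (from the guide)
# Assumption: an ID is one unbroken token of letters and digits, 20+ characters.
TOKEN = re.compile(r"^[A-Za-z0-9]{20,}$")


def key_type(personal_id):
    """Guide's rule: an ID ending in 't1' means an offline key, otherwise online."""
    return "offline" if personal_id.endswith("t1") else "online"


def ids_from_list(text):
    """IDs from PersonalID.txt content, in order, without duplicates."""
    seen = []
    for token in text.split():
        if TOKEN.match(token) and token not in seen:
            seen.append(token)
    return seen


def id_from_note(text):
    """ID from _readme.txt content: first non-empty line after 'Your personal ID'."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if "your personal id" in line.lower():
            for candidate in lines[i + 1:]:
                if candidate:
                    return candidate if TOKEN.match(candidate) else None
    return None


def triage(root, personal_id_text=""):
    """Walk root, count encrypted files and note folders, classify every ID found."""
    encrypted, note_dirs = 0, 0
    ids = ids_from_list(personal_id_text)
    for folder, _dirs, files in os.walk(root):
        encrypted += sum(1 for f in files if f.lower().endswith(EXT))
        if NOTE in files:
            note_dirs += 1
            path = os.path.join(folder, NOTE)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = id_from_note(fh.read())
            if found and found not in ids:
                ids.append(found)
    kinds = {pid: key_type(pid) for pid in ids}
    return {
        "encrypted_files": encrypted,
        "note_folders": note_dirs,
        "ids": kinds,
        # The free decryptor only handles offline keys, per the guide.
        "decryptor_may_help": "offline" in kinds.values(),
    }


# Constructed sample text, not real victim data.
SAMPLE_NOTE = "ATTENTION!\n...\nYour personal ID:\n0231ConstructedSampleAbCdEfGh1234567890t1\n"
SAMPLE_LIST = "0231ConstructedSampleZyXwVuTs0987654321Qq\n"

if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Pass the text of ‘PersonalID.txt’ as the second argument of `triage` to classify the IDs listed there together with those found in ransom notes; the script only reads files and changes nothing on disk.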
Sqpc File Decrypt Tool : No key for New Variant offline ID
If during decryption of .sqpc files the Sqpc File Decrypt Tool reports No key for New Variant offline ID, this means that your files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers. In this case, you need to be patient and wait a while. It is impossible to say exactly when the ‘offline key’ will be determined. Sometimes it takes several days, sometimes more. We recommend that you try to decrypt .sqpc files from time to time. You can also use the alternative ways listed below for recovering encrypted data.
Sqpc File Decrypt Tool : No key for New Variant online ID
If, when you try to decrypt .sqpc files, the Sqpc File Decrypt Tool reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Sqpc authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
How to restore .sqpc files
Fortunately, there are some alternative ways to recover encrypted files. None of them requires a decryptor or a key, so these methods will suit all victims regardless of which key Sqpc virus used to encrypt files. In addition, using these methods will not affect in any way the decryption of files with the free decryptor. Before you proceed with file recovery, be sure to check your computer for malware using free malware removal tools; you need to be 100% sure that the ransomware has been completely removed.
Restore .sqpc encrypted files using Shadow Explorer
A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore photos, documents and music encrypted by Sqpc crypto malware from Shadow Copies for free.
First, click the following link, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
After downloading is finished, extract the downloaded file to a folder on your machine. This will create the necessary files like the one below.
Launch the ShadowExplorerPortable program. Now select the date (2) that you want to recover from and the drive (1) you want to restore files (folders) from such as the one below.
On the right panel, navigate to the file (folder) you wish to recover. Right-click the file or folder and click the Export button.
Finally, specify a directory (your Desktop) to save the shadow copy of the encrypted file and click the ‘OK’ button.
Run PhotoRec to recover .sqpc files
The last chance to restore encrypted files to their original state is using data recovery tools. We recommend a free tool called PhotoRec. It has all the necessary functions to restore the contents of encrypted files. It helped many victims recover data when it seemed like there was no more hope.
Download PhotoRec by clicking on the following link. Save it to your Desktop so that you can access the file easily.
Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder.
Double-click on qphotorec_win to run PhotoRec for Windows. Its main screen will be displayed.
Select a drive to recover as displayed on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted files as displayed in the figure below.
Click the File Formats button and specify the file types to restore. You can enable or disable the restore of certain file types. When this is complete, press the OK button.
Next, click Browse button to choose where restored files should be written, then click Search.
The count of restored files is updated in real time. All restored files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the restore is complete, click the Quit button. Next, open the directory where the restored files are stored.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your restored files by extension and/or date/time.
How to protect your PC from Sqpc ransomware
Most antivirus applications already have a built-in protection system against crypto malware. Therefore, if your computer does not have an antivirus application, make sure you install one. As an extra protection, use HitmanPro.Alert. HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro Alert can be downloaded from the following link. Save it on your Desktop.
When the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. When the tool is started, you’ll be shown a window where you can select a level of protection, as displayed on the image below.
Now click the Install button to activate the protection.
To sum up
This guide was created to help all victims of Sqpc ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .sqpc files; how to recover files, if Sqpc File Decrypt Tool does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us by leaving a comment below. If you need more help with Sqpc ransomware related issues, go here.
is it really working? anyone tried?
Yes it really works. All programs offered to use are free and verified by security experts.