GAQQ Virus File Decrypt & Removal

by Brendan Smith
July 23, 2023
The GAQQ virus is a STOP/DJVU family of ransomware-type infections. This virus encrypts your files (video, photos, documents) that can be tracked by a specific “.gaqq” extension. It uses a strong encryption method, which makes it impossible to calculate the key in any way.

The Gaqq ransomware employs a unique key for each victim, with one exception:

  • If Gaqq fails to establish a connection with the command and control server (C&C Server) before initiating the encryption process, it resorts to the offline key. This particular key is shared among all victims, offering the possibility of decrypting files affected by a ransomware attack.
Subscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.

I have compiled an extensive list of potential solutions, tips, and best practices to neutralize the Gaqq virus and recover encrypted files. Depending on the circumstances, file recovery may be either straightforward or impossible.

What is Gaqq virus?

GAQQ

đŸ€” GAQQ virus is ransomware that originates from the DJVU/STOP family. Its primary purpose is to encrypt files that are important to you. After that ransomware virus asks its victims for a ransom fee ($490 – $980) in Bitcoin.

The Gaqq ransomware is a specific kind of malware that encrypted your files and then forces you to pay to restore them. The image below gives a clear vision of how the files with “.gaqq” extension look like:

Gaqq Virus - encrypted .gaqq files

Gaqq File (STOP/DJVU Ransomware)

Name Gaqq Virus
Ransomware family1 DJVU/STOP2 ransomware
Extension .gaqq
Ransomware note _readme.txt
Ransom From $490 to $980 (in Bitcoins)
Contact [email protected], [email protected]
Detection Win32/Sality.NDH, Win32/Adware_AGen.H, Trojan:MSIL/RedLine.MC!MTB
Symptoms
  • Encrypted most of your files (photos, videos, documents) and adds a particular “.gaqq” extension;
  • Can delete Volume Shadow copies to make victim’s attempts to restore data impossible;
  • Adds a list of domains to HOSTS file to block access to certain security-related sites;
  • Installs password-stealing Trojan on the system, like Vidar Stealer or RedLine Stealer;
  • Manages to install a SmokeLoader backdoor;
Fix Tool To remove possible malware infections, scan your PC:
6-day free trial available.

This message asking payment is for restore files via decryption key:

_readme.txt GAQQ Virus

_readme.txt (STOP/DJVU Ransomware) – The scary alert demanding from users to pay the ransom to decrypt the encoded files contains these frustrating warnings

The Gaqq ransomware performs a series of processes on the victim’s computer, with the initial process being the launch of winupdate.exe. This deceptive process presents a fake Windows update prompt to the victim, leading them to believe that a sudden system slowdown is caused by a legitimate update. Simultaneously, another process with a randomly generated name starts scanning the system for specific files and encrypts them. Additionally, the ransomware employs the CMD command 

vssadmin.exe Delete Shadows /All /Quiet

to delete Volume Shadow Copies, eliminating the possibility of restoring the computer to a previous state using System Restore Points.

The ransomware operators intentionally remove any Windows OS-based methods that could assist victims in restoring their files without charge. Furthermore, the criminals modify the Windows HOSTS file by adding a list of domains and mapping them to the localhost IP address. Consequently, when the victim attempts to access one of the blocked websites, they encounter a DNS_PROBE_FINISHED_NXDOMAIN error.

It has come to our attention that the ransomware specifically targets websites that provide various how-to guides for computer users. This deliberate restriction of specific domains aims to hinder the victim’s access to relevant and helpful information related to ransomware attacks. The virus also generates two text files on the victim’s computer, which contain crucial details about the attack – the victim’s public encryption key and personal ID. These files are named bowsakkdestx.txt and PersonalID.txt.

Gaqq ransomware virus saves public encryption key and victim's id in bowsakkdestx.txt file

After all these modifications, the malware doesn’t stop. Variants of STOP/DJVU tend to drop Vidar password-stealing Trojan on compromised systems. This threat has a lengthy list of capabilities, such as:

  • Stealing Steam, Telegram, Skype login / password;
  • Stealing cryptocurrency wallets;
  • Downloading malware to the computer and running it;
  • Stealing browser cookies, saved passwords, browsing history, and more;
  • Viewing and manipulating files on victim’s computer;
  • Allowing the hackers to perform other tasks on the victim’s computer remotely.

The cryptography algorithm used by DJVU/STOP virus is Salsa20. So, if your documents got encrypted with an online decryption key, which is totally unique. The sad reality is that it is impossible to decrypt the files without the unique key.

In case if this virus worked in online mode, it is impossible for you to gain access to the AES-256 key. It is stored on a distant server owned by the frauds who distibute the Gaqq virus.

For receiving decryption key the payment should be $980. To obtain the payment details, the victims are encouraged by the message to contact the frauds by email ([email protected]).

The message by the ransomware states the following information:

ATTENTION!

Don't worry, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

https://we.tl/t-WJa63R98Ku

Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

[email protected]

Reserve e-mail address to contact us:

[email protected]

Your personal ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The ransom note provides contact information for the attackers, which includes the email addresses [email protected] and [email protected]. It emphasizes the importance of reaching out to them within 72 hours to prevent the ransom fee from increasing to $980. The fee is in exchange for the decryption software and key needed to restore the encrypted files, with the original price being $490.

Furthermore, the note offers victims the option to send one encrypted file to the cybercriminals, which they will decrypt free of charge. However, it is specified that the chosen file should not contain any critical or important data.

Do not pay for ransom!

Please, try to use the available backups, or Decrypter tool

The _readme.txt file also indicates that the computer owners must get in touch with the Gaqq representatives during 72 hours starting from the moment of files were encrypted. On the condition of getting in touch within 72 hours, users will be granted a 50% rebate. Thus the ransom amount will be minimized down to $490). However, stay away from paying the ransom!

I certainly recommend that you do not contact these crooks and do not pay. The one of the most real working solution to recover the lost data – just using the available backups, or use Decrypter tool from Emsisoft.

The peculiarity of all such viruses apply a similar set of actions for generating the unique decryption key to recover the ciphered data.

Thus, unless the ransomware is still under the stage of development or possesses with some hard-to-track flaws, manually recovering the ciphered data is a thing you can’t perform. The only solution to prevent the loss of your valuable data is to regularly make backups of your crucial files.

Note that even if you do maintain such backups regularly, they ought to be put into a specific location without loitering, not being connected to your main workstation.

For instance, the backup may be kept on the USB flash drive or some alternative external hard drive storage. Optionally, you may refer to the help of online (cloud) information storage.

Needless to mention, when you maintain your backup data on your common device, it may be similarly ciphered as well as other data.

For this reason, locating the backup on your main computer is surely not a wise idea.

How I was infected?

Ransomware has a various methods to built into your system. But it doesn’t really matter what concrete way had place in your case.

Gaqq infection attack

Gaqq attack following a successful phishing attempt.

There are common leaks through which the Gaqq ransomware may be injected into your PC. These include hidden installation along with other apps, especially utilities that work as freeware or shareware. Another method is through a dubious link in spam emails that leads to the virus installer. Additionally, online free hosting resources can also be a source of injection. Lastly, using illegal peer-to-peer (P2P) resources for downloading pirated software is another way the ransomware can infiltrate your system.

Instances have been reported where the Gaqq virus disguises itself as a legitimate tool. For example, it may appear in messages demanding the initiation of unwanted software or browser updates. This is a common tactic used by online fraudsters to trick users into manually installing the Gaqq ransomware. They aim to involve you directly in the installation process.

It is important to note that the bogus update alert will not explicitly indicate that you are installing the virus. Instead, it will be disguised as an alert prompting you to update Adobe Flash Player or some other dubious program.

Cracked apps are also a potential source of damage. It is essential to understand that using P2P resources for downloading pirated software is both illegal and can result in the injection of serious malware, including the Gaqq ransomware.

To summarize, what can you do to avoid the injection of the Gaqq ransomware into your device? While there is no foolproof guarantee to prevent PC damage, there are certain precautions you can take to minimize the risk of Gaqq penetration. When installing free software, carefully read what the installers offer in addition to the main program. Exercise caution when dealing with dubious email attachments and refrain from opening files from unknown senders. Additionally, it is crucial to keep your security program up to date.

The malware operates discreetly, not openly revealing its presence. It will not appear in the list of your available programs. Instead, it disguises itself as a malicious process that runs in the background once you launch your computer.

How To Remove Gaqq Virus?

In addition to encode a victim’s files, the Gaqq infection has also started to install the Vidar Stealer on PC to steal account credentials, cryptocurrency wallets, desktop files, and more.


  1. Run the setup file.

    Run Setup.exe
    GridinSoft Anti-Malware Setup

  2. Press “Install” button.

    GridinSoft Anti-Malware Install

  3. Once installed, Anti-Malware will automatically run.

    GridinSoft Anti-Malware Splash-Screen

  4. Wait for complete.

    GridinSoft Anti-Malware Scanning for GAQQ

  5. Click on “Clean Now”.

    GAQQ Virus Files in Scan Result

About the author

Brendan Smith

Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.

View all posts

Leave a Comment