Qilin (Agenda) Ransomware: What You Need To Know

The Qilin ransomware belongs under the Agenda family. Malware of this type encrypts all user’s data on the computer (photos, documents, excel tables, audio files, videos, etc) and adds its extra extension to every file, leaving the [random_string]-RECOVER-README.txt text files in every folder containing encrypted files.

What is known about the Qilin virus?

☝️ Qilin is a Agenda family ransomware infection.

After the encryption, a file entitled, for example, “report.docx” will be turned into “report.docx.KaFnGL81v3ez”. In every directory containing the encrypted files, a [random_string]-RECOVER-README.txt text file will be created. It is a ransom money memo. Therein you can find information on the ways of contacting the racketeers and some other information. The ransom note usually contains instructions on how to purchase the decryption tool from the tamperers. That is it.

Qilin (Agenda) Summary:

Name	Qilin Ransomware
Ransomware family¹	Agenda ransomware
Extension	.random_string
Ransomware note	[random_string]-RECOVER-README.txt
Detection	Trojan:Win32/Tnega!MSR Removal, Win32:Adware-DNA [Adw] Virus Removal, Win32:Secat [Trj] Virus Removal
Symptoms	Your files (photos, videos, documents) get a .random_string extension and you can’t open them.
Fix Tool	See If Your System Has Been Affected by Qilin virus

The [random_string]-RECOVER-README.txt document accompanying the Qilin or Agenda states the following:

-- Qilin

Your network/system was encrypted.
Encrypted files have new extension.

-- Compromising and sensitive data

We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreementyour data will be published.
Data includes:
    - Employees personal dataCVsDLSSN.
    - Complete network map including credentials for local and remote services.
    - Financial information including clients databillsbudgetsannual reportsbank statements.
    - Complete datagrams/schemas/drawings for manufacturing in solidworks format
    - And more...

-- Warning

1) If you modify files - our decrypt software won\'t able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.

-- Recovery

1) Download tor browser: hxxps://www.torproject.org/download/
2) Go to domain
3) Enter credentials


-- Credentials

Extension: -
Domain:
login: -
password: -(EXTRA string=same as login)

In the picture below, you can see what a folder with files encrypted by the Qilin looks like. Each filename has the random string as extension appended to it.

That is how encrypted files look.

How did my PC catch Qilin ransomware?

There is a huge number of possible ways of ransomware injection.

There are currently three most popular methods for criminals to have ransomware settled in your system. These are email spam, Trojan injection and peer networks.

If you access your inbox and see emails that look just like notifications from utility services providers, postal agencies like FedEx, Internet providers, and whatnot, but whose sender is strange to you, be wary of opening those letters. They are most likely to have a malware file attached to them. Thus it is even riskier to download any attachments that come with letters like these.
Another thing the hackers might try is a Trojan file scheme. A Trojan is a program that infiltrates into your PC pretending to be something legal. For instance, you download an installer of some program you want or an update for some software. But what is unboxed turns out to be a harmful program that encodes your data. As the update wizard can have any name and any icon, you have to make sure that you can trust the resource of the files you’re downloading. The best way is to trust the software companies’ official websites.
As for the peer file transfer protocols like torrents or eMule, the threat is that they are even more trust-based than the rest of the Internet. You can never guess what you download until you get it. So you’d better be using trustworthy websites. Also, it is reasonable to scan the folder containing the downloaded items with the anti-malware utility as soon as the downloading is complete.

How to remove ransomware?

It is important to inform you that besides encrypting your data, the Qilin virus will most likely deploy Vidar Stealer on your PC to seize your credentials to different accounts (including cryptocurrency wallets). That spyware can extract your credentials from your browser’s auto-filling data.

How to avoid ransomware infection?

Qilin ransomware doesn’t have a endless power, neither does any similar malware.

You can armour your system from its attack within three easy steps:

Never open any letters from unknown senders with unknown addresses, or with content that has likely no connection to something you are expecting (can you win in a lottery without even taking part in it?). If the email subject is likely something you are waiting for, check all elements of the dubious email carefully. A fake email will surely have a mistake.
Do not use cracked or untrusted programs. Trojan viruses are often distributed as an element of cracked products, most likely as a “patch” preventing the license check. But untrusted programs are difficult to tell from trustworthy software, as trojans sometimes have the functionality you need. Try to find information on this software product on the anti-malware forums, but the optimal solution is not to use such programs at all.

FAQ

🤔 Is it possible to open encrypted files?

Negative. That is why ransomware is so frustrating. Until you decode files you will not be able to access them.

🤔 The encrypted files are very important to me. How can I decrypt them quickly?

It’s good if you have fаr-sightedly saved copies of these important files elsewhere. If not, there is still a function of System Restore but it needs a Restore Point to be previously saved. All other solutions require time.

🤔 What should I do if the Qilin malware has blocked my PC and I can’t get the activation key.

🤔 What can I do right now?

Some of the blocked data can be found elsewhere.

If you sent or received your important files through email, you could still download them from your online mail server.
You might have shared images or videos with your friends or relatives. Just ask them to give those pictures back to you.
If you have initially downloaded any of your files from the Internet, you can try downloading them again.
Your messengers, social media pages, and cloud storage might have all those files as well.
It might be that you still have the needed files on your old computer, a portable device, phone, flash memory, etc.

USEFUL TIP: You can employ file recovery programs² to get your lost data back since ransomware encodes the copies of your files, deleting the original ones. In the video below, you can learn how to use PhotoRec for such a restoration, but be advised: you won’t be able to do it before you remove the ransomware itself with an anti-malware program.