The variant qkG targets Microsoft Office documents and infects Microsoft Word’s default template, normal.dot, upon which all new, blank Word documents are based. This ransomware is written entirely in Visual Basic for Applications (VBA) macros and encrypts opened files using a XOR cipher. It utilizes the onClose function to execute the malware whenever a user closes a file. Once the file is closed, qkG lowers several Office security settings to automatically execute macros and disable Protected View. QkG encrypts the document’s contents and appends a ransom note within the file which contains a Bitcoin address and contact email. An encryption key of I’m QkG@PTM17! by TNA@MHT-TT2 is also added to the infected document.
Image source: Bleeping Computer