Cndqmi ransomware removal

Cndqmi ransomware is another ransomware from the Snatch ransomware family. It’s a dangerous piece of malware that encrypts files, adds the .cndqmi file extension, drops a HOW TO RESTORE YOUR FILES.TXT ransom note, and demands that users pay to get a decryptor.


Cndqmi ransom note

Cndqmi ransomware is file-encrypting malware, meaning it will encrypt certain files on a computer. It’s a dangerous piece of malware because recovering files is not always possible. It comes from the same Snatch ransomware family as Jdokao and Hhmgzyl ransomware, which we have already written about. Encrypted files will have the .cndqmi file extension added to them, which allows users to determine which ransomware in particular they are dealing with.

Unfortunately, there is currently no way of decrypting files for free. The cyber crooks behind this ransomware will try to sell a decryption tool, but purchasing it is not recommended. Users should keep in mind that they are dealing with cyber criminals who will not necessarily feel obligated to help users. Countless users have received faulty decryptors, or not received one at all, so paying the ransom is always risky.

Backup is the only completely safe way of recovering files. Users who have backups of their files should only access them after they remove Cndqmi ransomware. Otherwise, backed up files may become encrypted as well.

Is it possible to recover Cndqmi ransomware files?

As soon as the ransomware is initiated, it will start encrypting files. Users will be able to tell which files have been encrypted by the .cndqmi file extension added to encrypted ones. For example, image.jpg would become image.jpg.cndqmi. Once the files have been encrypted, a ransom note HOW TO RESTORE YOUR FILES.TXT will be dropped. The ransom note will explain that files have been encrypted and that contacting the cyber crooks behind this ransomware is necessary to get the decryptor. The note gives two contact email addresses. The ransom sum is not specified in the note; presumably the cyber crooks would inform each victim individually via email. Victims are given 48 hours to contact the crooks.

Here is the Cndqmi ransomware ransom note:

Hello! All your files are encrypted and only I can decrypt them.
Contact me: or

Write me if you want to return your files – I can do it very quickly!
The header of letter must contain extension of encrypted files.
I’m always reply within 24 hours. If not – check spam folder, resend your letter or try send letter from another email service (like

Do not rename or edit encrypted files: you may have permanent data loss.

To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups)

! ! ! If you do not email me in the next 48 hours then your data may be lost permanently ! ! !

But as we said above, paying the ransom is risky. There really are no guarantees, since cyber criminals can just take the money. But unfortunately, no other way of decrypting files exists at the moment. Malware researchers do release ransomware decryptors for free occasionally but it’s not always possible for all ransomware. And there are many fake decryptors promoted on unsafe sites and forums so users should be very careful. Users should only trust reliable sources like NoMoreRansom or Emsisoft, as well as malware researchers like Michael Gillespie to provide legitimate decryptors.

If users have a backup, they should be able to recover files with no issue. But it’s important that the ransomware is not present when the backup is accessed, as otherwise those files may become encrypted as well.
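The indicators described above (the .cndqmi extension and the HOW TO RESTORE YOUR FILES.TXT note) can be inventoried on a cleaned machine before restoring from backup. The Python below is an added example, not part of the original article; the function names, the case-insensitive matching and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".cndqmi"                    # extension named in the article
NOTE_NAME = "HOW TO RESTORE YOUR FILES.TXT"  # ransom note named in the article


def inventory(root):
    """Read-only walk of root; returns encrypted files and ransom notes found."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Case-insensitive matching is an assumption, not stated in the article.
            if name.lower().endswith(ENCRYPTED_EXT):
                # image.jpg.cndqmi -> image.jpg
                encrypted.append((path, name[: -len(ENCRYPTED_EXT)]))
            elif name.upper() == NOTE_NAME:
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def restore_plan(data_root, backup_root):
    """Map each encrypted file to a backup copy at the same relative path, or None."""
    plan = {}
    for path, original in inventory(data_root)["encrypted"]:
        rel = os.path.relpath(os.path.join(os.path.dirname(path), original), data_root)
        candidate = os.path.join(backup_root, rel)
        plan[rel] = candidate if os.path.isfile(candidate) else None
    return plan


def build_sample():
    """Constructed sample tree: two encrypted files, one note, one backed-up original."""
    base = tempfile.mkdtemp(prefix="cndqmi_demo_")
    data, backup = os.path.join(base, "data"), os.path.join(base, "backup")
    for rel in ("data/pics/image.jpg.cndqmi", "data/docs/report.docx.cndqmi",
                "data/docs/" + NOTE_NAME, "data/docs/untouched.txt",
                "backup/pics/image.jpg"):
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample\n")
    return data, backup


if __name__ == "__main__":
    data_root, backup_root = build_sample()
    print(inventory(data_root)["notes"])
    for rel, src in restore_plan(data_root, backup_root).items():
        print(rel, "->", src or "no backup copy")
```

Running `inventory` against the backup location itself shows whether the backup was also hit; an empty result only means these two indicators are absent, not that the machine is clean.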

Ransomware distribution

It’s usually users with bad habits that end up infecting their computers with ransomware or other malware. Those bad habits include opening email attachments without double checking, downloading torrents and software cracks, interacting with ads while on high-risk websites and so on. By simply being more attentive users can avoid a lot of malware.

Spam email remains one of the most popular methods to spread malware. Users whose email addresses were leaked will often be targets of spam email campaigns that have malware attached. Simply opening the malicious file could initiate the malware. But fortunately, as long as users know what to look for, they should be able to spot a malicious email and avoid an infection. One of the most obvious signs is the sender’s email address. If the sender claims to be from some legitimate company/organization but their email address is random and unprofessional looking, it’s spam. Other signs include an abundance of grammar and spelling mistakes, and pressure to open the attachment. Because some spam may be more sophisticated, it’s a good idea to always scan unsolicited email attachments with anti-virus software or VirusTotal.

It’s no secret that malware can often be encountered on torrent sites and forums promoting pirated content. They are usually not regulated properly, which allows cyber crooks to easily upload malware disguised as a movie, game, episode of a TV series, etc.

How to delete Cndqmi ransomware

It’s suggested to use anti-malware software to delete Cndqmi ransomware because manual removal would only bring more trouble. Unfortunately, Cndqmi ransomware removal does not mean files will be decrypted. Decryption is only possible with a special decryption tool.

Cndqmi ransomware is detected as:

  • Win64:Trojan-gen by AVG/Avast
  • Gen:Variant.Ransom.GoRansom.2 by BitDefender
  • Ransom.Win64.KRYGO.SMTH by TrendMicro
  • A Variant Of Win64/Filecoder.BL by ESET
  • Ransom.Snatch by Malwarebytes
  • Ransom:Win64/Snatch.A!MTB by Microsoft