STOP Ransomware

STOP Ransomware Description

PC security researchers received reports of ransomware attacks involving a threat known as the STOP Ransomware on February 21, 2018. The STOP Ransomware is based on an open source ransomware platform and carries out a typical encryption ransomware attack. The STOP Ransomware is distributed through spam email messages carrying corrupted file attachments: DOCX files with embedded macro scripts that, once the recipient enables macros, download and install the STOP Ransomware onto the victim's computer. Learning to recognize phishing emails and refusing to open unsolicited file attachments is one of the ways to avoid these attacks.
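The macro-document lure described above can be screened before anyone opens the attachment. The following is an added example, not code from the original page or from any vendor tool: it inspects an Office Open XML attachment, which is a ZIP container, for the part that holds VBA code, and flags the case where such a part sits inside a file whose extension promises no macros. The sample documents are constructed in memory; legacy binary .doc/.xls files are OLE compound documents and need a different parser (for example oletools' olevba), which this example does not cover.

```python
"""Flag Office Open XML attachments that carry a VBA macro project.

Added example (not code from the original page). OOXML documents
(.docx, .docm, .xlsx, .xlsm, .pptx, .pptm) are ZIP archives; a
macro-enabled document stores its VBA code in a part named
word/vbaProject.bin (or xl/..., ppt/...). Word does not run a project
it finds inside a file opened as .docx, but finding one there still
shows the attachment was crafted rather than produced by a normal save.
"""
import io
import zipfile
from typing import Dict, List

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that, by convention, must not contain a VBA project at all
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def macro_parts(data: bytes) -> List[str]:
    """Return the names of VBA project parts present in an OOXML container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []  # not an OOXML container (could be OLE, PDF, plain text, ...)
    return [part for part in MACRO_PARTS if part in names]


def assess(filename: str, data: bytes) -> Dict[str, object]:
    """Classify one attachment by file name and content."""
    parts = macro_parts(data)
    verdict = "clean"
    if parts:
        verdict = "macro-enabled"
        # A macro project inside a ".docx"-named file is a mismatch worth escalating
        if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
            verdict = "macro-enabled (extension mismatch)"
    return {"file": filename, "vba_parts": parts, "verdict": verdict}


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like archive in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE streams; a stub is enough for the name check
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False))]:
        print(assess(name, blob))
```

A mail gateway would run `assess()` over every OOXML attachment and quarantine anything that is not "clean"; the presence check is cheap and needs no macro parsing, which is exactly why it is a useful first filter.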

How to Recognize a STOP Ransomware Infection

Once installed on the victim's computer, the STOP Ransomware searches the victim's drives for a wide variety of file types, generally looking for user-generated files such as images, media files, and numerous document types. The STOP Ransomware also seems to be engineered with Web servers in mind, since its target list explicitly includes database files and other file types usually found on such machines. The file types that the STOP Ransomware searches for and targets in its attack include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.


The STOP Ransomware uses a strong encryption algorithm to make each of the victim's files inaccessible. The sample analyzed here appends the file extension '.SUSPENDED' to the files it enciphers, as a way to mark the affected files. Note that the ransom note reproduced below refers to a '.STOP' extension instead, so the marker differs between builds, as the later updates on this page also show.

The STOP Ransomware's Ransom Note

The STOP Ransomware demands a ransom payment by delivering a ransom note to the victim's computer. This ransom note is displayed in a text file dropped onto the victim's desktop. The file, named '!!! YourDataRestore !!!.txt,' contains the message:

'All your important files were encrypted on this PC.
All files with .STOP extension are encrypted. Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email stopfilesrestore@bitmessage.ch send us an email your !!!YourDataRestore!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
[RANDOM CHARACTERS]
E-mail address to contact us:
stopfilesrestoret@bitmessage.ch
Reserve email address to contact us:
stopfilesrestore@india.com'

The people responsible for the STOP Ransomware demand a ransom of 600 USD, payable in Bitcoin and within 72 hours of first contact; the note itself carries no wallet address, and the payment details are delivered by email. Contacting these people or paying the ransom is not a solution a practitioner should recommend: payment funds further attacks and does not guarantee a working decryptor.

Protecting Your Data from the STOP Ransomware and Other Ransomware Trojans

The best protection against the STOP Ransomware and other ransomware Trojans is to keep file backups. Computer users that have backup copies of their files can recover them after an attack without having to resort to paying the ransom, provided the backups are stored where the ransomware cannot reach them (on media that is disconnected between backups, or on a service that keeps earlier versions of files). A recommended security program also can prevent the STOP Ransomware from being installed in the first place.

Update December 6th, 2018 — 'helpshadow@india.com' Ransomware

The 'helpshadow@india.com' Ransomware is a comparatively small update to the code that carries the STOP Ransomware brand. The threat authors do not seem to have spent much time polishing the new variant, and it saw relatively few infections. The 'helpshadow@india.com' Ransomware was picked up by AV vendors quickly, and alerts were issued through major social platforms and cybersecurity reports. Unfortunately, there is no possibility of free decryption yet. Users are typically compromised through a corrupted document received by email. The threat is known to delete the Volume Shadow Copies Windows keeps, removing the restore points a victim could otherwise use to recover files, and to attach the '.shadow' extension to the enciphered objects. For example, 'C12-H22-O11.pptx' is renamed to 'C12-H22-O11.pptx.shadow' and a ransom note called '!readme.txt' appears on the desktop. The 'helpshadow@india.com' Ransomware is likely to show the following message to the infected users:

'ALL YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
helpshadow@india.com
Reserve e-mail address to contact us:
helpshadow@firemail.cc
Your personal ID:
[random characters]'

The text shown above is also used by variants released earlier than the 'helpshadow@india.com' Ransomware; the only alteration worth noting is the new pair of contact emails. The 'helpshadow@india.com' Ransomware is named after one of them, and the other refers users to the same username on a different email platform, 'helpshadow@firemail.cc.' Both accounts are likely to be terminated by the time this article reaches you. The chances of catching whoever is behind the 'helpshadow@india.com' Ransomware are not great, since the operators use proxies, VPN services, and the Tor network to hide their control infrastructure. Hence, users need to be proactive in defending their data. Step one: set up a backup program. Step two: don't open files from unknown senders. Keep backup copies on removable storage that stays disconnected between backups, or on a file hosting service that keeps earlier versions of files, since a drive that remains attached will be encrypted along with everything else.
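The shadow-copy deletion mentioned in this update (and repeated by the '.djvu', '.PAUSA' and '.WAITING' variants below) is one of the few actions in the chain that is noisy enough to alert on before encryption finishes. The following is an added example, not code from the original page: it runs a small set of command-line patterns over process-creation records. The records are constructed to resemble the fields of a Sysmon Event ID 1 record exported as JSON lines; the page says STOP deletes the snapshots but does not quote the command it uses, so the patterns cover the usual ways shadow copies are removed on Windows in general rather than a signature of one specific STOP build.

```python
"""Flag process-creation events whose command line removes Volume Shadow Copies.

Added example, not code from the original page. SAMPLE_LOG is constructed;
the parent image of the suspicious records is modeled on the Local AppData
Temp staging path listed under Technical Information on this page.
"""
import json
import re
from typing import Dict, List

# (technique label, regex applied to the lower-cased command line)
SHADOW_DELETE_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("Win32_ShadowCopy via WMI/PowerShell",
     re.compile(r"\bwin32_shadowcopy\b.*\b(?:delete|remove)\b")),
]


def classify(cmdline: str) -> List[str]:
    """Return the label of every removal pattern the command line matches."""
    text = cmdline.lower()
    return [label for label, rx in SHADOW_DELETE_PATTERNS if rx.search(text)]


def scan(records: List[Dict]) -> List[Dict]:
    """Return one finding per record whose CommandLine matches a removal pattern."""
    findings = []
    for rec in records:
        labels = classify(rec.get("CommandLine", ""))
        if labels:
            findings.append({
                "pid": rec.get("ProcessId"),
                "image": rec.get("Image"),
                "parent": rec.get("ParentImage"),   # the interesting field: who asked for it
                "techniques": labels,
            })
    return findings


def parse_json_lines(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events (JSON lines). The command lines are typical
# shadow-copy removal invocations, not quotes from a STOP sample.
SAMPLE_LOG = r'''
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\5F1F.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ProcessId": 4131, "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin list shadows"}
{"ProcessId": 4160, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\5F1F.exe", "CommandLine": "cmd.exe /c wmic.exe shadowcopy delete"}
{"ProcessId": 4172, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"}
'''


def findings_from_sample() -> List[Dict]:
    return scan(parse_json_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in findings_from_sample():
        print(finding)
```

The benign `vssadmin list shadows` record is deliberately included: administrators run it, so the rule keys on the verb, not on the binary. In production the parent image is what turns a match into an incident: backup software invoking vssadmin from Program Files is expected, an executable in a user's Temp folder doing so is not.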

Update December 13th, 2018 — '.djvu File Extension' Ransomware

The '.djvu File Extension' Ransomware is a new variant of the STOP Ransomware that was reported on December 12th, 2018. Computer security researchers categorize it as a small update to the previous releases of the STOP Ransomware and warn that the threat is still distributed primarily via spam emails. The threat actors have been using macro-enabled documents and fake PDFs to trick users into installing their program silently. The attacks with the '.djvu File Extension' Ransomware are almost the same as the first wave of infections in February 2018. The threat deletes the Volume Shadow Copies and enumerates the connected and mapped drives before it encrypts the user's data. The new variant uses a different file extension, and the ransom note is altered slightly. As the name indicates, the files receive the '.djvu' suffix, so that 'Jonne-Kaiho.mp3' is renamed to 'Jonne-Kaiho.mp3.djvu.' The ransom note can be found on the desktop as '_openme.txt' and reads:

'ALL YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
helpshadow@india.com

Reserve e-mail address to contact us:
helpshadow@firemail.cc

Your personal ID:
[random characters]'

The threat authors continue to use the 'helpshadow@india.com' and 'helpshadow@firemail.cc' email accounts for their campaign. Do not trust the STOP Ransomware team, and do not be tempted by the 50% discount mentioned above; the threat actors discussed here are not known for their leniency. PC users should remove the '.djvu File Extension' Ransomware using a trusted anti-malware tool and recover their data from backup images or backup services.

Update January 11th, 2019 — '.tfude File Extension' Ransomware

The '.tfude File Extension' Ransomware is a version of the STOP Ransomware that came out on January 11th, 2019. It exhibits minimal modifications compared to the original threat and is named after the only notable change: it attaches the '.tfude' file extension to encrypted data. The '.tfude File Extension' Ransomware continues to use standard encryption and a secure connection to its command servers, where the per-victim key is generated and kept; that, rather than any novelty in the cipher, is what prevents security specialists from offering free decryption to compromised users.

The crypto-threat at hand uses the same standard, well-vetted ciphers (AES for file contents and RSA to protect the file key, as the ransom notes and the '.PAUSA' analysis below indicate) that government agencies and large companies rely on to protect their own data; the algorithms are not the weak point, the attackers' exclusive possession of the key is. The encrypted files appear in Windows Explorer with generic white icons, and the programs the user has installed remain functional. However, certain database managers may not work properly since the threat encodes popular database formats. For example, 'Recent sales.pdb' is renamed to 'Recent sales.pdb.tfude.' The ransom note is loaded in Notepad from the file '_openme.txt,' which can be found on the desktop. The '.tfude File Extension' Ransomware carries the same message as the original Trojan, but this time the threat actors are using the 'pdfhelp@firemail.cc' email account to reach out to users. There is no free decryptor for files encrypted with a per-victim key held on the attackers' server, so data backups are the way to recover. (Later STOP builds that cannot reach their server fall back to a hard-coded offline key, and files encrypted with such a key have since become recoverable with free tools; that does not help with the online-key infections described here.) Clean the infected devices by running a complete system scan with a reputable anti-malware tool.

Update January 23rd, 2019 — 'pausa@bitmessage.ch' Ransomware

The 'pausa@bitmessage.ch' Ransomware is a file encoder produced with the STOP Ransomware builder. It was delivered to PC users via spam emails in the first week of May 2018. The 'pausa@bitmessage.ch' Ransomware is a generic encryption Trojan: it encrypts files in place on infected computers and deletes the volume snapshots to obstruct recovery. It uses the same hybrid scheme seen in other widespread ransomware families such as Cerber and Dharma: file contents are encrypted with AES-256, and the AES key is in turn protected with the attackers' RSA key (the note below claims RSA-1024). The threat is programmed to run from the Temp folder under the AppData directory, the same staging location that appears in the file paths listed under Technical Information below, and targets documents, video, music, databases, and ebooks. Encoded data receives the '.pausa' extension, so that 'Hartmann-Save me.mp3' is renamed 'Hartmann-Save me.mp3.pausa.' The ransom notification is saved as '!!RESTORE!!!.txt' on the user's desktop and reads:

'All your important files were encrypted on this PC.
All files with .PAUSA extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email pausa@bitmessage.ch send us an email your !!!RESTORE!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
[random characters]
E-mail address to contact us:
pausa@bitmessage.ch
Reserve e-mail address to contact us:
pausa@india.com'

We recommend that you avoid negotiating with the threat actors via the 'pausa@bitmessage.ch' and 'pausa@india.com' email accounts. It is safer to restore from data backups and clean your system with the help of a reputable anti-malware tool. Even if you pay the $600 ransom, there is no guarantee you will receive a decryptor. PC users are encouraged to back up their data at least twice a month (more often for data that changes daily) and to ignore spam messages that may lead to a security compromise. AV companies have detection rules for the 'pausa@bitmessage.ch' Ransomware, but there was no free decryptor available at the time of writing.

Update January 23rd, 2019 — 'waiting@bitmessage.ch' Ransomware

The 'waiting@bitmessage.ch' Ransomware is an encryption Trojan based on the STOP Ransomware. It was reported by compromised users on April 18th, 2018 and appears to invade computers via corrupted Microsoft Word documents. The 'waiting@bitmessage.ch' Ransomware is recorded to encrypt photos, audio, video, and text on the infected computers. Unfortunately, the malware authors also added a command that deletes the volume snapshots Windows keeps to protect your data, so the built-in restore points cannot be used afterwards. The Trojan replaces each targeted file with an encrypted copy carrying the '.WAITING' extension, which cannot be opened by the software on your system. For example, 'Hartmann-Like a River.mp3' is renamed to 'Hartmann-Like a River.mp3.waiting,' and a ransom message is dropped to your desktop. The 'waiting@bitmessage.ch' Ransomware writes '!!!INFO_RESTORE!!!.txt' to the desktop and shows the following text:

'All your important files were encrypted on this PC.
All files with .WAITING extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email waiting@bitmessage.ch send us an email your !!!INFO_RESTORE!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
[random characters]
E-mail address to contact us:
waiting@bitmessage.ch
Reserve email address to contact us:
waiting@india.com'

The malware does not interfere with third-party backup tools, so you should be able to restore from your backups. It is recommended to avoid interaction with the threat actors via the 'waiting@bitmessage.ch' and the 'waiting@india.com' email addresses. File hosting services can help protect your backups from network-borne threats and from most ransomware variants like the 'waiting@bitmessage.ch' Ransomware, with one caveat: a folder that is merely synchronized is not a backup, because the sync client uploads the encrypted copies just as faithfully as it uploaded the originals. Use a service that keeps earlier versions of files, or keep a copy on media that is disconnected between backups.

Update November 25th, 2019 - .zobm and .rote Extensions

Security researchers came across a couple of new variants of the STOP Ransomware on November 24 and November 25, 2019. The ransomware variants appended the encrypted files with .zobm and .rote extensions, but had an identical ransom note, named _readme.txt. The emails through which the threat actors could be reached were also the same – datarestorehelp@firemail.cc and datahelp@iran.ir.

ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-4NWUGZxdHc
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
datarestorehelp@firemail.cc
Reserve e-mail address to contact us:
datahelp@iran.ir
Your personal ID:
[random characters]

 

STOP Ransomware in 2019 and Beyond

Later in 2019, the STOP ransomware was still in use and new distribution vectors were being tested. The STOP ransomware started appearing in bundles with other forms of malware, primarily adware, on websites claiming to host cracked executables for games and software. As a result, many of the ransomware's new victims turned out to be hopeful software pirates who got more than they bargained for.

There is also evidence that the STOP ransomware drops password-stealing Trojans that scrape login credentials from the infected machine. A STOP infection should therefore be treated as a credential compromise as well: passwords stored or entered on the machine should be changed once it has been cleaned.

The ransomware also kept extending the list of extensions it appends to encrypted files; files encrypted by these STOP builds received the .rumba and .tro extensions. Little else changed: the ransom note was still found in a file named "_openme.txt", but the ransom was raised to $980, with a reduction to $490 if the victim pays within the first 72 hours following infection.

Update March 24th, 2020 – New Variants

The threat actors behind the STOP Ransomware have been working as tirelessly in 2020 as they did in 2019, with new variants encrypting victims' files and appending a variety of new extensions. Some of the new extensions of the STOP Ransomware include .piny, .redl, .rooe, .mmnn, .ooss, .rezm, .lokd, and .foop.

A sample of a ransom note that came with the .lokd variant contained the following text:

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents, and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t7m8Wr997Sf
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail ''Spam'' or ''Junk'' folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
helpdatarestore@firemail.cc
Reserve e-mail address to contact us:
helpmanager@mail.ch
Your personal ID:
[random characters]

Other emails that the threat actors have been using with these new variants include helpmanager@iran.ir and helpmanager@firemail.cc.
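Across the updates above, what changes from one STOP build to the next is mostly the appended extension and the ransom-note file name, which makes a first-pass triage of an affected machine easy to automate. The following is an added example, not code from the original page: it walks a directory tree, separates files renamed by a STOP variant from untouched ones, recovers the original file name and extension, counts hits per STOP extension, and locates the ransom notes. The extensions and note names are exactly the ones quoted on this page (from '.SUSPENDED' through '.foop'); the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Triage a directory tree for files renamed by the STOP ransomware variants on this page.

Added example, not code from the original page. A hit is a file-name
pattern match only; the encrypted content is not inspected.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Extensions this page reports STOP appending (compared case-insensitively)
STOP_EXTENSIONS = {
    "suspended", "stop", "shadow", "djvu", "tfude", "pausa", "waiting",
    "zobm", "rote", "rumba", "tro", "piny", "redl", "rooe", "mmnn",
    "ooss", "rezm", "lokd", "foop",
}
# Ransom-note file names quoted on this page (both spellings where the page has two)
RANSOM_NOTES = {
    "!!! yourdatarestore !!!.txt", "!!!yourdatarestore!!!.txt", "!readme.txt",
    "_openme.txt", "!!!restore!!!.txt", "!!restore!!!.txt",
    "!!!info_restore!!!.txt", "_readme.txt",
}


def split_stop_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, stop_ext) if the final extension is a STOP marker, else None."""
    base, dot, ext = name.rpartition(".")
    if dot and base and ext.lower() in STOP_EXTENSIONS:
        return base, ext.lower()
    return None


def triage(root: str) -> Dict[str, object]:
    """Walk root and report encrypted files, ransom notes and a per-extension count."""
    encrypted: List[Dict[str, str]] = []
    notes: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if fn.lower() in RANSOM_NOTES:
                notes.append(full)
                continue
            hit = split_stop_name(fn)
            if hit:
                original, ext = hit
                encrypted.append({
                    "path": full,
                    "original": original,                     # name to restore from backup
                    "original_ext": Path(original).suffix.lower(),
                    "stop_ext": ext,
                })
    by_ext = Counter(e["stop_ext"] for e in encrypted)
    return {"encrypted": encrypted, "notes": notes, "by_stop_ext": dict(by_ext)}


def build_sample_tree() -> str:
    """Create a constructed sample tree; names are modeled on the page's own examples."""
    root = tempfile.mkdtemp(prefix="stop_triage_")
    layout = {
        "Documents/C12-H22-O11.pptx.shadow": b"\x00",
        "Documents/!readme.txt": b"ransom note",
        "Music/Jonne-Kaiho.mp3.djvu": b"\x00",
        "Music/_openme.txt": b"ransom note",
        "Sales/Recent sales.pdb.tfude": b"\x00",
        "Sales/notes.txt": b"untouched",           # not renamed, not flagged
        "Sales/archive.stop.bak": b"untouched",    # '.stop' is not the final extension
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(result["by_stop_ext"])
    for entry in result["encrypted"]:
        print(entry["stop_ext"], "->", entry["original"])
    print("notes:", result["notes"])
```

The `original` field is what you feed to the backup restore, and `by_stop_ext` tells you at a glance which variant you are dealing with before you go looking for a decryptor. Because the check is purely name-based, a legitimate file that happens to end in one of these extensions would also be listed; the short, odd extension list makes that rare, but verify before deleting anything.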

Technical Information

File System Details

STOP Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 %SYSTEMDRIVE%\Users\PAVANELLI\AppData\Local\Temp\5F1F.exe\5F1F.exe 897,024 b5b59a34192343da2c0fc84fb3bb6b2e 2,983
2 %SYSTEMDRIVE%\Users\weerawat.o\AppData\Local\e6f3a7c5-88d6-4bfb-b173-4c38bd04efdc\97DE.tmp.exe\97DE.tmp.exe 446,464 4e8f1415dd3366f81fa3960db4cf70f9 1,768
3 %SYSTEMDRIVE%\users\administrator\appdata\local\c91d2281-49d1-471c-8716-d6db40179136\1368.tmp.exe\1368.tmp.exe 398,336 8cebee5086592386fa86f3ee5bacc0d2 1,647
4 %SYSTEMDRIVE%\users\ryan brown\appdata\local\6c1cb14b-1f04-4ecc-9b6d-32678fba87a7\9686685955.exe\9686685955.exe 863,744 5c71f8c3bb000d163fc2e63c089b35a1 1,628
5 %SYSTEMDRIVE%\users\server.server1-pc\appdata\local\c545263a-7487-4361-a662-bb9f7794250f\a395.tmp.exe\a395.tmp.exe 381,952 536f955ae69e666b44aac54c7619b9b1 1,582
6 \??\C:\USERS\S16FA~1.SUM\APPDATA\LOCAL\TEMP\3823.TMP.EXE.WPT\3823.TMP.EXE.WPT 465,920 d4fceee0f4fe0f1b50a5c957eab5151b 1,497
7 %SYSTEMDRIVE%\Users\Lenovo\AppData\Local\0e098dd2-a0e4-42ea-a204-a931f3d13513\512B.tmp.exe\512B.tmp.exe 414,720 89b1b4f3f6ec190865abaa7f61046ee5 1,254
8 %SYSTEMDRIVE%\users\fadl\appdata\local\b23a8dbc-c2b0-4b07-8934-d1c4bed24f6e\fb96.tmp.exe\fb96.tmp.exe 606,720 26349ff94731a08d669e881c66264d65 1,205
9 %SYSTEMDRIVE%\users\govind\appdata\local\424e6b7f-e965-4b52-b456-be94f7d6637a\d5e2.tmp.exe 522,240 4c1b9a14dda6a74b7abff708758d98f6 1,038
10 %SYSTEMDRIVE%\Users\meibi\AppData\Local\53db1a55-36f3-4e32-a47e-9ff58aa96983\F989.tmp.exe\F989.tmp.exe 393,216 b9072d4d8ed9207605fa633349ba8021 994
11 %SYSTEMDRIVE%\Users\administrator\AppData\Local\d0266395-b014-4ed8-b578-631ea77f3e4e\B117.tmp.exe\B117.tmp.exe 494,080 283bf952e656763a94626cac01d7bc85 978
12 %SYSTEMDRIVE%\users\pc\appdata\local\57241f6d-7256-4584-8d3d-bc831432c4cd\25b9.tmp.exe\25b9.tmp.exe 799,232 9bd737b220a4040dbcaf17f48be54a98 810
13 %SYSTEMDRIVE%\Users\Amr\AppData\Local\730020ce-08aa-4f5c-9efb-af8385fdad19\3A93.tmp.exe\3A93.tmp.exe 418,816 d5995275a4d96672ed08cc6188143a7a 773
14 c:\users\adip\appdata\local\temp\2c6b.tmp.exe 403,456 ac2dffb783aed99d77ecc2006a29d971 744
15 %SYSTEMDRIVE%\users\wael\appdata\local\ea8baec4-cbd4-4336-84ff-dda0d8f701d6\618.tmp.exe 412,672 99ba307185c56cfb6d9ea965fcfef083 719
16 %SYSTEMDRIVE%\users\jass\appdata\local\2456a31a-48fa-4fb4-9c68-0c48c3d9954e\160f.tmp.exe 436,224 3a1a3c4b4b3de474b574f48198d6e41e 647
17 %SYSTEMDRIVE%\users\uc asus-uq\appdata\local\af3e9598-3e17-43c4-b76c-a669487b4eaf\425.tmp.exe\425.tmp.exe 396,288 ba621678023996e90a12efdf423c0b07 290
18 %SYSTEMDRIVE%\users\ranaweera\appdata\local\72bea499-40e8-4171-9908-3a91f110d67f\1df7.tmp.exe\1df7.tmp.exe 654,848 ad5a82caee53510fafcdfcddfa74daae 40
19 %SYSTEMDRIVE%\users\adixx\appdata\local\a27e663f-5d4a-4976-8d39-f96c9fc766d8\5cd3.tmp.exe\5cd3.tmp.exe 430,978 1569c3b648b4c63ae39ddc2d2d91b7d5 14
20 %SYSTEMDRIVE%\users\user\appdata\local\09b3d467-2d15-441e-9d65-6b4a5d9bf509\e5cb.tmp.exe 503,751 031ff93d3e55a84f475cf0b563fe7f65 14
21 %SYSTEMDRIVE%\users\bdu\appdata\local\51f7495d-3c09-4597-8582-f09b1fd5debc\5dcc.tmp.exe 487,424 e3b973420daf30a4180f60337a2eaf90 14
22 %SYSTEMDRIVE%\users\user01\appdata\local\71e51782-6237-4e6d-a36e-d1f920af9ed9\6fa4.tmp.exe\6fa4.tmp.exe 596,423 67e8f528b4db3443a74718443a2fc788 12
23 %SYSTEMDRIVE%\users\rimusa\appdata\local\2a7db3c3-a785-4936-8d95-a80bc680c93f\cc0.tmp.exe\cc0.tmp.exe 563,722 0564489cff6c549ca82b7a470b305346 11
24 %SYSTEMDRIVE%\users\m kashif\appdata\local\532a3dc7-3a4d-47a8-8cfc-ae55ec6aedc5\c11d.tmp.exe\c11d.tmp.exe 530,887 a0eb1e740d92c51576ed117d8b6de3c5 11
25 ransomware.exe 444,928 fdc340769c3ca364f6cc7ca1be99762b 0
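The paths in the table above share a pattern worth hunting for on other hosts: an executable with a short hexadecimal name, usually '<hex>.tmp.exe', sitting either in the user's Local AppData Temp folder or in a GUID-named folder created directly under Local AppData. The following is an added example, not code from the original page: two regular expressions that encode that pattern, run over a constructed list that mixes paths taken from the table with ordinary benign ones. A match is a hunting lead, not a verdict; corroborate with the file hash (the table gives MD5s), the signature and the parent process.

```python
"""Hunt for executables staged where the STOP samples listed above ran from.

Added example, not code from the original page. SAMPLE_PATHS is constructed:
the first five entries are copied from the File System Details table, the
rest are typical benign paths added to show what does not match.
"""
import re
from typing import Dict, List, Optional

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# (label, regex over the normalised path)
STAGING_PATTERNS = [
    # any .exe inside a GUID-named folder directly under AppData\Local
    ("guid-folder", re.compile(r"\\appdata\\local\\" + GUID + r"\\[^\\]+\.exe\b")),
    # a 1-4 hex-digit name, optionally '.tmp', as an .exe directly in AppData\Local\Temp
    ("temp-hex", re.compile(r"\\appdata\\local\\temp\\[0-9a-f]{1,4}(?:\.tmp)?\.exe\b")),
]


def normalise(path: str) -> str:
    """Lower-case, unify separators and strip the NT device prefix seen in raw telemetry."""
    p = path.replace("/", "\\").lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def staging_match(path: str) -> Optional[str]:
    """Return the label of the first staging pattern the path matches, or None."""
    p = normalise(path)
    for label, rx in STAGING_PATTERNS:
        if rx.search(p):
            return label
    return None


def hunt(paths: List[str]) -> List[Dict[str, str]]:
    hits = []
    for p in paths:
        label = staging_match(p)
        if label:
            hits.append({"path": p, "pattern": label})
    return hits


SAMPLE_PATHS = [
    # taken from the table above
    r"%SYSTEMDRIVE%\Users\PAVANELLI\AppData\Local\Temp\5F1F.exe",
    r"%SYSTEMDRIVE%\Users\weerawat.o\AppData\Local\e6f3a7c5-88d6-4bfb-b173-4c38bd04efdc\97DE.tmp.exe",
    r"%SYSTEMDRIVE%\users\ryan brown\appdata\local\6c1cb14b-1f04-4ecc-9b6d-32678fba87a7\9686685955.exe",
    r"\??\C:\USERS\S16FA~1.SUM\APPDATA\LOCAL\TEMP\3823.TMP.EXE.WPT",
    r"c:\users\adip\appdata\local\temp\2c6b.tmp.exe",
    # constructed benign paths
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\Users\alice\AppData\Local\Temp\is-ABCDE.tmp\setup.exe",
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PATHS):
        print(hit["pattern"], hit["path"])
```

The last benign entry is the shape an Inno Setup installer leaves in Temp; it does not match because the folder name is not a bare hex string, which is the point of keeping the 'temp-hex' pattern narrow. Feed `hunt()` the image paths from process-creation telemetry or the file list from an EDR export and review the hits together with the MD5s in the table.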

Registry Details

STOP Ransomware also creates the following directories and files (the original page lists them under 'Registry Details', but the entries are file system paths and file-name masks, not registry keys):
Directory
%ALLUSERSPROFILE%\tzjajmmqgl
%PROGRAMFILES%\3Dmarkproa
%PROGRAMFILES%\3DMarkproed
%PROGRAMFILES%\3DMarkproediot
%PROGRAMFILES%\3DMarkproedit
%PROGRAMFILES%\Blubnerg
%PROGRAMFILES%\cedfs
%PROGRAMFILES%\chrum\xon\note
%PROGRAMFILES%\company\3dmarkssdf
%PROGRAMFILES%\company\64Product
%PROGRAMFILES%\crights\file\xml
%PROGRAMFILES%\Cry\Cryp
%PROGRAMFILES%\cryptoss
%PROGRAMFILES%\crys\cry
%PROGRAMFILES%\crysp\cryq
%PROGRAMFILES%\Davai
%PROGRAMFILES%\der\supr
%PROGRAMFILES%\dera\kii
%PROGRAMFILES%\ferr\seda\sx\bin
%PROGRAMFILES%\Glary\Utilities\Settings
%PROGRAMFILES%\hop
%PROGRAMFILES%\Hyps
%PROGRAMFILES%\inner\win\bin
%PROGRAMFILES%\Innovativ\ddd
%PROGRAMFILES%\Ivp\bin
%ProgramFiles%\kiss\me
%PROGRAMFILES%\krontal
%PROGRAMFILES%\laert
%PROGRAMFILES%\laerts
%PROGRAMFILES%\Laertseer
%PROGRAMFILES%\lass\inst
%PROGRAMFILES%\lastpass\bur\tronfiles
%PROGRAMFILES%\Lawer\Xor
%PROGRAMFILES%\lawop
%PROGRAMFILES%\lawops
%PROGRAMFILES%\Marg\Cr
%PROGRAMFILES%\margin\marg
%ProgramFiles%\mroz\new\trunk
%PROGRAMFILES%\Mup\Cr
%PROGRAMFILES%\opur
%PROGRAMFILES%\Opute
%PROGRAMFILES%\Rondom
%PROGRAMFILES%\sccsd
%PROGRAMFILES%\Sir\Air
%PROGRAMFILES%\sir\xd
%PROGRAMFILES%\Tryhd
%PROGRAMFILES%\virtka
%PROGRAMFILES%\xery
%PROGRAMFILES%\youtubedown
%PROGRAMFILES(x86)%\3Dmarkproa
%PROGRAMFILES(x86)%\3DMarkproed
%PROGRAMFILES(x86)%\3DMarkproediot
%PROGRAMFILES(x86)%\3DMarkproedit
%PROGRAMFILES(x86)%\Blubnerg
%PROGRAMFILES(x86)%\cedfs
%PROGRAMFILES(x86)%\chrum\xon\note
%PROGRAMFILES(x86)%\company\3dmarkssdf
%PROGRAMFILES(x86)%\company\64Product
%PROGRAMFILES(x86)%\crights\file\xml
%PROGRAMFILES(x86)%\Cry\Cryp
%PROGRAMFILES(x86)%\cryptoss
%PROGRAMFILES(x86)%\crys\cry
%PROGRAMFILES(x86)%\crysp\cryq
%PROGRAMFILES(x86)%\Davai
%PROGRAMFILES(x86)%\der\supr
%PROGRAMFILES(x86)%\dera\kii
%PROGRAMFILES(x86)%\ferr\seda\sx\bin
%PROGRAMFILES(x86)%\Glary\Utilities\Settings
%PROGRAMFILES(x86)%\hop
%PROGRAMFILES(x86)%\Hyps
%PROGRAMFILES(x86)%\inner\win\bin
%PROGRAMFILES(x86)%\Innovativ\ddd
%PROGRAMFILES(x86)%\Ivp\bin
%ProgramFiles(x86)%\kiss\me
%PROGRAMFILES(x86)%\krontal
%PROGRAMFILES(x86)%\laert
%PROGRAMFILES(x86)%\laerts
%PROGRAMFILES(x86)%\Laertseer
%PROGRAMFILES(x86)%\lass\inst
%PROGRAMFILES(x86)%\lastpass\bur\tronfiles
%PROGRAMFILES(x86)%\Lawer\Xor
%PROGRAMFILES(x86)%\lawop
%PROGRAMFILES(x86)%\lawops
%PROGRAMFILES(x86)%\Marg\Cr
%PROGRAMFILES(x86)%\margin\marg
%ProgramFiles(x86)%\mroz\new\trunk
%PROGRAMFILES(x86)%\Mup\Cr
%PROGRAMFILES(x86)%\opur
%PROGRAMFILES(x86)%\Opute
%PROGRAMFILES(x86)%\Rondom
%PROGRAMFILES(x86)%\sccsd
%PROGRAMFILES(x86)%\Sir\Air
%PROGRAMFILES(x86)%\sir\xd
%PROGRAMFILES(x86)%\Tryhd
%PROGRAMFILES(x86)%\virtka
%PROGRAMFILES(x86)%\xery
%PROGRAMFILES(x86)%\youtubedown
File name without path
34fedwfe.exe
3fwedfe.exe
45rfedwwed.exe
45trgvdcregt.exe
4gtrecwr3t4g.exe
4rfeerwd.exe
54grfecr4bv.exe
5t4fr3dex.exe
5ygt4rfcd.exe
745rgfed.exe
brgrtv3f.exe
btevfrdcs.exe
ewfwe2.exe
ewrewexcf.exe
gtreefcd.exe
hwxfesa.exe
r44r3red.exe
retrvced.exe
rewrtrbvfd.exe
rfhi3f.exe
t4rtecf3rfe.exe
tbvgrfced.exe
tgrfet4tgrf.exe
trvecwx.exe
uyjhbv.exe
ybtvgrfcd.exe
yntbrvecd.exe
Regexp file mask
%programfiles%\fina\dowloadx.exe
%programfiles%\jack\setup.exe
%programfiles%\jack\setx.exe
%programfiles%\love\setup.exe
%programfiles%\new year\setx.exe
%programfiles(x86)%\fina\dowloadx.exe
%programfiles(x86)%\jack\setup.exe
%programfiles(x86)%\jack\setx.exe
%programfiles(x86)%\love\setup.exe
%programfiles(x86)%\new year\setx.exe


Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

2 Comments

  • Michael Brady:

    has anyone been able to decrypt files with the extension .topi, I need to get my files back please

  • Yasin:

    has anyone been able to decrypt files with the extension .topi, I need to get my files back please
