STOP Ransomware

STOP Ransomware Description

PC security researchers received reports of ransomware attacks involving a threat known as the STOP Ransomware on February 21, 2018. The STOP Ransomware is based on an open source ransomware platform and carries out a typical encryption ransomware attack. The STOP Ransomware is distributed through spam email messages carrying corrupted file attachments. These attachments take the form of DOCX files with embedded macro scripts that download and install the STOP Ransomware onto the victim's computer. Learning to recognize phishing emails and refusing to download unsolicited file attachments is one way to avoid these attacks.
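The delivery described above relies on a Word document that carries a VBA macro. A mail gateway or endpoint script can spot such attachments before a user opens them: an OOXML document is a ZIP package, and a macro-bearing one contains a `vbaProject.bin` part regardless of whether it is named `.docx` or `.docm`. The following is an added example, not code from the original article or from any vendor tool; the sample attachments are constructed in memory (the `vbaProject.bin` content is a placeholder, not a real VBA project) and the quarantine wording is an assumption.

```python
import io
import zipfile

# Locations of the VBA project part inside Word, Excel and PowerPoint packages.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory, optionally carrying a VBA part.

    Constructed sample only: a real vbaProject.bin is an OLE compound file; here a
    few marker bytes stand in for it because the check only tests for presence.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def attachment_has_macros(data: bytes) -> bool:
    """Return True if an OOXML attachment contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML package; other checks would handle it
    return any(part in names for part in MACRO_PARTS)


def triage_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns a list of (filename, verdict).

    A .docx that embeds a VBA project is flagged on content, not on its name,
    which is exactly the case the article describes.
    """
    results = []
    for name, data in attachments:
        if attachment_has_macros(data):
            verdict = "quarantine: VBA project present"
        elif name.lower().endswith((".docm", ".xlsm", ".pptm")):
            verdict = "quarantine: macro-enabled extension"
        else:
            verdict = "allow"
        results.append((name, verdict))
    return results


if __name__ == "__main__":
    for name, verdict in triage_attachments(
        [("invoice.docx", build_docx(True)), ("memo.docx", build_docx(False))]
    ):
        print(f"{name}: {verdict}")
```

The content check matters more than the extension check: Office opens a macro-bearing package saved under a `.docx` name only after the user enables content, but a policy that blocks on `.docm` alone never sees it.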

How to Recognize a STOP Ransomware Infection

Once the STOP Ransomware is installed on the victim's computer, it searches the victim's drives for a wide variety of file types, generally looking for user-generated files such as images, media files, and numerous document types. The STOP Ransomware also seems to be engineered to target Web servers, since it explicitly looks for database files and other file types usually found on such machines. The file types that the STOP Ransomware searches for and targets in its attack include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

The STOP Ransomware uses a strong encryption algorithm to make each of the victim's files inaccessible. The STOP Ransomware attack will add the file extension '.SUSPENDED' to the files it enciphers, as a way to mark the affected files.

The STOP Ransomware's Ransom Note

The STOP Ransomware demands a ransom payment by delivering a ransom note to the victim's computer. This ransom note is displayed in a text file dropped onto the victim's desktop. The file, named '!!! YourDataRestore !!!.txt,' contains the message:

'All your important files were encrypted on this PC.
All files with .STOP extension are encrypted. Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email stopfilesrestore@bitmessage.ch send us an email your !!!YourDataRestore!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
[RANDOM CHARCTERS]
E-mail address to contact us:
stopfilesrestoret@bitmessage.ch
Reserve email address to contact us:
stopfilesrestore@india.com'

The people responsible for the STOP Ransomware demand a ransom payment of 600 USD, to be paid in Bitcoin to a specific wallet address within 72 hours. However, contacting these people or paying the STOP Ransomware ransom is not a good solution.

Protecting Your Data from the STOP Ransomware and Other Ransomware Trojans

The best protection against the STOP Ransomware and other ransomware Trojans is to keep file backups. Computer users who have backup copies of their files can recover them easily after an attack without resorting to paying the ransom. A reputable security program can also prevent the STOP Ransomware from being installed in the first place.

Update December 6th, 2018 — 'helpshadow@india.com' Ransomware

The 'helpshadow@india.com' Ransomware is categorized as a comparatively small update to the code carried under the STOP Ransomware brand. The threat authors do not seem to have spent much time polishing the new variant, since it scored a low infection ratio. The 'helpshadow@india.com' Ransomware was picked up by AV vendors quickly, and alerts have been issued through major social platforms and cybersecurity reports. Unfortunately, free decryption is not possible yet. Users are typically compromised through a corrupted document received by email. The threat is known to erase the Shadow Volume snapshots created by Windows and to attach the '.shadow' extension to the enciphered objects. For example, 'C12-H22-O11.pptx' is renamed to 'C12-H22-O11.pptx.shadow' and a ransom note called '!readme.txt' appears on the desktop. The 'helpshadow@india.com' Ransomware is likely to show the following message to the infected users:

'ALL YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
helpshadow@india.com
Reserve e-mail address to contact us:
helpshadow@firemail.cc
Your personal ID:
[random characters]'

The text shown above is used by variants released earlier than the 'helpshadow@india.com' Ransomware, and the only alteration worth noting is the new email configuration. The 'helpshadow@india.com' Ransomware is named after one of the email contacts, and the other one refers users to the same username on a different email platform — 'helpshadow@firemail.cc.' Both email accounts are likely to be terminated by the time this article reaches you. The chances of catching whoever is behind the 'helpshadow@india.com' Ransomware are not great, considering that the ransomware operators use proxies, VPN services, and the TOR Network to hide their control devices. Hence, users need to be proactive in defending their data. Step number one — install a backup program on your system; step number two — don't open files from unknown senders. Remember to export your data backups to removable storage or a file hosting service.

Update December 13th, 2018 — '.djvu File Extension' Ransomware

The '.djvu File Extension' Ransomware is a new variant of the STOP Ransomware that was reported on December 12th, 2018. Computer security researchers categorize the '.djvu File Extension' Ransomware as a small update to the previous releases of the STOP Ransomware and warn that the threat is still distributed primarily via spam emails. The threat actors have been using macro-enabled documents and fake PDFs to trick users into installing their program silently. The attacks with the '.djvu File Extension' Ransomware are almost the same as the first wave of infections in February 2018. The threat deletes the Shadow Volume snapshots and also targets mapped and connected drives before it encrypts the user's data. The new variant uses a different file extension, and the ransom note is altered slightly. As the name indicates, the files receive the '.djvu' suffix, and something like 'Jonne-Kaiho.mp3' is renamed to 'Jonne-Kaiho.mp3.djvu.' The ransom note can be seen on the desktop as '_openme.txt' and reads:

'ALL YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
helpshadow@india.com

Reserve e-mail address to contact us:
helpshadow@firemail.cc

Your personal ID:
[random characters]'

The threat authors continue to use the 'helpshadow@india.com' and the 'helpshadow@firemail.cc' email accounts for their ransomware campaign. Do not trust the STOP Ransomware team and avoid using the fake 50% discount mentioned above. The threat actors discussed here are not known for their leniency. PC users should remove the '.djvu File Extension' Ransomware using a trusted anti-malware instrument. It is best to use backup images and backup services to recover your data.

Update January 11th, 2019 — '.tfude File Extension' Ransomware

The '.tfude File Extension' Ransomware is a version of the STOP Ransomware that came out on January 11th, 2019. The threat is classified as a version that exhibits minimal modifications compared to the original cyber-threat. The '.tfude File Extension' Ransomware is named after the only notable change in its corrupted code. The Trojan is configured to attach the '.tfude' file extension to encrypted data. The '.tfude File Extension' Ransomware continues to use standard encryption technologies and secure connections to the Command servers that prevent security specialists from offering free decryption to compromised users.

The crypto-threat at hand uses encryption technologies that government agencies and companies like Google Inc. employ to secure data transmissions. The encrypted files are displayed in Windows Explorer as generic white icons, and the programs the user has installed remain functional. However, certain database managers may not work properly, since the threat encodes popular database formats. For example, 'Recent sales.pdb' is renamed to 'Recent sales.pdb.tfude.' The ransom note is loaded in Notepad from the file '_openme.txt,' which can be found on the desktop. The '.tfude File Extension' Ransomware offers the same message as the original Trojan, but this time the threat actors are using the 'pdfhelp@firemail.cc' email account to reach out to users. There is no free decryptor available, and you will need to use data backups to recover. You will need to clean the infected devices by running a complete system scan with a reputable anti-malware instrument.

Update January 23rd, 2019 — 'pausa@bitmessage.ch' Ransomware

The 'pausa@bitmessage.ch' Ransomware is a file encoder malware produced with the STOP Ransomware Builder. The 'pausa@bitmessage.ch' Ransomware was released to PC users via spam emails in the first week of May 2018. The 'pausa@bitmessage.ch' Ransomware is perceived as a generic encryption Trojan that overwrites data on infected computers and deletes volume snapshots to obstruct recovery. The 'pausa@bitmessage.ch' Ransomware is known to use the same encryption technologies as other successful ransomware such as Cerber and Dharma, to name a few. The 'pausa@bitmessage.ch' Ransomware is programmed to run from the Temp folder under the AppData directory and to apply a secure AES-256 cipher to documents, video, music, databases, and ebooks. Encoded data receives the '.PAUSA' extension, and something like 'Hartmann-Save me.mp3' is renamed 'Hartmann-Save me.mp3.pausa.' The ransom notification is saved as '!!RESTORE!!!.txt' to the user's desktop and reads:

'All your important files were encrypted on this PC.
All files with .PAUSA extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email pausa@bitmessage.ch send us an email your !!!RESTORE!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
[random characters]
E-mail address to contact us:
pausa@bitmessage.ch
Reserve e-mail address to contact us:
pausa@india.com'

We recommend you avoid negotiations with the threat actors via the 'pausa@bitmessage.ch' and the 'pausa@india.com' email accounts. It is safer to restore your data from backups and clean your system with the help of a reputable anti-malware tool. Even if you pay the absurd ransom of $600, there is no guarantee you will receive a decryptor. PC users are encouraged to make data backups at least twice a month and to ignore spam messages that may lead to a security compromise. AV companies support detection rules for the 'pausa@bitmessage.ch' Ransomware, but there is no free decryptor available at the time of writing.

Update January 23rd, 2019 — 'waiting@bitmessage.ch' Ransomware

The 'waiting@bitmessage.ch' Ransomware is an encryption Trojan that is based on the STOP Ransomware. The 'waiting@bitmessage.ch' Ransomware was reported by compromised users on April 18th, 2018, and it appears to invade computers via corrupted Microsoft Word documents. The 'waiting@bitmessage.ch' Ransomware is recorded to encrypt photos, audio, video, and text on the infected computers. Unfortunately, the malware authors added a command to delete the volume snapshots Windows makes to protect your data. The Trojan overwrites targeted data with files that carry the '.WAITING' extension and can't be opened with software on your system. For example, 'Hartmann-Like a River.mp3' is renamed to 'Hartmann-Like a River.mp3.waiting,' and a ransom message is dropped on your desktop. The 'waiting@bitmessage.ch' Ransomware writes '!!!INFO_RESTORE!!!.txt' to the desktop and shows the following text:

'All your important files were encrypted on this PC.
All files with .WAITING extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email waiting@bitmessage.ch send us an email your !!!INFO_RESTORE!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
[random characters]
E-mail address to contact us:
waiting@bitmessage.ch
Reserve email address to contact us:
waiting@india.com'

The malware does not interfere with third-party backup tools, and you should be able to restore your data from backups. It is recommended to avoid interaction with the threat actors via the 'waiting@bitmessage.ch' and the 'waiting@india.com' email addresses. You may be interested in exploring file hosting services if you wish to protect your data backups against network-transmitted cyber threats and most ransomware variants like the 'waiting@bitmessage.ch' Ransomware.
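Every STOP variant described in these updates deletes the Windows Volume Shadow snapshots before encrypting, and the 'pausa@bitmessage.ch' write-up notes that the payload runs from the Temp folder under AppData. Those two facts together make a useful detection rule for endpoint telemetry. The following is an added example, not code from the original article or from any vendor product; the log lines are constructed in a simple tab-separated layout rather than a real Sysmon or Windows Security export, and the assumption that snapshots are removed with `vssadmin delete shadows` or `wmic shadowcopy delete` (the usual built-in methods) is mine, since the article only says that they are erased.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample of process-creation events:
# timestamp <TAB> parent image <TAB> image <TAB> command line
SAMPLE_LOG = (
    "2018-12-12T09:58:10Z\tC:\\Windows\\System32\\services.exe\t"
    "C:\\Windows\\System32\\vssadmin.exe\tvssadmin list shadows\n"
    "2018-12-12T10:12:51Z\tC:\\Users\\user\\AppData\\Local\\Temp\\setup.exe\t"
    "C:\\Windows\\System32\\cmd.exe\tcmd.exe /c vssadmin delete shadows /all /quiet\n"
    "2018-12-12T10:12:52Z\tC:\\Users\\user\\AppData\\Local\\Temp\\setup.exe\t"
    "C:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete\n"
    "2018-12-12T10:14:03Z\tC:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\notepad.exe\tnotepad.exe _openme.txt\n"
)

# Assumed deletion commands (the article states only that snapshots are erased).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]
# Parent process living in the user's Temp folder, as the article notes for STOP.
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse the constructed tab-separated layout into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmd = line.split("\t", 3)
        events.append(ProcessEvent(ts, parent, image, cmd))
    return events


def detect_shadow_deletion(events: List[ProcessEvent]) -> List[dict]:
    """Return one alert per event whose command line deletes shadow copies.

    Listing shadows ('vssadmin list shadows') is benign and is not flagged.
    An alert is escalated when the parent runs from the user's Temp folder.
    """
    alerts = []
    for ev in events:
        if not any(p.search(ev.command_line) for p in SHADOW_DELETE_PATTERNS):
            continue
        from_temp = bool(USER_TEMP.search(ev.parent_image))
        alerts.append({
            "timestamp": ev.timestamp,
            "parent_image": ev.parent_image,
            "command_line": ev.command_line,
            "severity": "critical" if from_temp else "high",
        })
    return alerts


def run_sample() -> List[dict]:
    return detect_shadow_deletion(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"], alert["timestamp"], alert["command_line"])
```

Shadow-copy deletion by an administrator is rare enough that the "high" alert alone is worth a look; the parent-path escalation is what separates a backup job from a freshly dropped payload, and on a real host the same rule should also fire on any process that deletes snapshots shortly before a burst of file renames.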

STOP Ransomware in 2019 and Beyond

Later in 2019, the STOP ransomware was still being used, and new attack vectors were being tested. The STOP ransomware started appearing in bundles containing other forms of malware, primarily adware, that can be found on websites claiming to host cracked executables for games and software. This way, many of the ransomware's new victims turned out to be hopeful software pirates who got more than they bargained for.

There has also been evidence that the STOP ransomware is installing password-stealer Trojans that are able to scrape various login credentials.

The ransomware also expanded the long list of file extensions it appends to encrypted files. Files encrypted by the STOP ransomware now receive the .rumba and .tro extensions. Thus far, little else has changed: the ransom note is still found in a file named "_openme.txt", but the ransom sum was bumped up to $980, with a reduction to $490 if the victim pays within the first 72 hours following infection.
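Across the variants covered on this page the family is recognisable by what it leaves on disk: a marker extension appended after the original one ('.SUSPENDED', '.shadow', '.djvu', '.tfude', '.pausa', '.waiting', '.rumba', '.tro') and a ransom note with one of a handful of names on the desktop. The following is an added example, not code from the original article or from any vendor tool, of a triage script that walks a directory tree and classifies files using exactly those markers. The sample victim tree is constructed in a temporary directory from the renamings quoted above; the subset of targeted extensions used for the inner-extension check is my own choice, as is the handling of the '.djvu' collision with the genuine DjVu document format.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Marker extensions and note file names attributed to STOP variants on this page
# (compared case-insensitively; both note spellings given on the page are kept).
STOP_MARKER_EXTENSIONS = {".suspended", ".stop", ".shadow", ".djvu",
                          ".tfude", ".pausa", ".waiting", ".rumba", ".tro"}
STOP_NOTE_NAMES = {"!!! yourdatarestore !!!.txt", "!!!yourdatarestore!!!.txt",
                   "!readme.txt", "_openme.txt", "!!restore!!!.txt",
                   "!!!restore!!!.txt", "!!!info_restore!!!.txt"}
# Subset of the targeted types listed earlier; enough to show the inner-extension check.
TARGETED_EXTENSIONS = {".docx", ".pptx", ".mp3", ".pdb", ".jpg", ".xlsx", ".sql", ".db"}


def classify(path: Path):
    """Return (verdict, detail) for one file.

    'note'      - a ransom note name known from this page
    'encrypted' - <name>.<targeted extension>.<STOP marker>
    'ambiguous' - STOP marker with no recognisable inner extension; a genuine
                  DjVu scan called 'book.djvu' lands here instead of being
                  counted as encrypted
    'clean'     - anything else
    """
    name = path.name.lower()
    if name in STOP_NOTE_NAMES:
        return "note", name
    suffixes = path.suffixes  # e.g. ['.pptx', '.shadow']
    if suffixes and suffixes[-1].lower() in STOP_MARKER_EXTENSIONS:
        marker = suffixes[-1].lower()
        inner = suffixes[-2].lower() if len(suffixes) >= 2 else ""
        return ("encrypted" if inner in TARGETED_EXTENSIONS else "ambiguous"), marker
    return "clean", ""


def scan_tree(root) -> dict:
    """Walk root and summarise verdicts, markers seen and ransom note locations."""
    counts, markers, notes = Counter(), Counter(), []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            verdict, detail = classify(Path(dirpath) / fn)
            counts[verdict] += 1
            if verdict == "encrypted":
                markers[detail] += 1
            elif verdict == "note":
                notes.append(os.path.join(dirpath, fn))
    return {"counts": dict(counts), "markers": dict(markers), "notes": sorted(notes)}


def build_sample_tree(root) -> None:
    """Constructed sample victim directory using the renamings quoted on this page."""
    samples = [
        "Documents/C12-H22-O11.pptx.shadow",
        "Music/Jonne-Kaiho.mp3.djvu",
        "Work/Recent sales.pdb.tfude",
        "Music/Hartmann-Save me.mp3.pausa",
        "Music/Hartmann-Like a River.mp3.waiting",
        "Desktop/_openme.txt",
        "Desktop/!readme.txt",
        "Scans/old-book.djvu",   # genuine DjVu document, not an encrypted file
        "Documents/notes.txt",   # untouched file
    ]
    for rel in samples:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")


def demo() -> dict:
    """Build the sample tree in a temporary directory and return the scan report."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_tree(d)


if __name__ == "__main__":
    report = demo()
    print(report["counts"])
    print(report["markers"])
    for note in report["notes"]:
        print("ransom note:", note)
```

Point `scan_tree` at a mounted image of the affected volume rather than running it on the live host, and treat the `markers` breakdown as the quickest way to tell which variant you are dealing with when choosing a restore point.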
