STOP-roland Ransomware

The STOP-roland Ransomware is a modified version of the STOP Djvu Ransomware. Analysis proved that the STOP-roland Ransomware is a slightly altered copy of the STOP Djvu Ransomware, which is itself based on the STOP Ransomware. The new version appeared on April 2nd, 2019. Computer security researchers reported that the only major change in the STOP-roland Ransomware compared to earlier versions is that the Trojan appends the '.roland' extension to the filenames. For example, 'Ubatuba municipality.docx' is renamed to 'Ubatuba municipality.docx.roland' and a ransom note titled '_openme.txt' is dropped to the user's screen.

The attack pattern remains the same — PC users receive spam messages that claim to come from reputable Internet service and are directed to open an attached file. As you may guess, the file is a downloader agent that downloads the Trojan and executes the program with elevated privileges. Researchers add that the STOP-roland Ransomware may use PowerShell commands to disable the Windows Defender tool and related security features on Windows. The threat actors behind the STOP-roland Ransomware might use filenames like 'updatewin.exe' to disable the user's protection and then load files like 'DD98.TMP.EXE' to handle the encryption process. The STOP-roland Ransomware is observed to overwrite targeted resources like photos, documents, eBook libraries, databases, audio and video records, as well as purge the Shadow Volume snapshots produced by this Window’s service. Using OneDrive on Windows 10 to protect your files might be a good idea, but you should make sure you sync the folders manually as you may lose those copies too. The ransom note is presented as '_openme.txt' and may suggest users contact an account @firemail.cc and @india.com fast before the requested ransom is increased by 50%.

It is a common practice among ransomware actors to threaten users with increased ransom if they don't pay up soon. However, we recommend users remain stoic and seek help from a computer technician or, depending on your knowledge of Windows, attempt data recovery using disk images and other forms of data backup. Paying money to the threat actors is not guaranteed to secure you a decryptor. Taking proactive measures will make you invulnerable to the STOP-roland Ransomware and similar Trojans. Remember to back up your data weekly and follow safe Internet guidelines.

Detection names for the STOP-roland Ransomware:

Generic.mg.f7a33a24a3260120
Ransom.Win32.STOP.THDOCAI
Trojan ( 0054afc31 )
Trojan-PSW.Win32.Coins.qzv
Trojan.Generic.D274359A
Trojan.GenericKD.41170330
Trojan.Ransom.Stop
W32/Kryptik.GROD!tr
Win32.Packed.Kryptik.W50RU8
Win32.Trojan-qqpass.Qqrob.Eeqt
malicious.4a3260