STOP Ransomware

The STOP Ransomware is a file-locking Trojan that can block your ability to open different media content, ranging from music to pictures to documents. Its attacks also include symptoms of visibility to the victim, but only after the occurrence of any damage. This threat is unlikely for having compatibility with a free decryption service, and users should allow their anti-malware programs to delete the STOP Ransomware beforehand whenever that option is available.

The Trojan Telling Your Files to Stop

The end of last year is offering up various Trojan campaigns that remain active in some form or another, such as the STOP Ransomware. This threat shows characteristics in line with basing itself on Ransomware-as-a-Service and being administrated by multiple teams of threat actors, even though malware experts have yet to confirm the original prices or authors of the STOP Ransomware. What's certain is that its attack campaign is updating itself over the last, few months, and is trying to block files for money.

The STOP Ransomware's encryption routine converts the work and recreational files of its victims, such as Adobe PDF documents or JPG pictures, into enciphered versions of themselves that require a specialized decryptor. Unfortunately, malware experts are classifying the STOP Ransomware's file-locking feature as being secure, thanks to the combination of the AES and RSA algorithms that it uses. Any files that the STOP Ransomware locks also acquire '.STOP' extensions for cosmetic purposes purely.

The second symptom of note in the STOP Ransomware is its ransoming message, which is a Notepad text file that's reminiscent of versions circulating in the Globe Ransomware and HiddenTeaar families. The e-mail contacts that the threat actors insert into these instructions differ between variants of the STOP Ransomware but always provide an ID number, a six hundred USD ransom demand, and an offer of decrypting three files as a demonstration of good intent. Any victims considering this option should note that nearly all threat actors specify a non-refundable pay mechanism.

Putting the Brakes on a Digital Stop Sign

While it's a likely candidate for being a variant of the Globe Ransomware, the STOP Ransomware's ancestry is still under the analysis of malware researchers, who only can confirm the above aspects of its payload. File-locking Trojans may compromise PCs through an e-mail-based infection method frequently. On the other hand, different cybercrooks also may bundle the STOP Ransomware into other downloads, circulate it on file-sharing networks, or configure website exploit kits to install it with their drive-by-downloads forcibly.

The AES and RSA encryptions are difficult to decode without any extraneous mistakes in the original data-encrypting program's code notably. Malware experts suggest keeping backups, especially ones on another device, for blocking any permanent loss of data ordinarily. Although Windows does keep default backup data for its system restoration features, threats like the STOP Ransomware usually delete these Shadow Volume Copies and restore points. A competent anti-malware program also may identify and remove the STOP Ransomware without the encryption attack ever happening.

The STOP Ransomware campaign is young, but productive and may grow larger, over time. PC owners should take note of this possibility and be careful particularly, whenever partaking in actions related to file-locking Trojan infections, such as opening a new e-mail attachment.

Update December 7th, 2018 — 'helpshadow@india.com' Ransomware

The 'helpshadow@india.com' Ransomware is a new variant based on the STOP Ransomware codebase. This file-locker has proven to be impossible to decipher, and its authors the only ones who can help recover the files of the 'helpshadow@india.com' Ransomware’s victims. Unfortunately, acquiring their services is not free since they require a significant amount of money in exchange for their decryption service. Needless to say, you should never agree to send money to anonymous cybercrooks because they might use the money to develop more threats. Furthermore, even if you meet all the demands of the 'helpshadow@india.com' Ransomware’s authors, you might still end up tricked.

The 'helpshadow@india.com' Ransomware will not just encrypt the files, but it also will do other harmful actions to reduce the victim’s chances of getting their files back. This file-locker may disable the Windows System Restore service automatically, and then delete the Shadow Volume Copies that a data recovery software might use to try and restore some of the locked files.

The victims of the 'helpshadow@india.com' Ransomware should be able to notice the encrypted files quickly because the file-locker will add the ‘.shadow’ extension to their names. In addition to these changes, the 'helpshadow@india.com' Ransomware also will drop a ransom note, which tells the users what they need to do if they wish to be able to access their files again. The instructions of the attackers are very clear – pay a ransom sum via Bitcoin and then contact 'helpshadow@india.com' or 'helpshadow@firemail.cc' for further information.

If you are a victim of the ‘helpshadow@india.com’ Ransomware, you should run a credible and updated anti-malware tool to help you get rid of the harmful files immediately. Unfortunately, the removal of the file-locker will solve only half of the problem, and you will still need to look into various data restoration methods – like recovering from a backup or using data recovery software.

Update December 13th, 2018 — ‘.djvu File Extension' Ransomware

The Djvu Ransomware is a file-locker Trojan from the STOP Ransomware family, which takes business and personal data hostage by encrypting it after compromising the PC. Probable sources of infection include spam e-mails, brute-force attacks, and other factors of relevance to server machines, such as open ports. Since there isn't a universal, free decryptor for this family, the victims require backups for recovering their media, although most anti-malware tools should delete the Djvu Ransomware and preempt any encryption.

A Trojan that's Nowhere Near Stopping

Belying its name, the STOP Ransomware is remaining active against the business sector and, presumably, other victims of convenience up into 2019. This small but still-growing family consists of members with both vulnerable and non-vulnerable methods of blocking the user's media, such as the '.PUMA File Extension' Ransomware, the INFOWAIT Ransomware, the KEYPASS Ransomware and the '.CONTACTUS File Extension' Ransomware. The latest variant, the Djvu Ransomware, is not susceptible to the usual decryption strategies, and malware experts can corroborate its distribution to the public at large.

The victims are receiving attacks through unidentifiable vectors, so far, although, traditionally, threat actors with this family prefer brute-forcing a server's login credentials or using other, commonplace tactics, such as spam e-mails. After its installation, the Djvu Ransomware runs a CBC mode of AES encryption for blocking all of the local images, text documents and other media. The Djvu Ransomware also uses a change of extension – as its name shows – to give these now-locked files a fake, new 'format' tag.

The Djvu Ransomware's ransom note, a Notepad file that the file-locker Trojan deposits on the desktop or a directory with the captive data, offers a 'half-price' cost for the threat actor's decryption help within three days. Since the Djvu Ransomware's encryption method, like that of most of the newer members of the STOP Ransomware's group, is secured with a secondary RSA key, users have limited possibilities for opening their files again without this help. However, the criminals are just as likely of taking the money and running, since preferred ransoming methods, like Bitcoins or Paysafecard vouchers, also impede the victim's refunding.

How Small-Time Trojans Make It Bi

Network administrators should strengthen their password and associated login credentials against brute-force attacks, which serve as a significant delivery method for both the STOP Ransomware and the Djvu Ransomware, as well as other families, such as Hidden Tear,the Globe Ransomware and the Scarab Ransomware. In cases of receiving suspicious e-mail messages, malware researchers also emphasize the dangers of corrupted documents, such as Adobe's PDFs or Word's DOCs. Updating the appropriate software, disabling macros, and scanning your files before you open them can provide some, additional protection.

Although some members of the cyber-security community provide tentative decryption or unlocking help for the Djvu Ransomware's family, the Djvu Ransomware's encryption is likely of being secure indefinitely. Users always should save at least one of their backups to another device that's secure from remote access and encryption. While most anti-malware applications should remove the Djvu Ransomware accurately, they can offer no extra help for unlocking or restoring files.

Ironically, the STOP Ransomware is starting strong for the new year, without any slowing of its distribution potential. If the Djvu Ransomware and similar variants stay in action, it may overtake larger families, becoming an epidemic that's most threatening to those with the most files to lose.

Update January 14th, 2019 - '.tfude File Extension' Ransomware

Malware researchers have identified the '.tfude File Extension' Ransomware as a slightly modified version of the infamous STOP Ransomware. The latter ransomware family has become rather popular in the past few months, and security researchers have had to handle at least a dozen different variants that use an identical file-encryption routine, but may often end up having a different contact and payment address. This version, in particular, uses the ‘.tfude’ extension to mark the files it locks and then drops the text-file ‘_openme.txt,’ which provides the victim with information about the attack, as well as with instructions on how to recover their data.

Unfortunately, the offer of the '.tfude File Extension' Ransomware’s operators is not an acceptable one – they demand to receive a hefty amount of money in exchange for the decryptor they claim to have. However, they do not provide any proof that they are able to restore the encrypted files, and we would not advise you to trust them blindly. The only useful piece of information that the '.tfude File Extension' Ransomware’s authors supply is the address pdfhelp@firemail.cc that can be used to get in touch with them.

The bad news is that recovering from the '.tfude File Extension' Ransomware’s attack without a backup of your files might not be an easy task. This file-locker has proven to be nearly impossible to decrypt, and its victims will not be able to rely on a free decryption software. This means that the only free and trustworthy way to get all of the locked files back is to restore their original copies from a recent data backup. Users without a backup of their files might want to look into alternative data recovery software, but they should know that this method might not yield satisfying results. Regardless of the data recovery technique you opt to use, you must remember to remove the '.tfude File Extension' Ransomware with the help of a trustworthy anti-virus application.

Update January 23th, 2019 — 'pausa@bitmessage.ch' Ransomware

The STOP Ransomware family has been very active in the first month of 2019, and malware researchers have already had to deal with several file-lockers that are based on STOP Ransomware's source code. The latest addition to this list is called the 'pausa@bitmessage.ch' Ransomware, and it has already managed to infect a dozen victims in different countries. File-lockers like this one are exceptionally dangerous because they have the ability to swiftly encrypt various file formats, therefore rendering their contents inaccessible. All files locked by the 'pausa@bitmessage.ch' Ransomware will have the '.PAUSA' extension to their name, therefore making it easier for both the victims and the attackers to recognize the modified files.

Of course, the operators of the 'pausa@bitmessage.ch' Ransomware are after the money of their victims, and this is why the attack will always end up with the creation of the ransom message ‘!!RESTORE!!!.txt.’ The contents of the file reveal that the ransom fee is set to $600, and the authors demand to receive the money via a Bitcoin transaction. Another vital piece of information are the addresses that can be used to contact the perpetrators – pausa@bitmessage.ch and pausa@india.com. Last but not least, victims should be able to recognize the locked files by the '.PAUSA' extension added after the original file extension (e.g. 'cv.pdf' would be renamed to 'cv.pdf.PAUSA.')

Unfortunately, recovering from the 'pausa@bitmessage.ch' Ransomware's attack is a tricky task, which might not always end well for the victim. Due to the lack of a free decryptor, the best bet of the 'pausa@bitmessage.ch' Ransomware's victims would be to rely on data recovery software, but this might not always prove to be an easy task. Some file recovery tools might achieve partial success, but they are not a guaranteed recovery method, so victims might end losing some of their files. The only surefire way to achieve a full recovery is to get the original copies of the files from a recent backup.

Update January 23th, 2019 — 'waiting@bitmessage.ch' Ransomware

The 'waiting@bitmessage.ch' Ransomware is a modified version of the STOP Ransomware, which uses the same file-encryption method as all other members of this ransomware family. The bad news is that the STOP Ransomware is not decryptable, and it would be impossible for its victims to get their files back for free. However, the paid recovery option that the 'waiting@bitmessage.ch' Ransomware's authors offer is also not something you should consider – it would be very easy for the attackers to steal your money without providing you with anything in return.

The file that brings the 'waiting@bitmessage.ch' Ransomware’s harmful components might reach users with the help of fraudulent email messages whose design and contents are crafted so that they look as if they were sent by a legitimate organization, company or institution. If the recipient makes the mistake to initialize the harmful file on their computer, they may unknowingly set off 'waiting@bitmessage.ch' Ransomware's attack and allow this file-locker to encrypt the contents of their important files. The 'waiting@bitmessage.ch' Ransomware is meant to lock documents, text files, images, videos, music, archives, and other file formats. Every encrypted file will have its name changed by adding the '.WAITING' extension (e.g. 'document.xlsx' will be renamed to 'document.xlsx.WAITING.')

After the file-encryption stage of the attack is complete, the 'waiting@bitmessage.ch' Ransomware may proceed with the last step whose purpose is to supply the victim with file decryption instructions and contact details that can be used to reach the attackers. The full ransom note of the perpetrators is found in '!!!INFO_RESTORE!!!.txt' – the contents of the file reveal that the ransom payment is set to $600 and that the attackers use the addresses waiting@india.com and waiting@bitmessage.ch.

Trusting the attackers' promise to restore your files when they receive the money is not recommended due to the obvious lack of proof that they have the tools required to unlock your files. Even if they prove that the decryption can be completed successfully, it still would not be a surprise if the attackers extort you for money when you send them the first payment. Instead of trying to co-operate with ransomware operators, victims of the 'waiting@bitmessage.ch' Ransomware should immediately use a trustworthy antivirus scanner to eradicate the harmful program.