
STOP Ransomware

Posted: February 26, 2018

Threat Metric

Threat Level: 5/10
Infected PCs: 91
First Seen: August 26, 2024
OS(es) Affected: Windows

The STOP Ransomware is a file-locking Trojan that can block your ability to open different media content, ranging from music to pictures to documents. Its attacks also produce symptoms that are visible to the victim, but only after the damage has occurred. This threat is unlikely to be compatible with a free decryption service, and users should let their anti-malware programs delete the STOP Ransomware beforehand whenever that option is available.

The Trojan Telling Your Files to Stop

The end of last year offered up various Trojan campaigns that remain active in some form or another, such as the STOP Ransomware. This threat shows characteristics in line with a Ransomware-as-a-Service model administered by multiple teams of threat actors, even though malware experts have yet to confirm the original prices or authors of the STOP Ransomware. What's certain is that its attack campaign has kept updating itself over the last few months and is trying to block files for money.

The STOP Ransomware's encryption routine converts the work and recreational files of its victims, such as Adobe PDF documents or JPG pictures, into enciphered versions of themselves that require a specialized decryptor. Unfortunately, malware experts classify the STOP Ransomware's file-locking feature as secure, thanks to the combination of the AES and RSA algorithms that it uses. Any files that the STOP Ransomware locks also acquire a '.STOP' extension, which is purely cosmetic.

The second symptom of note in the STOP Ransomware is its ransoming message, which is a Notepad text file that's reminiscent of versions circulating in the Globe Ransomware and Hidden Tear families. The e-mail contacts that the threat actors insert into these instructions differ between variants of the STOP Ransomware but always provide an ID number, a six hundred USD ransom demand, and an offer of decrypting three files as a demonstration of good intent. Any victims considering this option should note that nearly all threat actors specify a non-refundable payment mechanism.

Putting the Brakes on a Digital Stop Sign

While it's a likely candidate for being a variant of the Globe Ransomware, the STOP Ransomware's ancestry is still under analysis by malware researchers, who can only confirm the above aspects of its payload. File-locking Trojans frequently compromise PCs through e-mail-based infection methods. On the other hand, different cybercrooks also may bundle the STOP Ransomware into other downloads, circulate it on file-sharing networks, or configure exploit kits on websites to install it forcibly through drive-by downloads.

AES and RSA encryption is notably difficult to break unless the original data-encrypting program's code contains extraneous mistakes. Malware experts suggest keeping backups, especially on another device, as the ordinary way to block any permanent loss of data. Although Windows does keep default backup data for its system restoration features, threats like the STOP Ransomware usually delete these Shadow Volume Copies and restore points. A competent anti-malware program also may identify and remove the STOP Ransomware without the encryption attack ever happening.

The STOP Ransomware campaign is young but productive and may grow larger over time. PC owners should take note of this possibility and be particularly careful whenever they perform actions associated with file-locking Trojan infections, such as opening a new e-mail attachment.

Update December 7th, 2018 — 'helpshadow@india.com' Ransomware

The 'helpshadow@india.com' Ransomware is a new variant based on the STOP Ransomware codebase. This file-locker has proven to be impossible to decipher, and its authors are the only ones who can help recover the files of the 'helpshadow@india.com' Ransomware's victims. Unfortunately, acquiring their services is not free since they require a significant amount of money in exchange for their decryption service. Needless to say, you should never agree to send money to anonymous cybercrooks because they might use the money to develop more threats. Furthermore, even if you meet all the demands of the 'helpshadow@india.com' Ransomware's authors, you might still end up tricked.

The 'helpshadow@india.com' Ransomware will not just encrypt the files, but it also will take other harmful actions to reduce the victim's chances of getting their files back. This file-locker may disable the Windows System Restore service automatically, and then delete the Shadow Volume Copies that data recovery software might use to try and restore some of the locked files.

The victims of the 'helpshadow@india.com' Ransomware should be able to notice the encrypted files quickly because the file-locker will add the ‘.shadow’ extension to their names. In addition to these changes, the 'helpshadow@india.com' Ransomware also will drop a ransom note, which tells the users what they need to do if they wish to be able to access their files again. The instructions of the attackers are very clear – pay a ransom sum via Bitcoin and then contact 'helpshadow@india.com' or 'helpshadow@firemail.cc' for further information.

If you are a victim of the ‘helpshadow@india.com’ Ransomware, you should run a credible and updated anti-malware tool to help you get rid of the harmful files immediately. Unfortunately, the removal of the file-locker will solve only half of the problem, and you will still need to look into various data restoration methods – like recovering from a backup or using data recovery software.

Update December 13th, 2018 — '.djvu File Extension' Ransomware

The Djvu Ransomware is a file-locker Trojan from the STOP Ransomware family, which takes business and personal data hostage by encrypting it after compromising the PC. Probable sources of infection include spam e-mails, brute-force attacks, and other factors of relevance to server machines, such as open ports. Since there isn't a universal, free decryptor for this family, the victims require backups for recovering their media, although most anti-malware tools should delete the Djvu Ransomware and preempt any encryption.

A Trojan that's Nowhere Near Stopping

Belying its name, the STOP Ransomware is remaining active against the business sector and, presumably, other victims of convenience up into 2019. This small but still-growing family consists of members with both vulnerable and non-vulnerable methods of blocking the user's media, such as the '.PUMA File Extension' Ransomware, the INFOWAIT Ransomware, the KEYPASS Ransomware and the '.CONTACTUS File Extension' Ransomware. The latest variant, the Djvu Ransomware, is not susceptible to the usual decryption strategies, and malware experts can corroborate its distribution to the public at large.

So far, the victims are receiving attacks through unidentified vectors, although threat actors using this family traditionally prefer brute-forcing a server's login credentials or other commonplace tactics, such as spam e-mails. After its installation, the Djvu Ransomware runs AES encryption in CBC mode to block all of the local images, text documents and other media. The Djvu Ransomware also changes the extension – as its name shows – to give these now-locked files a fake, new 'format' tag.

The Djvu Ransomware's ransom note, a Notepad file that the file-locker Trojan deposits on the desktop or in a directory with the captive data, offers a 'half-price' cost for the threat actor's decryption help within three days. Since the Djvu Ransomware's encryption method, like that of most of the newer members of the STOP Ransomware's group, is secured with a secondary RSA key, users have limited possibilities for opening their files again without this help. However, the criminals are just as likely to take the money and run, since their preferred ransoming methods, like Bitcoins or Paysafecard vouchers, also impede the victim's refunding.

How Small-Time Trojans Make It Big

Network administrators should strengthen their passwords and associated login credentials against brute-force attacks, which serve as a significant delivery method for both the STOP Ransomware and the Djvu Ransomware, as well as other families, such as Hidden Tear, the Globe Ransomware and the Scarab Ransomware. In cases of receiving suspicious e-mail messages, malware researchers also emphasize the dangers of corrupted documents, such as Adobe's PDFs or Word's DOCs. Updating the appropriate software, disabling macros, and scanning your files before you open them can provide some additional protection.

Although some members of the cyber-security community provide tentative decryption or unlocking help for the Djvu Ransomware's family, the Djvu Ransomware's encryption is likely to remain secure indefinitely. Users always should save at least one of their backups to another device that's secure from remote access and encryption. While most anti-malware applications should remove the Djvu Ransomware accurately, they can offer no extra help for unlocking or restoring files.

Ironically, the STOP Ransomware is starting strong for the new year, without any slowing of its distribution potential. If the Djvu Ransomware and similar variants stay in action, the family may overtake larger ones, becoming an epidemic that's most threatening to those with the most files to lose.

Update January 14th, 2019 - '.tfude File Extension' Ransomware

Malware researchers have identified the '.tfude File Extension' Ransomware as a slightly modified version of the infamous STOP Ransomware. The latter ransomware family has become rather popular in the past few months, and security researchers have had to handle at least a dozen different variants that use an identical file-encryption routine, but may often end up having a different contact and payment address. This version, in particular, uses the ‘.tfude’ extension to mark the files it locks and then drops the text-file ‘_openme.txt,’ which provides the victim with information about the attack, as well as with instructions on how to recover their data.

Unfortunately, the offer of the '.tfude File Extension' Ransomware’s operators is not an acceptable one – they demand to receive a hefty amount of money in exchange for the decryptor they claim to have. However, they do not provide any proof that they are able to restore the encrypted files, and we would not advise you to trust them blindly. The only useful piece of information that the '.tfude File Extension' Ransomware’s authors supply is the address pdfhelp@firemail.cc that can be used to get in touch with them.

The bad news is that recovering from the '.tfude File Extension' Ransomware's attack without a backup of your files might not be an easy task. This file-locker has proven to be nearly impossible to decrypt, and its victims will not be able to rely on free decryption software. This means that the only free and trustworthy way to get all of the locked files back is to restore their original copies from a recent data backup. Users without a backup of their files might want to look into alternative data recovery software, but they should know that this method might not yield satisfying results. Regardless of the data recovery technique you opt to use, you must remember to remove the '.tfude File Extension' Ransomware with the help of a trustworthy anti-virus application.

Update January 23rd, 2019 — 'pausa@bitmessage.ch' Ransomware

The STOP Ransomware family has been very active in the first month of 2019, and malware researchers have already had to deal with several file-lockers that are based on STOP Ransomware's source code. The latest addition to this list is called the 'pausa@bitmessage.ch' Ransomware, and it has already managed to infect a dozen victims in different countries. File-lockers like this one are exceptionally dangerous because they have the ability to swiftly encrypt various file formats, therefore rendering their contents inaccessible. All files locked by the 'pausa@bitmessage.ch' Ransomware will have the '.PAUSA' extension to their name, therefore making it easier for both the victims and the attackers to recognize the modified files.

Of course, the operators of the 'pausa@bitmessage.ch' Ransomware are after the money of their victims, and this is why the attack will always end with the creation of the ransom message '!!RESTORE!!!.txt.' The contents of the file reveal that the ransom fee is set to $600, and the authors demand to receive the money via a Bitcoin transaction. Another vital piece of information is the addresses that can be used to contact the perpetrators – pausa@bitmessage.ch and pausa@india.com. Last but not least, victims should be able to recognize the locked files by the '.PAUSA' extension added after the original file extension (e.g. 'cv.pdf' would be renamed to 'cv.pdf.PAUSA').

Unfortunately, recovering from the 'pausa@bitmessage.ch' Ransomware's attack is a tricky task, which might not always end well for the victim. Due to the lack of a free decryptor, the best bet of the 'pausa@bitmessage.ch' Ransomware's victims would be to rely on data recovery software, but this might not always prove to be an easy task. Some file recovery tools might achieve partial success, but they are not a guaranteed recovery method, so victims might end up losing some of their files. The only surefire way to achieve a full recovery is to get the original copies of the files from a recent backup.

Update January 23rd, 2019 — 'waiting@bitmessage.ch' Ransomware

The 'waiting@bitmessage.ch' Ransomware is a modified version of the STOP Ransomware, which uses the same file-encryption method as all other members of this ransomware family. The bad news is that the STOP Ransomware is not decryptable, and it would be impossible for its victims to get their files back for free. However, the paid recovery option that the 'waiting@bitmessage.ch' Ransomware's authors offer is also not something you should consider – it would be very easy for the attackers to steal your money without providing you with anything in return.

The file that carries the 'waiting@bitmessage.ch' Ransomware's harmful components might reach users with the help of fraudulent e-mail messages whose design and contents are crafted to look as if they were sent by a legitimate organization, company or institution. If the recipient makes the mistake of running the harmful file on their computer, they may unknowingly set off the 'waiting@bitmessage.ch' Ransomware's attack and allow this file-locker to encrypt the contents of their important files. The 'waiting@bitmessage.ch' Ransomware is meant to lock documents, text files, images, videos, music, archives, and other file formats. Every encrypted file will have its name changed by adding the '.WAITING' extension (e.g. 'document.xlsx' will be renamed to 'document.xlsx.WAITING').

After the file-encryption stage of the attack is complete, the 'waiting@bitmessage.ch' Ransomware may proceed with the last step whose purpose is to supply the victim with file decryption instructions and contact details that can be used to reach the attackers. The full ransom note of the perpetrators is found in '!!!INFO_RESTORE!!!.txt' – the contents of the file reveal that the ransom payment is set to $600 and that the attackers use the addresses waiting@india.com and waiting@bitmessage.ch.

Trusting the attackers' promise to restore your files when they receive the money is not recommended due to the obvious lack of proof that they have the tools required to unlock your files. Even if they prove that the decryption can be completed successfully, it still would not be a surprise if the attackers continued to extort you for money after you send them the first payment. Instead of trying to co-operate with ransomware operators, victims of the 'waiting@bitmessage.ch' Ransomware should immediately use a trustworthy antivirus scanner to eradicate the harmful program.
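The variants above each leave two artifacts a responder can key on: the tag appended after the original file extension ('cv.pdf' becoming 'cv.pdf.PAUSA') and a ransom note with a fixed file name. The following triage script is an added example, not code from the original article or from any vendor; it maps the extensions and note names named on this page to their variant, recovers the original file names for restoring from backup, and runs against a constructed file listing (the listing, the sample user name and the helper names are assumptions).

```python
"""Triage helper for STOP Ransomware variants (added example, not from the article).

Classifies a file listing by the appended extension and ransom-note file names
described in the article, and recovers the original names of locked files.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Appended extensions named in the article, keyed in lower case because the
# variants differ in letter case ('.STOP', '.shadow', '.PAUSA', ...).
STOP_EXTENSIONS: Dict[str, str] = {
    ".stop": "STOP Ransomware",
    ".shadow": "'helpshadow@india.com' Ransomware",
    ".djvu": "Djvu Ransomware",  # collides with the legitimate DjVu format; see triage()
    ".tfude": "'.tfude File Extension' Ransomware",
    ".pausa": "'pausa@bitmessage.ch' Ransomware",
    ".waiting": "'waiting@bitmessage.ch' Ransomware",
}

# Ransom note file names named in the article, keyed in lower case.
RANSOM_NOTES: Dict[str, str] = {
    "_openme.txt": "'.tfude File Extension' Ransomware",
    "!!restore!!!.txt": "'pausa@bitmessage.ch' Ransomware",
    "!!!info_restore!!!.txt": "'waiting@bitmessage.ch' Ransomware",
}


def _basename(path: str) -> str:
    """File name component; accepts Windows or POSIX separators regardless of host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def split_locked_name(path: str) -> Optional[Tuple[str, str]]:
    """Return (original_path, variant) when the file carries a known STOP-family tag.

    The family appends its tag after the original extension, so stripping only the
    last suffix yields the name to look for in backups. Returns None otherwise.
    """
    name = _basename(path)
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:  # no extension, or a bare tag such as '.djvu'
        return None
    variant = STOP_EXTENSIONS.get("." + ext.lower())
    if variant is None:
        return None
    return path[: -(len(ext) + 1)], variant


def classify_note(path: str) -> Optional[str]:
    """Return the variant associated with a ransom-note file name, else None."""
    return RANSOM_NOTES.get(_basename(path).lower())


def triage(paths: List[str]) -> Dict[str, object]:
    """Summarise a listing: variants seen (most frequent first), locked-file count,
    original names to restore, and the notes found. A '.djvu' hit alone is weak
    evidence because legitimate DjVu documents use that extension; the caller
    should require a ransom note or several hits before treating it as confirmed."""
    locked: List[Tuple[str, str]] = []
    notes: List[Tuple[str, str]] = []
    hits: Counter = Counter()
    for p in paths:
        note_variant = classify_note(p)
        if note_variant:
            notes.append((p, note_variant))
            hits[note_variant] += 1
            continue
        hit = split_locked_name(p)
        if hit:
            locked.append((p, hit[0]))
            hits[hit[1]] += 1
    return {
        "variants": [v for v, _ in hits.most_common()],
        "locked_count": len(locked),
        "restore_targets": [orig for _, orig in locked],
        "notes": notes,
    }


# Constructed sample listing (not from a real infection) so the script runs stand-alone.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\cv.pdf.PAUSA",
    r"C:\Users\alice\Documents\budget.xlsx.PAUSA",
    r"C:\Users\alice\Pictures\holiday.jpg.PAUSA",
    r"C:\Users\alice\Documents\!!RESTORE!!!.txt",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```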
