- The malware is widely used to target both consumers and enterprises.
- The ransomware is primarily distributed through crack sites bundled with adware installers.
The infamous STOP ransomware, along with its variants, has been spotted in the wild recently. Although it has only lately drawn attention, the ransomware has been making a continuous impact in cyberspace. The malware is widely used to target both consumers and enterprises.
Propagation method and operation
The ransomware is primarily distributed through crack sites bundled with adware installers. This adware is commonly found on websites hosting warez and software licensing cracks.
Once installed, STOP quickly encrypts all of the user’s documents and appends extensions such as .djvu, .tro or .rumba to them. Once renamed, these files become completely inaccessible.
In addition to encrypting the files, the malware also creates a text file (called _openme.txt) in each affected folder, explaining how to unlock them. The note asks the victim for a ransom of up to $980 to unlock the files. If the user pays within 72 hours of infection, the cost is reduced to $490.
The text file also contains the contact details of the hackers whom the user has to contact. The hackers claim to give the decryption key in exchange for the ransom amount.
Rumba is the latest variant of the STOP ransomware. It is distributed in the same manner as the original malware, using adware bundles and software cracks.
Once installed, the ransomware encrypts the files on the targeted system and appends the .rumba extension to them. It also leaves behind a note named _openme.txt in each folder that has been encrypted.
Djvu is another variant of STOP ransomware that keeps changing the file extensions it appends to encrypted data. It appends extensions such as .djvus, .tfude and .adobe to the encrypted files. After infection, the ransomware heavily modifies Windows settings and locks files by appending an extension to them. It then drops a ransom note explaining to the victim how to contact the cybercriminals. The note also includes the details of the payment process. The ransomware uses the RSA encryption algorithm for encrypting files.
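The extensions and the _openme.txt note described above can be used as file-system indicators during triage. The following Python sketch is an added example, not code from the original article: it walks a directory tree and rates each folder by whether the ransom note and renamed files appear together. The function names, the confidence labels and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the article text above.
STOP_EXTENSIONS = {".djvu", ".tro", ".rumba", ".djvus", ".tfude", ".adobe"}
RANSOM_NOTE = "_openme.txt"


def scan_tree(root):
    """Walk root and return {folder: {"note": bool, "files": [names]}} for
    every folder holding a ransom note or a file with a listed extension."""
    hits = defaultdict(lambda: {"note": False, "files": []})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == RANSOM_NOTE:
                hits[folder]["note"] = True
            elif os.path.splitext(name)[1].lower() in STOP_EXTENSIONS:
                hits[folder]["files"].append(name)
    return dict(hits)


def classify(entry):
    """Assumed rating: note plus renamed files is the strongest signal;
    an extension on its own is weaker evidence, so it is rated lowest."""
    if entry["note"] and entry["files"]:
        return "high"
    return "medium" if entry["note"] else "low"


def build_sample(root):
    """Constructed sample tree: one affected folder, one clean, one ambiguous."""
    layout = {
        "docs": ["report.docx.rumba", "budget.xlsx.djvu", "_openme.txt"],
        "clean": ["notes.txt", "photo.jpg"],
        "design": ["logo.adobe"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, entry in sorted(scan_tree(tmp).items()):
            print(classify(entry), folder, sorted(entry["files"]))
```

Because the Djvu variant keeps changing its extensions, the extension set needs updating over time; the note file name is the indicator the article reports for both STOP and Rumba.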
Preventing STOP ransomware
Install anti-malware protection to block STOP and other ransomware. Avoid using warez and crack websites to download software, as hackers use these websites to inject the malware. Always take regular backups of your files. This helps you restore your computers in case of data loss.