The STOP ransomware variants Djvu and Tro were heavily distributed last month using adware installers. A new variant, 'Rumba', has been spotted in the latest campaign, distributed via adware bundles and software cracks.
In Rumba, the malware authors continue to use the same approach as in the Djvu variant. The only difference in this version is that the ransomware appends the .rumba extension to a file's name after it is encrypted.
Adware bundles and software cracks
The sites that distribute software cracks usually make use of adware bundles in order to generate revenue. These adware bundles primarily install adware, extensions, clickers, and miners. However, one adware bundler has started installing the STOP ransomware variants as well.
Once the ransomware is installed, it encrypts files and appends the .rumba extension to them. In each folder in which a file is encrypted, the ransomware creates a ransom note named 'openme.txt' that contains instructions on how to contact the attacker for payment instructions.
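As an added example (not part of the original report), the two host-side indicators described above, the .rumba extension and a per-folder openme.txt note, can be turned into a simple triage check over a file listing; the sample paths are constructed and the "infected" threshold (note plus encrypted files in the same folder) is an assumption of this example.

```python
import os
from collections import defaultdict
from typing import Dict, Iterable

# Indicators reported for the Rumba variant: encrypted files carry a ".rumba"
# extension and each affected folder receives a ransom note named "openme.txt".
ENCRYPTED_EXT = ".rumba"
RANSOM_NOTE = "openme.txt"


def _split(path: str):
    """Split a Windows or POSIX path into (directory, filename), using '/'."""
    head, _, tail = path.replace("\\", "/").rpartition("/")
    return head, tail


def find_rumba_indicators(paths: Iterable[str]) -> Dict[str, dict]:
    """Group .rumba files and openme.txt notes by directory.

    Only directories showing at least one indicator are returned, with the
    count of encrypted files and whether the ransom note is present.
    """
    hits = defaultdict(lambda: {"encrypted": 0, "note": False})
    for path in paths:
        directory, name = _split(path)
        lower = name.lower()
        if lower.endswith(ENCRYPTED_EXT):
            hits[directory]["encrypted"] += 1
        elif lower == RANSOM_NOTE:
            hits[directory]["note"] = True
    return dict(hits)


def likely_infected(report: Dict[str, dict]) -> bool:
    """Assumed threshold: a folder with both the note and encrypted files."""
    return any(d["note"] and d["encrypted"] > 0 for d in report.values())


def scan_directory(root: str) -> Dict[str, dict]:
    """Walk a real tree (e.g. a mounted evidence image) and apply the check."""
    return find_rumba_indicators(
        os.path.join(d, f) for d, _, files in os.walk(root) for f in files
    )


# Constructed sample listing standing in for a directory walk (not real data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.rumba",
    r"C:\Users\alice\Documents\budget.xlsx.rumba",
    r"C:\Users\alice\Documents\openme.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
]
```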
Some of the software cracks that install this ransomware include Windows activation cracks such as KMSPico, as well as cracks for Cubase, Photoshop, antivirus software, and other popular software.
However, BleepingComputer stated that it is possible to recover the encrypted files for free using Michael Gillespie's decryptor.