Users are afraid to talk about the “STOP” — one of the most active ransomwares of this year

The Bleeping Computer publication drew attention to the STOP ransomware, which according to the ID Ransomware service, created by the famous information security expert Michael Gillespie, is one of the most active threats this year, along with Ryuk, GandCrab and Sodinkibi.

The prevalence of STOP is also confirmed by the extremely active forum Bleeping Computer, where victims seek help. However, they almost never talk or write about this encryptor. The fact is that this malware attacks mainly fans of pirated content and visitors of suspicious sites.

“In order to distribute STOP, the ransomware developers have teamed up with shady sites and adware bundles. These sites promote fake software cracks or free programs, which are really adware bundles that install a variety of unwanted software and malware onto a user’s computer”, — reports Michael Gillespie.

Ransomware ID is reported to receive approximately 2,500 ransomware attacks per day. About 60-70% of them are messages about STOP ransomware attacks, which leaves other ransomware far behind.

For distribution of STOP mainly used advertising bundles and suspicious sites. These resources are advertised by fake cracks and activators (for example, for KMSPico, Cubase, Photoshop or antiviruses) and free software, which is actually bundles of advertising that install various unwanted programs and malware on users’ machines. One such malware is STOP. Also in such bundles, for example, the Azorult Trojan is found.

Gillespie and Bleeping Computer experts note that the encryptor itself operates according to the classical scheme: it encrypts files, adds a new extension to them and places a ransom note on the infected machine (the malware requires $490, but the amount doubles in 72 hours to $980). However, to date, there are more than 159 STOP options that are known to researchers, and such a variety significantly complicates the situation.

Therefore, Gillespie made some progress in helping crypto victims recover files, and created the STOPDecryptor tool, which includes offline decryption keys used by the ransomware when it cannot contact the management server. The specialist also managed to help a number of users whose machines were encrypted using unique keys.

However, helping victims turned out to be a difficult task: sometimes ransomware authors released 3-4 versions a day, and thousands of people needed help at the same time. In addition, as a result, STOP encryption has changed, and Gillespie can no longer offer assistance to all victims.

Read also: Nemty ransomware developers continue to improve their malware

As a result, the help thread on the Bleeping Computer forum already has over 500 pages, and desperate users regularly ask Gillespie for help on social networks. Almost any tweet from the security researchers instantly received avalanche of pleas for help in decrypting files after a STOP attack.

Though some may say that victims created these problems themselves because they downloaded cracks, it is important to remember that we never want to let the ransomware developers generate ransom payments, as it only leads to more ransomware being created.