+30 2106897383 info@tictaclabs.com

When STOP is DeJa VU!

What is STOP ransomware?

STOP is the most widespread ransomware family since Dharma. It was first identified by malware researcher Michael Gillespie, and its first appearance dates to December 2017. Although the exact number of STOP victims is unclear, some 116,000 infections have been reported. Most victims are in Europe, Asia, South America and Africa; far fewer are in the US, and none at all in Russia.

The typical ransom demand for STOP is between $300 and $600. The attackers accept payment in Bitcoin or via PayPal, with an extra 10% charge, and the amount doubles if the victim pays after 72 hours. In practice the figure varies, because STOP is operated by many different individuals and groups.

Initially, the creators of STOP/Djvu concentrated on continually changing payloads and extensions. The early variants used symmetric encryption, which the authors evidently judged sufficient to collect ransoms in most cases; the free decryptors that followed pushed them to asymmetric encryption, so that decrypting new variants would be considerably harder. Distribution through cracked software also proved to be an effective infection vector for this ransomware.

STOP Profile

Appearances by name: STOP Virus / STOP Ransomware / STOP Djvu
Level of danger: Very high. Advanced ransomware that makes system changes and encrypts files
Threat type: Ransomware, crypto virus, file locker
Symptoms:
  • Can't open files
  • Previously functional files now have a different extension
  • A ransom-demanding message is displayed on your desktop
Distribution methods:
  • Infected email attachments
  • Torrent websites
  • Malicious ads
Damage: All files are encrypted and cannot be opened without paying a ransom
OS affected: Microsoft Windows
Release date: December 2017
File extensions (duplicates removed): .coharos, .shariz, .gero, .hese, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .hets, .msop, .stop, .SUSPENDED, .WAITING, .DATASTOP, .PAUSA
Ransom note file names: !!RestoreProcess!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!SAVE_FILES_INFO!!!.txt, !readme.txt, !!!DECRYPTION__KEYPASS__INFO!!!.txt, _openme.txt, _open_.txt, !!!YourDataRestore!!!.txt
Contact email addresses frequently seen in the notes: decryption@bitmessage.ch, gorentos@bitmessage.ch, gorentoshelp@firemail.cc, helpshadow@firemail.cc, helpshadow@india.com, pausa@bitmessage.ch, waiting@bitmessage.ch, gorentos2@firewall.cc, restoredjvu@firemail.cc, pdfhelp@india.com, salesrestoresoftware@firemail.cc, salesrestoresoftware@gmail.com, restorefiles@firemail.cc, datarestorehelp@firemail.cc, datahelp@iran.ir, stopfilesrestore@bitmessage.ch, topfilesrestore@india.com, suspendedfiles@bitmessage.ch, suspendedfiles@india.com, keypassdecrypt@india.com

How does the ransom note appear?

The ransom note is a plain text file. The attacker states that all important files on the computer have been encrypted and renamed with a new extension, and that encryption was performed with a unique RSA-1024 private key generated for this particular computer. To decrypt the files, the victim must obtain the matching decryption software together with the key. The note then instructs the victim to contact an e-mail address and to send one to three encrypted files as samples, so that the attacker can demonstrate that decryption is possible.

STOP is similar to Dangerous, GenoCheats, File-Locker and dozens of other ransomware families in that all of them encrypt data and demand a ransom. The differences lie in the size of the ransom and in the encryption scheme the attackers use.

STOP Variants

Djvu is one of the most widespread variants of the STOP ransomware family for 2019/2020, with more than half a million victims worldwide. It was distributed mainly through key generators, cracked software and activation tools such as KMSPico: the malicious payload was hidden inside these popular but illegal files used to activate pirated software.

Kolz is a strain within the STOP/Djvu family. The family has been active since at least December 2017, when the first variant was detected, and as of September 2020 at least 160 Djvu variants have been released.

Although, as mentioned above, the confirmed victims number 116,000, estimates put the real figure at 460,000; in fact, more than half of the ransomware attacks reported worldwide involve some form of Djvu. Executables from the STOP/Djvu family use RSA-1024, an asymmetric encryption algorithm that produces a public/private key pair for each victim: the public key is used for encryption and the private key is needed for decryption. Kolz works the same way.

How do I know that I have been infected by STOP ransomware?

There are various indications that you are infected with STOP Ransomware:

  • Your desktop wallpaper has changed or disappeared
  • CPU usage is high or at 100% even when you are not using the computer
  • Disk activity is also high even when no files are being accessed
  • The overall performance of the computer is reduced
  • Your antivirus software does not appear to be active or will not start

How does STOP act?

STOP encrypts files and appends one of more than 20 different extensions to them. During encryption, almost every file on the computer is affected.

Specifically, STOP ransomware silently infiltrates a system and encrypts stored data using RSA-1024, an asymmetric algorithm that creates a public and private key pair unique to each victim. Encrypted files are then renamed with an additional extension that depends on the variant, for example ".promorad", ".promock", ".promok", ".promoz", ".promos", ".PAUSA" or ".CONTACTUS".

As with other ransomware, STOP avoids attacking and encrypting files in certain countries. The STOP authors did not rely on the older technique of checking local system settings for this, since that can give a wrong answer; instead, the malware looks up the location and time zone of the potential victim's system through "https[:]//api.2ip.ua/geo.json". That request is therefore a useful network indicator of an infection in progress.

Type of Encryption

Furthermore, STOP encryption includes two types of encryption:

  • Encryption with Online Key
  • Encryption with Offline Key

If you were attacked by this ransomware after August 2019, you first need to determine whether an online or an offline key was used to lock your files. The updated ransomware encrypts files with an online key (different for each victim) if it can reach its command-and-control server during the attack. Otherwise it falls back to an offline key, which is the same for all victims of a given variant (i.e. the same extension).

If an offline key was used, the data can likely be restored, now or in the near future, once that key becomes known. Unfortunately, the same cannot be said for victims hit with online keys.

What after encryption?

Once the encryption process has completed, a ransom note such as "!!!YourDataRestore!!!.txt" is created. It informs victims of the situation and gives instructions on the procedure up to full decryption of the files.

The attackers demand a ransom in exchange for decryption: the victim is expected to pay for the decryption software and the corresponding key.

According to the instructions, the victim may first send the criminal up to three encrypted files to be decrypted free of charge, as a "guarantee" that the attacker can indeed restore the victim's data.

However, Tictac's experience shows that paying the ransom does not guarantee that the attacker will send the decryption tool and key.

To sum up, this ransomware is distributed in adware bundles disguised as cracked software, warez and free software downloads; when the user runs these, the computer is infected. STOP has in fact become one of the most common types of malware affecting Windows. When such a cracked file is installed, the main installer is dropped as %LocalAppData%\[guid]\[random].exe and executed. This program is the main ransomware component, and it first downloads the following files into the same folder:

  • %LocalAppData%\[guid]\1.exe
  • %LocalAppData%\[guid]\2.exe
  • %LocalAppData%\[guid]\3.exe
  • %LocalAppData%\[guid]\updatewin.exe
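The two host and network artefacts described above (the geolocation lookup to api.2ip.ua/geo.json, and executables launched from a GUID-named folder under %LocalAppData%) are easy to turn into detection logic. The following is an added example, not code from the article or from TicTac: it runs two regexes over constructed log lines. The log formats, the user name, the GUID and the random executable name are all invented for the demo; only the URL and the dropped file names (1.exe, 2.exe, 3.exe, updatewin.exe) come from the article.

```python
"""Added example (not from the original article): flag STOP/Djvu artefacts in log lines.

Two indicators from the article are checked:
  1. the victim-location lookup to https://api.2ip.ua/geo.json
  2. executables run from %LocalAppData%\\<GUID>\\ (the installer and its 1.exe,
     2.exe, 3.exe and updatewin.exe payloads)
The log line layouts below are constructed for the demo, not a real product's format.
"""
import re

GEO_LOOKUP = re.compile(r"https?://api\.2ip\.ua/geo\.json", re.IGNORECASE)

# %LocalAppData% expands to <drive>:\Users\<user>\AppData\Local. STOP creates a
# folder named after a GUID there and runs its components from inside it.
GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
LOCALAPPDATA_GUID_EXE = re.compile(
    r"[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\" + GUID + r"\\[^\\\s\"]+\.exe",
    re.IGNORECASE,
)
# File names the article lists as downloaded next to the main installer.
KNOWN_DROPS = {"1.exe", "2.exe", "3.exe", "updatewin.exe"}


def classify_line(line):
    """Return a list of alert tags for one log line (empty list = nothing suspicious)."""
    tags = []
    if GEO_LOOKUP.search(line):
        tags.append("stop_geo_lookup")
    m = LOCALAPPDATA_GUID_EXE.search(line)
    if m:
        name = m.group(0).rsplit("\\", 1)[-1].lower()
        if name in KNOWN_DROPS:
            tags.append("stop_known_dropper")
        else:
            # any other exe in a GUID folder under Local is still worth a look
            tags.append("localappdata_guid_exe")
    return tags


def scan(lines):
    """Return {line_number: tags} for every line that produced at least one tag."""
    hits = {}
    for n, line in enumerate(lines, 1):
        tags = classify_line(line)
        if tags:
            hits[n] = tags
    return hits


# Constructed sample: process-creation and proxy records, plus benign noise.
SAMPLE_LOGS = [
    r'2020-09-14T10:02:11Z proc_create image="C:\Users\anna\AppData\Local\0f7b3c2a-1b2c-4d5e-8f90-a1b2c3d4e5f6\a3f9e1.exe" parent="setup_kmspico.exe"',
    r'2020-09-14T10:02:12Z proxy method=GET url="https://api.2ip.ua/geo.json" ua="Mozilla/4.0"',
    r'2020-09-14T10:02:13Z proc_create image="C:\Users\anna\AppData\Local\0f7b3c2a-1b2c-4d5e-8f90-a1b2c3d4e5f6\updatewin.exe" parent="a3f9e1.exe"',
    r'2020-09-14T10:02:14Z proc_create image="C:\Users\anna\AppData\Local\Microsoft\OneDrive\OneDrive.exe" parent="explorer.exe"',
    r'2020-09-14T10:02:15Z proxy method=GET url="https://www.microsoft.com/" ua="Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOGS).items():
        print(n, tags)
```

Two of the three hits (the GUID-folder executable with a KMSPico-like parent, followed within seconds by the geolocation request) are exactly the sequence the article describes, so correlating the tags by host and time window rather than alerting on each line separately is the natural next step in a real SIEM rule.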

How do I restore the encrypted files?

In October 2019 a decryptor for STOP/Djvu was released covering 148 of the known variants. However, this tool is effective only for infections that occurred up to August 2019; for variants that appeared later there is no free decryption unless an offline key was used and that key has since been recovered.

Extensions able to decrypt

Specifically, the list of extensions supported by Emsisoft's decryptor is as follows:

.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk, .peet, .mbed, .kodg, .zobm, .msop, .hets, .mkos, .nbes, .reha, .topi, .repp, .alka, .nppp, .npsk, .mado, .opqz, .mado, .covm, .usam, .vawe, .maas, .nile, .geno

If the infection shows the extensions .puma, .pumas or .pumax of early STOP, skip the steps below and use the dedicated STOP decryption tool for those variants.
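The decision described in this section and in "Type of Encryption" above (was an online or offline key used, and is the variant one the decryptor supports) can be scripted as a first-pass triage. The following is an added example, not code from the article or from Emsisoft or TicTac. It makes two assumptions the article does not state: that the personal ID appears in the ransom note after the line "Your personal ID:", and that an ID ending in "t1" denotes an offline key, which is the convention documented for Emsisoft's decryptor. The ransom note text, the ID and the file names are constructed, and only a subset of the supported-extension list above is embedded.

```python
"""Added example (not from the original article): triage a STOP/Djvu incident from its artefacts.

Inputs: the text of the ransom note and the names of some encrypted files.
Output: whether an online or offline key was used and, per appended extension,
what the article's guidance implies for recovery.

Assumptions not taken from the article (see lead-in):
  - the note carries the ID on the line after "Your personal ID:"
  - an ID ending in "t1" means an offline key (Emsisoft decryptor convention)
"""
import re
from pathlib import PureWindowsPath

# Subset of the extensions the article lists as supported by Emsisoft's decryptor.
DECRYPTABLE = {".djvu", ".promos", ".gero", ".hese", ".seto", ".coot", ".mosk", ".kodg", ".geno"}
# Early variants with their own dedicated decryptor, per the article.
PUMA_FAMILY = {".puma", ".pumas", ".pumax"}

PERSONAL_ID = re.compile(r"Your personal ID:\s*\r?\n\s*([A-Za-z0-9]+)")

VERDICT_PUMA = "early STOP variant: use the dedicated STOP Puma decryptor"
VERDICT_OFFLINE_SUPPORTED = "offline key and supported variant: run the Emsisoft decryptor"
VERDICT_ONLINE_SUPPORTED = "supported variant but online key: not decryptable for free"
VERDICT_OFFLINE_UNSUPPORTED = "offline key, variant not yet supported: re-check later"
VERDICT_ONLINE_UNSUPPORTED = "online key, unsupported variant: restore from backup"


def extract_personal_id(note_text):
    """Pull the personal ID out of the note, or None if the note does not carry one."""
    m = PERSONAL_ID.search(note_text)
    return m.group(1) if m else None


def key_mode(personal_id):
    """'offline' if the ID ends in 't1' (assumption, see above), else 'online'."""
    if not personal_id:
        return "unknown"
    return "offline" if personal_id.endswith("t1") else "online"


def appended_extension(filename):
    """STOP appends its extension after the original one: report.docx.geno -> .geno"""
    return PureWindowsPath(filename).suffix.lower()


def verdict_for(ext, mode):
    if ext in PUMA_FAMILY:
        return VERDICT_PUMA
    if ext in DECRYPTABLE:
        return VERDICT_OFFLINE_SUPPORTED if mode == "offline" else VERDICT_ONLINE_SUPPORTED
    return VERDICT_OFFLINE_UNSUPPORTED if mode == "offline" else VERDICT_ONLINE_UNSUPPORTED


def triage(note_text, filenames):
    pid = extract_personal_id(note_text)
    mode = key_mode(pid)
    exts = {appended_extension(f) for f in filenames}
    exts.discard("")
    return {
        "personal_id": pid,
        "key_mode": mode,
        "extensions": {ext: verdict_for(ext, mode) for ext in sorted(exts)},
    }


# Constructed sample note (layout only; the ID is made up and ends in "t1").
SAMPLE_NOTE = """ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted.

Your personal ID:
0254ksnvhw9DjsU3Qp8fLzX2mT7yRbE4at1
"""

# Constructed file names as they would appear after encryption.
SAMPLE_FILES = [
    r"C:\Users\anna\Documents\report.docx.geno",
    r"C:\Users\anna\Pictures\holiday.jpg.geno",
    r"C:\Users\anna\Desktop\budget.xlsx.zzzz",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_NOTE, SAMPLE_FILES), indent=2))
```

The verdicts only encode the article's own rules (offline key: decryptable now or later; online key: no free decryption; supported-extension list; Puma variants have their own tool). They are a starting point for triage, not a substitute for confirming the variant against the decryptor's current release notes.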


Updated list of STOP extensions

In February 2019 attackers were found to be deploying new, updated versions of STOP that use different file extensions during encryption; the extension list in the profile above reflects these.

In June 2020, security researchers discovered that a program posing as a Kolz ransomware decryptor was in fact fake software that delivered another ransomware strain, known as Zorab.

You should therefore contact Tictac's cyber security experts to recover your encrypted files. Our company has the experience to assess the situation and handle it appropriately, depending on the data involved.

How can I protect myself?

The key to avoiding a ransomware infection is prevention, which requires care when browsing the Internet. End users should be particularly wary of attachments received from suspicious e-mail addresses.

Users should also download updates and applications from official sources via a direct link rather than from torrents. In any case, the antivirus program and all applications and software should be kept up to date.

How can I remove STOP from my computer?

The victim can remove STOP from the computer manually.

However, this is a complex and time-consuming process that requires specialised skills.

The victim should certainly report the attack to the competent authorities, so that the perpetrators can be identified and prosecuted.

It is equally important to isolate the infected device to prevent the ransomware from spreading: disconnect it from the Internet, and disconnect all storage devices and cloud storage from the infected machine. Having done this, the victim should identify the infection, which is usually straightforward from the ransom notes the attackers leave on the victim's screen.

To avoid further attacks, and to handle an existing one better, the victim must keep backups. This is an essential part of data security and protection.

Finally, even though decryption tools exist for some STOP variants, in most cases the victim will be unable to recover the files without paying, unless backups exist.

In any case, an organisation's personnel should receive the necessary training so that they do not fall victim to social engineering attacks.

You can contact Tictac to organise cyber security training for your employees.