Ransomware

Have you ever heard of the STOP Ransomware? Probably not, as few write about it, most researchers don't cover it, and for the most part it targets consumers through cracked software, adware bundles, and shady sites.

Ryuk, GandCrab, and Sodinkibi get huge and deserved media attention because they generate giant ransom payments, can halt business and local governments, and affect enterprise customers, which are the bread and butter for AV companies.

Yet, based on Michael Gillespie's ID Ransomware submissions and support requests at BleepingComputer, for the past year it has been the most actively distributed ransomware in the wild.

To give you some perspective, the ransomware identification service ID Ransomware gets approximately 2,500 ransomware submissions a day. Of those, between 60-70 % are STOP ransomware submissions.

September STOP Ransomware submissions
September STOP Ransomware submissions

This amount of submissions beats out any other ransomware that users are submitting to the service when trying to get help.

STOP Ransomware submissions over a year
STOP Ransomware submissions over a year

STOP is getting so big that the image above looks like Pacman eating all of the other ransomware!

Cracks, Adware bundles, and shady sites

In order to distribute STOP, the ransomware developers have teamed up with shady sites and adware bundles.

These sites promote fake software cracks or free programs, which are really adware bundles that install a variety of unwanted software and malware onto a user's computer. One of the programs installed via these bundles is the STOP Ransomware.

Some of the reported cracks that are have been seen installing STOP include KMSPico, Cubase, Photoshop, and antivirus software.

Crack

It is not only cracks, though, as many of these shady sites offer downloads of free software, but are simply just adware bundles that install the ransomware.

Even worse, some of these variants also bundle the Azorult password stealing Trojan with the ransomware for a double-attack on the victim.

Otherwise, there is nothing particularly special about the STOP Ransomware.  It encrypts just like any other ransomware, appends an extension, and drops a ransom note. 

What makes it so much of a pain is the sheer amount of variants that keep being released. In fact right now, there are more than 159 variants that we know about.

Users are desperate

Gillespie has had some success helping victims recover their files through his decryption tool STOPDecryptor that includes offline decryption keys that the ransomware uses when it couldn't communicate with the C2. The ransomware researcher has also had limited success in helping those who were infected with unique keys.

This has been an arduous task, though, with the ransomware pumping out sometimes 3-4 variants a day and thousands of victims needing help at one time.

Unfortunately, the encryption has changed and Gillespie will no longer be able to offer as much support as he was previously able to.

For already desperate users, this news makes it even worse as many are unable to afford the $490 ransom, which doubles after 72 hours to $980.

STOP Ransom Note
STOP Ransom Note

This leads users to leave constant support requests at BleepingComputer and in unrelated tweets by Gillespie.

While some may say that these victim had it coming because they downloaded cracks, it is important to remember that we never want to let the ransomware developers generate ransom payments as it only leads to more ransomware being created.

Related Articles:

Meet Brain Cipher — The new ransomware behind Indonesia's data center attack

Infosys McCamish says LockBit stole data of 6 million people

BlackSuit ransomware gang claims attack on KADOKAWA corporation

Rafel RAT targets outdated Android phones in ransomware attacks

Chinese Cyberspies Employ Ransomware in Attacks for Diversion