Have you ever heard of the STOP ransomware? Most researchers probably haven't, as few write about or cover it, and it mostly targets consumers through cracked software, adware bundles and shady websites.
Ryuk, GandCrab and Sodinokibi receive enormous, and deserved, media attention because they generate huge ransom payments, halt businesses and local governments, and impact the corporate customers who are the bread and butter of antivirus vendors.
However, based on ID Ransomware submissions and the support requests received by Michael Gillespie, STOP was the most active ransomware in the wild over the last year.
To put this in perspective, the ransomware identification service ID Ransomware receives approximately 2,500 ransomware submissions per day. Of these, 60-70 percent are STOP ransomware submissions.
September STOP Ransomware submissions
This volume of submissions exceeds that of any other ransomware that victims submit to the service when seeking help.
STOP Ransomware submissions over a year
STOP's share has grown so large that the chart above looks like Pac-Man eating all the other ransomware!
Cracks, adware bundles and shady websites
The ransomware developers have teamed up with shady websites and adware bundle operators to distribute STOP.
These websites promote fake software cracks or free programs that are really adware bundles, which install various unwanted software and malware on the user's computer. STOP ransomware is one of the programs installed via these bundles.
Some of the cracks reported to have installed STOP include those for KMSPico, Cubase, Photoshop and antivirus software.
It isn't just cracks, however: many of these shady sites also offer free software downloads that are merely adware bundles which install the ransomware.
Worse still, some of these variants also bundle the Azorult password-stealing Trojan alongside the ransomware, so victims are hit by both.
Otherwise there is nothing unique about STOP ransomware. Like any other ransomware, it encrypts files, appends an extension and drops a ransom note.
What makes it so painful is the sheer number of variants being released; there are more than 159 known variants right now.
Victims are left helpless
Gillespie has been successful in helping victims recover their files with his STOPDecryptor decryption tool, which contains the offline decryption keys the ransomware falls back to when it cannot reach its command-and-control (C2) server. The ransomware researcher has also had limited success in helping those infected with unique keys.
This has been a tough job, however, with the ransomware sometimes pumping out three to four new variants per day and thousands of victims needing help at once.
Unfortunately, the encryption has since changed, and Gillespie will no longer be able to provide as much help as before.
This news is even worse for already desperate victims, as many cannot afford the $490 ransom, which doubles to $980 after 72 hours.
STOP Ransom Note
As a result, victims leave a constant stream of support requests, even on Gillespie's unrelated tweets.
While some may say these victims brought it on themselves by downloading cracks, it is essential to remember that we should never want ransomware developers to profit from ransom payments, as this only leads to more ransomware.