Bleeping Computer has drawn attention to the STOP ransomware, which is one of the most active threats this year, alongside Ryuk, GandCrab and Sodinokibi, according to the ID Ransomware service created by the well-known information security expert Michael Gillespie.
The prevalence of STOP is also confirmed by the extremely active thread on the Bleeping Computer forum, where victims look for help. Nevertheless, this encryptor is rarely mentioned or written about. The reason is that this malware mainly attacks fans of pirated content and visitors to suspicious sites, and spreads as part of adware bundles.
ID Ransomware receives approximately 2,500 reports of ransomware attacks per day, and about 60-70% of them are reports of STOP attacks, which leaves the other extortionists far behind.
Gillespie and the Bleeping Computer experts note that the encryptor follows the classic scheme: it encrypts files, appends a new extension to them and drops a ransom note on the infected machine (the malware demands 490 dollars, but the amount doubles to $980 after 72 hours). However, researchers already know of more than 159 variants of STOP, and this variety significantly complicates the situation.
Gillespie had previously made some progress in helping victims recover their files: he created the STOPDecrypter tool, which includes the offline keys the ransomware uses when it cannot reach its command-and-control server. The specialist has also been able to help a number of users whose machines were encrypted with unique keys.
However, helping the victims proved a difficult task: sometimes the ransomware authors released 3-4 versions a day, and thousands of people needed help at the same time. On top of that, the STOP encryption scheme has since changed, and Gillespie can no longer offer help to all victims.
As a result, the help thread on the Bleeping Computer forum already runs to more than 500 pages, and desperate users regularly beg Gillespie for help on social networks. Almost any tweet by the researcher is instantly answered with pleas to decrypt files after a STOP attack.