STOP Ransomware Decryptor Released for 148 Variants

DDE_Server


A decryptor for the STOP Ransomware has been released by Emsisoft and Michael Gillespie that allows you to decrypt files encrypted by 148 variants of the infection for free.
While the decryptor can recover files for 148 variants, it needs to be noted that anyone who was infected after August 2019 cannot be helped with this service. With that said, it may be possible to decrypt using an offline key, so even with these variants there may be some success.
STOP Ransomware
Last month we introduced you to the STOP Ransomware, which is the most widely distributed ransomware that is currently active. This ransomware is distributed by adware bundles that masquerade as software cracks, pirated games (warez), and free software downloads.
When a user installs one of these downloads, their computer will become infested with malicious browser extensions, click fraud trojans, adware, and the STOP Ransomware.
While the exact number of victims is hard to determine, there have been 116,000 submissions to ransomware identification site ID Ransomware related to this infection. This makes it the most submitted family of ransomware on the site followed by the Dharma Ransomware.
Top Detections at ID Ransomware
While there are some victims from the United States, most of the victims are from Europe, Asia, South America, and Africa. As expected, there are no victims from Russia, which is most likely due to language checks in the adware bundles.
STOP Heat Map
The release of Emsisoft's STOP Ransomware decryption service is a huge achievement and will be a life saver for both the victims and the helpers on BleepingComputer.
Since the STOP Ransomware was released, this infection has had the most requests for help decrypting files that we have seen since TeslaCrypt. This has led to a monstrous STOP Ransomware support topic at BleepingComputer containing 526 pages of support requests.
Volunteers at BleepingComputer have worked tirelessly trying to help these victims, but in many cases it was in vain. With the release of this decryption service, victims can finally get help in recovering their files.
All support for this decryptor will be handled in the BleepingComputer STOP Support and Help topic, so please post there with any issues.
How to decrypt STOP Djvu Ransomware encrypted files
Once again, if your files were encrypted after August 2019, then you are encrypted with a new version that the decryptor does not support and these instructions do not apply. You should instead download the decryptor to see if Emsisoft has been able to gain access to an offline key and if that will help with your files.
If you are using an older variant that you think is supported, before you can decrypt your files with Emsisoft's STOP Djvu Ransomware decryption service, confirm that you were encrypted with a supported extension. The list of supported extensions is:
.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peka, .moka, .kvag, .karl, .nesa, .noos, .kuub, .reco, .bora

If you are infected with the .puma, .pumas, or .pumax extensions of the earlier STOP Ransomware variants, you can skip all of the following steps and instead download the STOP Puma decryptor.
In order to use the service, you first need to find some encrypted files and their originals that match the following requirements and train the decryption service using them.
  • Must be the same file before and after encryption
  • Must be a different file pair per file type you wish to decrypt
  • Must be at least 150KB
To be clear, for each file type (doc, docx, xls, xlsx, png, etc) you want to decrypt, you must also upload an encrypted and unencrypted pair in order to train the service. Once the service is trained with a file type, it can be used to decrypt all files on your computer of that same type.
The best way to find encrypted and unencrypted file pairs is to look for encrypted images or files that were downloaded from the Internet. That way you can download the file again from its original location so that you have an unencrypted version.
Once you have a pair of files, go to Emsisoft | STOP Djvu Decryption and upload the files using the page's form.
Emsisoft STOP Ransomware Decryption Service
After pressing the SUBMIT button, it will change to a rotating circle to show that it is processing your files. Please be patient at this point as it may take some time to complete.
When done, the service will tell you if the files were properly processed, and if so, will provide a link to the decryptor.
Files Processed
Click on the link to download the STOP Decryptor and then double-click on it to launch the program. As this decryptor requires a working Internet connection, please make sure you are connected before proceeding.
When launching the program, it will display a UAC prompt asking if you would like to allow the program to make changes to your computer. At this prompt, you should click on the Yes button.
A license screen and a small instruction screen will then be displayed. Please read through both of these screens and acknowledge them to continue.
The main decryptor screen will now be displayed with the C:\ drive already selected to be decrypted.
STOP Djvu Decryptor
Add the folders you wish to decrypt or go with the default selection of the entire C:\ drive and click on the Decrypt button.
The decryptor will begin to decrypt all file types that you used to train the service.
Decrypting Files
While decrypting, if the decryptor is unable to decrypt a particular file type, you need to train the service by uploading encrypted and unencrypted pairs of those files. Once you do so, you then click on the Decrypt button again to have it handle that particular file type.
 
Last edited by a moderator:
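The pair-finding step above (one encrypted/original pair per file type, each at least 150KB) is easy to get wrong by hand on a machine with thousands of encrypted files. The following helper is an added example, not part of the post or of Emsisoft's tool: it takes a map of file names to sizes for the encrypted files and for the re-downloaded originals and picks one qualifying pair per file type. The extension set is a constructed subset of the list in the post, and the sample file names and sizes are made up.

```python
from pathlib import Path

# Constructed subset of the extensions listed in the post; extend with the full list as needed.
# Note: .djvu is also a legitimate document format, so check that a match really is encrypted.
STOP_EXTENSIONS = {".djvu", ".rumba", ".promorad", ".kvag", ".reco", ".bora"}
MIN_SIZE = 150 * 1024  # the decryption service needs file pairs of at least 150KB

def original_name(encrypted_name):
    """Strip a known STOP extension ('report.docx.djvu' -> 'report.docx'); None if not STOP-encrypted."""
    p = Path(encrypted_name)
    if p.suffix.lower() in STOP_EXTENSIONS:
        return p.stem  # file name without the appended ransomware extension
    return None

def select_training_pairs(encrypted, originals):
    """
    encrypted, originals: {file name: size in bytes}.
    Returns {file type: (encrypted name, original name)}, one qualifying pair per type,
    so exactly one pair is uploaded for every type the service must be trained on.
    """
    pairs = {}
    for enc_name, enc_size in sorted(encrypted.items()):
        orig = original_name(enc_name)
        if orig is None:
            continue
        file_type = Path(orig).suffix.lower().lstrip(".")
        if not file_type or file_type in pairs:
            continue  # no recognisable type, or this type already has a pair
        orig_size = originals.get(orig)
        if orig_size is None or orig_size < MIN_SIZE or enc_size < MIN_SIZE:
            continue  # no unencrypted copy available, or too small to train with
        pairs[file_type] = (enc_name, orig)
    return pairs

def scan_directories(encrypted_dir, originals_dir):
    """Build the size maps from disk (e.g. a Documents folder and a folder of re-downloaded copies)."""
    enc = {p.name: p.stat().st_size for p in Path(encrypted_dir).rglob("*") if p.is_file()}
    orig = {p.name: p.stat().st_size for p in Path(originals_dir).rglob("*") if p.is_file()}
    return select_training_pairs(enc, orig)

if __name__ == "__main__":
    # Constructed sample: names and sizes are made up for illustration.
    sample_encrypted = {"holiday.jpg.djvu": 300_000, "notes.txt.djvu": 2_000,
                        "manual.pdf.rumba": 900_000, "thesis.docx.kvag": 400_000}
    sample_originals = {"holiday.jpg": 299_664, "manual.pdf": 899_664, "notes.txt": 1_664}
    for ftype, (enc, orig) in select_training_pairs(sample_encrypted, sample_originals).items():
        print(f"{ftype}: upload {enc} together with {orig}")
```

Run `scan_directories()` against the folder holding the encrypted files and a folder of freshly downloaded originals; types that come back empty (here txt, too small, and docx, no original) still need a pair found by hand.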

Gandalf_The_Grey

While STOP (Djvu) may not be as well known as Ryuk and Sodinokibi, with 160 variants, more than 116,000 confirmed victims and an estimated total of 460,000 victims, it is by far the most active and widespread ransomware today. But there’s good news. We’ve just released a free decryption tool for it.

Read the rest here:

Efforts to help STOP victims have truly been a community collaboration! The good people at Bleeping Computer, for one, have helped numerous STOP victims by guiding them through the decryption process, supplying offline keys and samples and more.
Because of the very large number of people affected by STOP, we’re unable to provide one-on-one support for this tool. If you need help using the decryptor, please visit the STOP support topic at Bleeping Computer. The community members will be happy to provide assistance and we offer big, big thanks for their help.

From Bleeping Computer:
 
