This is the fourth iteration of the notorious STOP Ransomware, which was launched in November 2018. It now adds the .DATAWAIT, .INFOWAIT or .shadow extension to encrypted files. The virus uses a new name for its ransom note: !readme.txt. It pretends to be a Windows update and uses the TeamViewer resource. The ransomware still uses the RSA-1024 encryption algorithm. The current version of STOP Ransomware was developed in Visual Studio 2017. This variation of STOP Ransomware demands a $290 ransom for decryption. The malefactors offer a 50% discount if users pay within 72 hours. At the moment, there are no decryption tools available for STOP Ransomware.
QIP.ru is a potentially unwanted third-party Russian search engine and news website, powered by Yandex.ru. It infects users' computers along with the QIP Surf browser, which is built on the Chromium platform. It installs without the user's permission and replaces the default browser. QIP.ru is also spread separately in Google Chrome, Mozilla Firefox or Internet Explorer, where it replaces the default search engine and homepage.
Puma Ransomware, which started to hit thousands of computers in November 2018, is actually nothing but another variation of STOP Ransomware. The current version appends the .puma, .pumax or .pumas extension to encrypted files, which is where the nickname comes from. The virus uses the same name for its ransom note file: !readme.txt. The developers tried to confuse ransomware identification services and users by adding new extensions, but the same templates, code and other signs unequivocally indicate which family it belongs to. As the name of the executable, updatewin.exe, shows, it pretends to be a Windows update. Puma (STOP) Ransomware still uses the RSA-1024 encryption algorithm. The current version of Puma Ransomware was developed in Visual Studio 2017.
MacPerformance is a malicious application for macOS that belongs to the OSX Pirrit adware family. It takes control of the settings of Safari, Google Chrome and Mozilla Firefox to create redirects and display ads and pop-ups. It infiltrates Mac computers invisibly or by fraud and starts to generate advertisements, show phishing pages and encourage users to download potentially unwanted applications. Sometimes MacPerformance is offered for installation in a bundle with good applications, and users, confused by the name of the program, think that it is optimisation software for macOS and allow the installation.
The Dharma virus, unlike similar types of ransomware, does not change the desktop background, but creates README.txt or Document.txt.[email@example.com].zzzzz files and places them in each folder with compromised files. The text files contain a message stating that users have to pay the ransom in Bitcoin; the amount is approximately $300-$500, depending on the ransomware version. The private decryption key is stored on a remote server, and it is currently impossible to break the encryption of the latest version.