STOP Ransomware is large family of encryption viruses with over than a year history. It has undergone multiple visual and technical modifications during the time. This article will describe peculiar properties of latest versions of this malware. Since the end of March, STOP Ransomware started to add following extensions to encrypted files: .raldug, .refols, .roland, .tronas or .trosak. The cost of decryption of files encrypted by STOP Ransomware is $980 (or for $490, if ransom is paid within 72 hours). Hackers should send special decryption tool, that will decode affected files. However, we must warn the victims, that malefactors often don’t keep promises, and don’t send the decoder. We recommend you to remove active infection of STOP Ransomware and use decryption tools available. STOPDecrypter is capable of decryption of .raldug, .refols, .roland, .tronas or .trosak files. You can also try manual guide in this article to attempt restoring files.
Notorious STOP Ransomware continues its distribution with minor modifications. Since the end of February 2019, new extensions appeared: .kropun, .kropun1, .kroput or .kroput1. At the same time, it distributes the AZORult trojan-stealer, which steals confidential information. It is capable of stealing various user data: information from files, browser history, passwords, cookies, online banking credentials, crypto-currency wallets, and more. Virus modifies the hosts file to block Windows updates, antivirus programs, and sites related to security news, selling antivirus software. This version of STOP Ransomware still uses following e-mail addresses: firstname.lastname@example.org and email@example.com.
Promos Ransomware is another generation of STOP Ransomware family from the same authors. This virus aims important user’s files, such as documents, photos, databases, music, mail. Ransomware encodes them with AES encryption and adds .promos, .promoz,.promock, .promorad, .promorad2 or .promok extensions to affected files. All these variations use similar algorithms, however, to this moment only .promos files encrypted by STOP Ransomware can be decrypted using STOPDecrypter (provided below). Authors of Promos Ransomware promise to send decryption tool for encrypted files in exchange for $980 (or for $490, if ransom is paid within 72 hours). We must warn the victims, that malefactors often don’t keep promises, and cheat users without sending a decoder. We recommend you to remove active infection of STOP Ransomware and use decryption tools available for .promos files. Keep encrypted files, that cannot be decrypted yet (.promoz, .promok, .promock, .promorad), to the moment, when decryption tool will be updated. Now you should try manual guide in this article to restore files. Usage of file-recovery software can also help users return some copies of files, that were removed earlier.
Cr1ptT0r Ransomware is new type of ransomware, that uses network disk array vulnerability to infect user’s computers. This crypto ransomware encrypts data on network (cloud, NAS, Network Attached Storage) storage using a special encryption algorithm, and then requires a ransom of ~ 0.3 BTC to return files. Original title Cr1ptT0r is indicated in the ransom note and on the page on the OpenBazaar website. Developers call themselves a Cr1ptT0r team. The ELF ARM binary is used for Linux systems with a focus on embedded devices, but depending on the manufacturer it can be adapted for Windows. Virus creates 2 files: _FILES_ENCRYPTED_README.txt and _cr1ptt0r_support.txt. The Sodium crypto library and the asymmetric encryption algorithm “curve25519xsalsa20poly1305” (Curve25519, Salsa20, Poly1305) are used for encryption. The open 256-bit encryption key is located in the cr1ptt0r_logs.txt file, which also stores the list of encrypted files, and it is also added to the end of the encrypted files, just before the marker. Cr1ptT0r Ransomware uses the OpenBazaar site to “support” the affected and selling the decoder. There are no decryption tool available yet, however, using instructions in this article can help you recover encrypted files. Follow the guide below to remove Cr1ptT0r Ransomware and decrypt your files in Windows 10, 8/8.1, Windows 7.
Phobos Ransomware is a virus, that encrypts user files using AES encryption algorithm and demands ~$3000 for decryption. Ransomware adds .phobos extension to encoded files and makes them inaccessible. In order to confuse users and researchers Phobos Ransomware uses file-modification patterns and ransom notes similar to very wide-spread Dharma Ransomware. Especially after design change in January, 2019, when they started to look like identically. However, there are certain differences in file-markers and appearance. After contacting the developers via one of the provided e-mails, they demand $3000 in BitCoins for decryption to be paid in 6 hours. Otherwise the cost of decryption will increase up to $5000. At the moment automated decryptors for Phobos Ransomware do not exist. There is no proof, that malefactors send decryptors to the victims, that is why we do not recommend paying the ransom. Instead, try using instructions on this page to recover encrypted files. File-recovery software can restore some files from your hard-drive.