This is fourth iteration of notorious STOP Ransomware, that was launched in November, 2018. Now it adds .DATAWAIT, .INFOWAIT or .shadow extensions to encrypted files. Virus uses new name for ransom note: !readme.txt. It pretends to be a Windows update and uses the TeamViewer resource. Ransomware still uses RSA-1024 encryption algorithm. Current version of STOP Ransomware was developed in Visual Studio 2017. This variation of STOP Ransomware demands $290 ransom for decryption. Malefactors offer 50% discount, if users pay in 72 hours. At the moment, there are no decryption tools availabe for STOP Ransomware.
Puma Ransomware, that started to hit thousands of computers in November, 2018, is, actually, nothing but another variation of STOP Ransomware. Current version appends .puma, .pumax or .pumas extensions to encrypted files, and that is why it has such nickname. Virus uses the same name for ransom note file: !readme.txt. Developers tried to confuse ransomware identification services and users by adding new extensions, but using the same templates, code and other signs unequivocally indicate belonging to a certain family. As we see from the name of the executable: updatewin.exe, it pretends to be a Windows update. Puma (STOP) Ransomware still uses RSA-1024 encryption algorithm. Current version of Puma Ransomware was developed in Visual Studio 2017.
In this article we descrbe third generation of STOP Ransomware, previous two versions were described by our team earlier. This variation was actively spreaded in August and September, 2018. Virus already attacked users from 25 countries including Brazil, Chile, Vietnam, USA, United Arab Emirates, Egypt, Algeria, Indonesia, India, Iran, Poland, Belarus, Ukraine. This variation uses uses symmetric and asymmetric cryptography and adds .KEYPASS, .WHY or .SAVEfiles extensions to the files after encryption. Intruders demand $300 ransom for decryption. They offer to decrypt up to 3 random files for free, to prove that decryption is possible. Hackers also warn, that if amount is not paid within 72 hours data restoration will be impossible.
Updated version of STOP Ransomware ransomware appends .PAUSA, .CONTACTUS, .DATASTOP or .STOPDATA suffixes to encrypted files. Virus still uses RSA-1024 encryption algorithm. All versions, except .STOPDATA, demand $600 ransom in BTC (BitCoin cryptocurrency), last one offers decryption for $200. Still malefactors offer to decrypt from 1 to 3 files for free to prove, that decryption is possible. This can be used to attempt decoding in future. At the moment, unfortunately, the only way to restore your files is from backups.
STOP Ransomware is dangerous file-encrypting virus. It uses AES/RSA-1024 encryption algorithm. Depending on version, ransomware adds .STOP, .SUSPENDED or .WAITING extensions to encrypted files. First variant of STOP Ransomware creates !!!YourDataRestore!!!.txt files, second !!!RestoreProcess!!!.txt, third !!!INFO_RESTORE!!!.txt. In this files, malware demands $600 ransom, that has to be paid in 72 hours, in BitCoins. It also contains user personal id and e-mail addresses for contacting.