STOP Ransomware is file-encrypting ransomware-type virus, that encrypts user files using AES (режим CFB) encryption algorithm. DJVU Ransomware is identified as variation of STOP Ransomware. Virus appends .djvu, .udjvu or .djvuu extension to encrypted files, what can embarrass some users, as this is popular file format for e-books and storing scanned documents. When encryption is finished DJVU Ransomware places _openme.txt text file with following content in the folders with affected files and on the desktop.
Tfude Ransomware, which is actually next generation of STOP Ransomware appeared in January of 2019. This virus encrypts user’s essential files, such as documents, photos, databases, music with AES encryption and adds .tfude (later started to append .tfudet and .tfudeq) extensions to affected files. This ransomware is almost identical to .puma Ransomware and .djvu Ransomware, and belongs to the same authors, because it uses the same e-mail adresses (email@example.com and firstname.lastname@example.org) and same BitCoin wallets. Tfude variation of STOP Ransomware displays fake Windows Update pop-up during the process of file encryption. From the file above we can understand, that hackers offer 50% discount for decryption, if ransom amount is paid within 72 hours. However, this is just a trick to encourage people to pay the ransom. Often hackers don’t send decryptor after this. We recommend you to remove executables of STOP Ransomware and save those encrypted files to the time, when decryption tool appears. Before that, you can try manual instructions described in this article to restore files.
This article contains information about version of STOP Ransomware that adds .pdff, .tro or .rumba extensions to encrypted files, and creates _openme.txt ransom note file on the desktop and in the folders with affected files. This variation first appeared in January, 2019 and almost identical to previous .puma Ransomware and .djvu Ransomware. Ransomware virus still uses AES encryption algorithm and still demands ransom in BitCoins for decryption. All three varieties belong to one author, because they are using the same e-mail addresses for communication: email@example.com and firstname.lastname@example.org. From the file above we can learn, that hackers offer 50% discount for decryption, if ransom amount is paid within 72 hours. However, from our experience, this is just a trick to encourage person to pay the ransom. Often malefactors don’t send decryptor after this. We recommend, that you remove active infection of STOP Ransomware and preserve your files until decryption tool appears. Until that time, you can try manual instructions on this page to attempt restoring encrypted files.
This is fourth iteration of notorious STOP Ransomware, that was launched in November, 2018. Now it adds .DATAWAIT, .INFOWAIT or .shadow extensions to encrypted files. Virus uses new name for ransom note: !readme.txt. It pretends to be a Windows update and uses the TeamViewer resource. Ransomware still uses RSA-1024 encryption algorithm. Current version of STOP Ransomware was developed in Visual Studio 2017. This variation of STOP Ransomware demands $290 ransom for decryption. Malefactors offer 50% discount, if users pay in 72 hours. At the moment, there are no decryption tools availabe for STOP Ransomware.
Puma Ransomware, that started to hit thousands of computers in November, 2018, is, actually, nothing but another variation of STOP Ransomware. Current version appends .puma, .pumax or .pumas extensions to encrypted files, and that is why it has such nickname. Virus uses the same name for ransom note file: !readme.txt. Developers tried to confuse ransomware identification services and users by adding new extensions, but using the same templates, code and other signs unequivocally indicate belonging to a certain family. As we see from the name of the executable: updatewin.exe, it pretends to be a Windows update. Puma (STOP) Ransomware still uses RSA-1024 encryption algorithm. Current version of Puma Ransomware was developed in Visual Studio 2017.