Tutorials

STOP Ransomware is a large family of encryption viruses with over than year history. It has undergone multiple visual and technical modifications during the time. This article will describe the peculiar properties of the latest versions of this malware. Since the end of July, STOP Ransomware started to add following extensions to encrypted files: .access, .format, .ntuseg or .ndarod. They are sometimes called "Access Ransomware", "Format Ransomware", "Ntuseg Ransomware" and "Ndarod Ransomware" respectively. Virus modifies the "hosts" file to block Windows updates, antivirus programs, and sites related to security news. The process of infection also looks like installing Windows updates, the malware generates a fake window and progress bar for this. The cost of decryption of files encrypted by STOP Ransomware is $980 (or for $490, if the ransom is paid within 72 hours). Hackers should send special decryption tool, that will decode affected files. However, we must warn the victims, that malefactors often don't keep promises, and don't send the decoder. We recommend you to remove the active infection of STOP Ransomware and use decryption tools available. STOPDecrypter is capable of decryption of .access, .format, .ntuseg or .ndarod files. You can also try a manual guide in this article to attempt restoring files. Usage of file-recovery software can also help users recover some copies of files, that were removed earlier.

STOP Ransomware is computer virus-extortioner, with a global impact. It was developed by cyber-racketeers to blackmail users worldwide. Malware blocks access to user's documents, photos, databases, music, mail, archives by encrypting them with AES encryption algorithm and demand ransom from $490 to $980. The modification of the virus, that we are investigating now adds .novasof, .bopador, .todar or .dodoc extensions to affected files and has many other characteristic signs. For example, all latest versions of STOP Ransomware use _readme.txt ransom note file with typical message. The particular version under research today, uses following e-mail addresses: gorentos@bitmessage.ch and gorentos2@firemail.cc. Developers of STOP Ransomware promise to send decryption tool in exchange for $980 (or for $490, if the ransom is paid within 72 hours). There is no reason to trust the hackers and succumb to intimidation. There is a chance to return your data and decrypt .novasof, .bopador, .todar or .dodoc files without paying the ransom. You need to remove malware from your computer using one of the certified tools provided in the article.

Darus Ransomware, Lapoi Ransomware, Gusau Ransomware and Tocue Ransomware are next generations of STOP Ransomware family from the same authors. This virus aims important user's files, such as documents, photos, databases, music, mail. Ransomware encodes them with AES encryption and adds .darus, .lapoi, .gusau or .tocue extensions to affected files. All these variations use similar algorithms, that are unbreakable, however, in certain conditions .darus, .lapoi, .gusau and .tocue files can be encrypted by STOP Ransomware can be decrypted using STOPDecrypter (provided below). This version of STOP Ransomware uses following e-mail addresses: gorentos@bitmessage.ch and varasto@firemail.cc. STOP Ransomware creates _readme.txt ransom note file. Authors of Darus, Lapoi, Gusau and Tocue Ransomware promise to send decryption tool for encrypted files in exchange for $980 (or for $490, if the ransom is paid within 72 hours). We must warn the victims, that malefactors often don't keep promises, and cheat users without sending a decoder. We recommend you to remove the active infection of STOP Ransomware and use decryption tools available for .darus, .lapoi, .gusau or .tocue files. If decryption is impossible at the moment, keep encrypted files, that cannot be decrypted yet, to the moment, when the decryption tool will be updated. It's easy to find and copy encrypted files on your computer using CryptoSearch utility. Now you should try manual guide in this article to restore files.

Notorious STOP Ransomware continues its distribution with minor modifications. Since the middle of July 2019, new extensions appeared: .vusad, .gehad, .madek or .berosuce. At the same time, it distributes the AZORult trojan-stealer, which steals confidential information. It is capable of stealing various user data: information from files, browser history, passwords, cookies, online banking credentials, crypto-currency wallets, and more. Virus modifies the hosts file to block Windows updates, antivirus programs, and sites related to security news, selling antivirus software. This version of STOP Ransomware still uses following e-mail addresses: gorentos@bitmessage.ch and varasto@firemail.cc. Authors of STOP Ransomware promise to send decryption tool for encrypted files in exchange for $980 (or for $490, if the ransom is paid within 72 hours). We must warn the victims, that malefactors often don't keep promises, and cheat users without sending a decoder. We recommend you to remove the active infection of STOP Ransomware and use decryption tools available for .vusad, .gehad, .madek or .berosuce files. STOPDecrypter can decrypt encrypted data in certain circumstances.

Phobos Ransomware is a virus, that encrypts user files using AES encryption algorithm and demands ~$3000 for decryption. Ransomware adds .phobos, .mamba, .phoenix, .actin, .actor, .blend, .adage .acton, .com, .adame, .acute, .karlos or .Frendi extensions to encoded files and makes them inaccessible. In order to confuse users and researchers Phobos Ransomware uses file-modification patterns and ransom notes similar to very wide-spread Dharma Ransomware. Especially after design change in January 2019, when they started to look like identically. However, there are certain differences in file-markers and appearance. After contacting the developers via one of the provided e-mails, they demand $3000 in BitCoins for decryption to be paid in 6 hours. Otherwise, the cost of decryption will increase up to $5000. At the moment automated decryptors for Phobos Ransomware do not exist. There is no proof, that malefactors send decryptors to the victims, that is why we do not recommend paying the ransom. Instead, try using instructions on this page to recover encrypted files. File-recovery software can restore some files from your hard-drive.