A new STOP decryptor allows most victims to recover files for free

A new set of tools from Emsisoft allows most of STOP ransomware victims to recover their data for free

Emsisoft created a new STOP/Djvu decryptor: the new decryption service from Emsisoft allows victims of 148 STOP/Djvu variants to recover locked files for free.

New Zealand-based antivirus maker Emsisoft has excellent news for STOP (Djvu) ransomware[1] victims: a free decryption tool has been released, and it currently works for 148 out of the 160 variants in existence.[2] Unfortunately, those infected with versions released after August 2019 will not be able to use the new tool for data recovery, although other possible solutions are available.

STOP ransomware is among the most prominent malware strains and, according to Emsisoft's ransomware statistics report for Q2 to Q3 2019, accounts for around 56% of all infections worldwide.[3] With 160 variants released so far, the ransomware has infected about 116,000 victims, although these numbers are based only on AV detections and submissions to relevant websites. Emsisoft estimates that the actual number of those affected by STOP ransomware is far higher – approximately 460,000.

Michael Gillespie, one of the researchers who works with Emsisoft and helps users recover ransomware-locked data for free, said that the tool is “more of a complicated decryption tool than you would normally get,”[4] as previously unused methods were employed to create it:

We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.

Most users infect their machines with STOP variants after downloading illegal software cracks

The destruction ransomware can bring is so devastating because of its sophisticated operation, and while the security industry is vigorously fighting the malware with free decryption tools, there are most likely many more infections that cannot be decrypted at all. While different STOP variants carry different additional functionality, file locking remains their primary purpose.

Most of the recent STOP variants are distributed via software cracks and keygens placed on illegal torrent/warez[5] websites. These illegal executables let users unlock otherwise paid software and use it for free on their devices. In some cases, however, those who launch the crack also infect their machines with ransomware, which appends the .gero, .cezor, .masodas, or another extension to all personal files, preventing further access. To recover the unique key that was used to lock the files, victims are asked to pay a $490 ransom, which later increases to $980.

STOP ransomware encrypts victims' files with either an online key obtained from the attackers' server or an offline key used when the malware cannot reach that server. Many users were affected by the latter, as the attackers' server was down relatively often and the malware frequently failed to reach it.

STOP ransomware is most prevalent in Europe, South America, Africa, and Asia, although some victims in the US were affected as well. No detections from Russia were recorded, as potential victims in that region are filtered out by a preset keyboard-language check.

Several sets of rules need to be met in order for the Emsisoft's decryptor to work

While the new decryption tool for most STOP variants is great news, it requires users to put some effort into making it work. The decryption service works by comparing an encrypted file with its original (or, rather, the first five bytes of each). Thus, victims have to find an intact copy of a file and upload it together with the identical locked copy – and this process needs to be repeated for every file type, such as .pdf, .doc, .jpg, etc. Each file also needs to be at least 150 KB in size.[6]
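The pair-based requirements above make sense if the locked part of a file is a stream-cipher keystream XORed with the plaintext. The following added example (an illustration written for this page, not Emsisoft's decryptor and not STOP's real cipher) models that with a toy XOR cipher, an assumed keystream reused across a victim's files, an assumed 150 KB locked prefix and a constructed trailer, and shows how one verified original/encrypted pair recovers the keystream that unlocks other files of the same type.

```python
import os

MIN_PAIR_SIZE = 150 * 1024       # page's rule: each submitted pair must be at least 150 KB
LOCKED_PREFIX = 150 * 1024       # assumption: only this many leading bytes are encrypted
TRAILER = b"{CONSTRUCTED-VICTIM-ID}"  # constructed marker the toy locker appends to files

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_lock(plaintext: bytes, keystream: bytes) -> bytes:
    """Constructed stand-in for the ransomware: XOR the prefix, keep the rest, add trailer."""
    return xor_bytes(plaintext[:LOCKED_PREFIX], keystream) + plaintext[LOCKED_PREFIX:] + TRAILER

def check_pair(original: bytes, locked: bytes, signature: bytes) -> None:
    """Mirror the submission rules: file type by first five bytes, large enough, really locked."""
    if original[:5] != signature:
        raise ValueError("original does not carry the expected file-type signature")
    if locked[:5] == original[:5]:
        raise ValueError("locked copy starts like the original, so it is not encrypted")
    if len(original) < MIN_PAIR_SIZE:
        raise ValueError("pair too small: at least 150 KB of known plaintext is needed")

def recover_keystream(original: bytes, locked: bytes) -> bytes:
    """Known-plaintext step: plaintext XOR ciphertext yields the keystream of the locked prefix."""
    return xor_bytes(original[:LOCKED_PREFIX], locked[:LOCKED_PREFIX])

def unlock(locked: bytes, keystream: bytes) -> bytes:
    """Decrypt another file locked with the same keystream and drop the trailer."""
    body = locked[:-len(TRAILER)] if locked.endswith(TRAILER) else locked
    return xor_bytes(body[:LOCKED_PREFIX], keystream) + body[LOCKED_PREFIX:]

def demo() -> bool:
    """Constructed scenario: one PDF with a backup unlocks a second PDF without one."""
    keystream = os.urandom(LOCKED_PREFIX)             # constructed per-victim keystream
    known = b"%PDF-" + os.urandom(MIN_PAIR_SIZE)      # constructed original, above 150 KB
    other = b"%PDF-" + os.urandom(300 * 1024)         # constructed file with no backup
    locked_known = toy_lock(known, keystream)
    locked_other = toy_lock(other, keystream)
    check_pair(known, locked_known, b"%PDF-")
    return unlock(locked_other, recover_keystream(known, locked_known)) == other

if __name__ == "__main__":
    print("recovered other file:", demo())
```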

Even after these requirements are met, however, Emsisoft said the decryptor will only work for victims affected by 148 of the 160 variants, which means that those hit by the latest 12 variants are not eligible for decryption. Researchers also asked users to back up the encrypted data, as new tools might be created in the future:

Unfortunately, this tool will not work for every victim as it can only recover files encrypted by 148 of the 160 variants. We estimate that this will enable approximately 70% of victims to recover their data. For people affected by the remaining 12 variants, no solution currently exists and we are unable to offer further assistance at this point in time. We recommend that those who find themselves in this position archive the encrypted data in case a solution becomes available in the future.

If you were affected by the older .Puma, .Pumas or .Pumax variants, or their uppercase versions, you can download the STOP Puma Decryptor, which will work for all of your files.[7] If you were affected by the newest Djvu variants, you can still try a decryption tool that sometimes works for files encrypted with an offline key.[8]

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.
