Severity scale:  
  (99/100)

Remove STOP ransomware (Removal Guide) - updated Jul 2019

removal by Gabriel E. Hall - - | Type: Ransomware

STOP ransomware is still an active file locking virus that uses the elaborate scheme to extort money in 2019

STOP cryptovirus
STOP ransomware is asking $600 ransom to recover encrypted files.

Questions about STOP ransomware

STOP ransomware is a data-locker that first made its appearance in December 2017. The malware uses a combination of AES and RSA algorithms to encrypt data and add .STOP file extension. However, new versions have been emerging almost every month and at the moment the virus is appending the following extensions: .SAVEfiles, .puma, .pumas, .pumax, .shadow, .keypass, and many others. It is also worth mentioning that one of the most notorious variants is Keypass ransomware and Djvu ransomware that made headlines[1] when they targeted victims from over 20 countries. At the moment, Djvu ransomware is the most active version of STOP ransomware that has been demanding a ransom of $300 – $600 for data decryptor. The malware is using _openme.txt, !readme.txt or similar ransom notes, and urging users to contact crooks via restoredjvu@firemail.cc, stopfilesrestore@bitmessage.ch, helpshadow@india.com or similar email addresses.

Summary of the cyber threat
Name STOP ransomware
Type Cryptovirus
Encryption algorithm AES and RSA-1024
Appended file extensions .STOP, .SUSPENDED , .WAITING, .CONTACTUS, .DATASTOP, .PAUSA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT, .puma, .pumax, .pumas, .shadow, .djvu. .djvuu. .djvus, .udjvu, .uudjvu, .kroput1, .charck, .kropun, .doples, .luces, .luceq, .chech, .pulsar1, .proden
Ransom notes

!!! YourDataRestore !!! txt,
!!RestoreProcess!!!.txt,
!!!!RESTORE_FILES!!!.txt,
!!!DATA_RESTORE!!!.txt
!!!DECRYPTION__KEYPASS__INFO!!!.txt
!!!WHY_MY_FILES_NOT_OPEN!!!.txt
!!SAVE_FILES_INFO!!!.txt
!readme.txt

The size of the ransom $300 – $600
Contact email addresses

stopfilesrestore@bitmessage.ch
topfilesrestore@india.com
suspendedfiles@bitmessage.ch
suspendedfiles@india.com
decryption@bitmessage.ch
BM-2cUMY51WfNRG8jGrWcMzTASeUGX84yX741@bitmessage.ch
keypassdecrypt@india.com
decryptionwhy@india.com
savefiles@india.com
helpshadow@india.com
helpshadow@firemail.cc
restoredjvu@india.com
restoredjvu@firemail.cc 

Distribution methods Malicious spam emails, hacked websites, exploits, brute-force attacks, etc.
Decryptor Download from here (direct download)
To get rid of the ransomware, install Reimage and run a full system scan

STOP ransomware was initially discovered in December 2017. However, new variants appeared in August 2018 and some previous months. All of them behave similarly but appends new file extensions to the targeted data, provides slightly different ransom notes and use new contact email addresses.

The original version of malware[2] adds .STOP file extension to make files inaccessible on the affected Windows computer. As soon as STOP ransomware finishes the encryption procedure, the virus delivers a ransom note in “!!! YourDataRestore !!! txt” file. The message of the crooks tells that victims have to pay the ransom in 72 hours.

Authors of STOP virus demand to pay $600 in three days time. In order to give proof, hackers allow sending 1-3 “not very big” files for free test decryption to stopfilesrestore@bitmessage.ch or stopfilesrestore@india.com. However, these might be the only files you manage to get after the ransomware attack. Once you pay the ransom, crooks might disappear because they get what they wanted from you.

However, we want to stress out that paying the demanded price to the cybercriminals is a very risky task which may lead to a huge money loss. Once you pay those $600, you might be asked to pay for more. If you disagree or be left without promised decryption option, no one will help you to trace the criminals and get your money. So better avoid any contact with the crooks and check out the official STOP virus decryptor that you can find below this article.

STOP files virus
STOP ransomware is spreading around with four different extensions: .STOP, .SUSPENDED, .CONTACTUS, .DATASTOP.

Therefore, we highly recommend forgetting about data recovery at the moment. The most important task is to remove STOP ransomware from the computer in order to make the system safe. For this reason, we suggest scanning the affected machine with anti-malware software like Reimage to remove STOP ransomware virus. 

It's crucial to use professional security tools because this cyber threat might alter Windows Registry,[3] create new keys, install malicious files or affect legitimate system processes. It means that manual termination is nearly impossible. If you try to located and delete these entries yourself, you might cause damage to your machine. Hence, do not risk!

Once you take care of STOP ransomware removal, you can safely plug in external storage drive with backups or export needed files from cloud storage. If you haven't backed up your files yet and cannot perform full data recovery, you should try third-party tools that we mentioned at the end of the article. Hopefully, some of the files will be rescued. Furthermore, experts recently released an original decryptor for this ransomware that can recover some data and we have provided it below the article.

New variants of ransomware have been appearing almost every month in 2018

Suspended ransomware

At the beginning of the year, in February, malware researchers reported about STOP malware variant that uses .SUSPENDED file extension to lock documents, multimedia, databases, archives, and many other files. The behavior of ransomware is similar to the previous version, but it downloads a different ransom note after file encryption.

Suspended ransomware provides recovery instructions in ”!!RestoreProcess!!!.txt file and asks to send unique victim's ID and preferred sample files for the decryption to suspendedfiles@bitmessage.ch or suspendedfiles@india.com email addresses. The size of the ransom and deadline remain the same.

STOP virus encrypted data
STOP ransomware came back with another version - Suspended ransomware.

CONTACTUS ransomware

At the end of May, another variant of STOP ransomware virus hit the surface. This version is using .CONTACTUS file extension to lock targeted files. Not only the appended suffix was changed. Crooks also renamed data recovery instructions, and now the document where all recovery options are provided is called !!!RESTORE_FILES!!!.txt. The contact email addresses were changed to decryption@bitmessage.ch and decryption@india.com:

All your important files were encrypted on this PC.
All files with .CONTACTUS extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.

To decrypt your files, you need to obtain private key + decrypt software.

To retrieve the private key and decrypt software, you need to CONTACTUS us by email decryption@bitmessage.ch send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.

For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.

Your personal id:
[redacted 40 characters]

E-mail address to contact us:
decryption@bitmessage.ch

Reserve e-mail address to contact us:
decryption@india.com

SaveFiles ransomware

Another STOP ransomware version emerged in September 2018. After using urpress.exe file as the main executable, this ransomware encrypts your data and marks locked files with .SAVEfiles appendix. Like other versions, this threat does this with the help of AES and RSA encryption methods. After the file modification, ransomware places a ransom note called !!!SAVE_FILES_INFO!!!.txt on every file that contains encrypted data.

The ransom note contains the following text:

WARNING!

Your files, photos, documents, databases and other important files are encrypted and have the extension: .SAVEfiles
The only method of recovering files is to purchase an decrypt software and unique private key.

After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.

You need to contact us by e-mail BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch send us your personal ID and wait for further instructions.

For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.

Price for decryption $500.
This price avaliable if you contact us first 72 hours.

E-mail address to contact us:
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch

Reserve e-mail address to contact us:
savefiles@india.com

Your personal id:

As you can see, virus developers claim they have the tool for file recovery and decryption and encourage people to contact them via savefiles@india.com email. You shouldn't do that because criminals are not worthy of your trust. Better follow a provided guide to remove STOP ransomware. For that, you can use programs like Reimage or SpyHunterCombo Cleaner. Perform a full system scan to clean your system further. Then, try data recovery tools or programs and restore your files.

Puma ransomware

Puma ransomware is a decryptable virus. If you got infected, you can call yourself luckier than other victims because you have a chance to recover your encrypted files. However, only data having the .puma, .pumas, and .pumax appendixes can be unclocked by using a special decrypter (direct link provided) from virus experts. However, make sure you try this decrypter only after you remove malware from the system at first. Otherwise, the encryption procedure can be launched once again.

When inside the system, the virus drops !readme.txt ransom note to inform its victim about the current situation. Before that, malware launches the encryption procedure (for that it uses AES and RSA algorithm) to make all files installed on the system useless. The victim is given 72 hours to contact hackers. However, you should never do that to prevent further problems on your computer.

STOP ransomware decryptor
Tech experts have recently released an original STOP virus decryption key.

Shadow ransomware

At the beginning of December 2018, researchers discovered a variant that appends .shadow extension to the infected files. This file extension was firstly used by BTCWare ransomware virus back in 2017 and now seems like STOP malware authors adopted it as well.

Shadow ransomware virus is using a ransom note !readme.txt that explains how to proceed with the payment in Bitcoin. Crooks offer to decrypt one file for free, to prove that the decryptor is actually working. The contact emails helpshadow@india.com or helpshadow@firemail.cc should help with the communication. Allegedly, the 50% discount on the ransom price is valid within the first 72 hours of the infection.

As usual, we recommend avoiding any contact with threat actors. While this .shadow file virus is not decryptable at the time of the writing, you should wait till a free decryptor is released, just as it happened with Puma ransomware.

Djvu ransomware

The latest virus version is Djvu ransomware which has been appending several extensions: .djvu, .djvus, .djvuu, .udjvu, .uudjvu, .djvuq, .djvur. The virus has already affected thousands of users worldwide by using the most popular scheme used by ransomware to sneak into the target system – spam. Victims typically receive an email which is offering to know more about more about their parcel, invoice, report or delivery. However, downloading the attachment means letting the virus into the system.

Djvu ransomware is not decryptable, so the only way to recover encrypted data is to remove the virus first and then try third-party tools. Of course, if you have been backing your files before they got encrypted, you should find no worries. Just remove encrypted files from the system and install the good ones.

Crypto-virus might get into the system as soon as you open a malicious spam email

The executable of a file-encrypting virus typically spreads via malicious spam emails[4] that include attachments. With the help of social engineering, criminals trick victims into opening obfuscated attachment and letting malware into the system. You can spot a dangerous email from these signs:

  • You did not expect to get this email (e.g., you haven't ordered anything from Amazon, and you do not expect a FedEx courier to bring any parcel).
  • The letter lacks of credentials, such as company logo or signature.
  • The email is full of mistake or weirdly structured sentences.
  • The letter does not have a subject line, the body is empty and it includes only an attachment.
  • The content of the email urges to check the information in the attachment.
  • Sender's email address seems suspicious. 

STOP malware
STOP malware has been actovely spreading around with the help of spam.

However, specialists from NoVirus.uk[5] tell that malware can also sneak into the system when a user clicks on a malicious ad, downloads corrupted program or its update, and applying any other techniques.

For this reason, internet users should learn to identify potential risks that might be lurking on the web. We want to remind that no security software[6] can fully protect you from ransomware attack. For this reason, watching your clicks and downloads, as well as creating and regularly updating backups are a must!

Get rid of STOP ransomware to recover your files

First of all, we want to discourage you from removing ransomware manually. This cyber threat includes numerous files and components that might look like legitimate system processes. Therefore, you can easily delete wrong entries and cause more damage. For this reason, you have to opt for automatic STOP ransomware removal.

The virus might block access to security software which is needed for the removal, so you should disable the virus first by booting to Safe Mode with Networking. The instructions below will explain to you how it's done. It doesn't matter which version of malware affected your PC, the removal guide remains the same.

When in Safe Mode, download, install and update Reimage, Malwarebytes Malwarebytes or SpyHunterCombo Cleaner. Then, run a full system scan and wait until the program finishes cleaning the system and helps you remove STOP ransomware. Later you can plug in backups to recover your files or try alternative methods presented below.

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove STOP virus, follow these steps:

Remove STOP using Safe Mode with Networking

Follow these steps to reboot the computer to Safe Mode with Networking which allows disabling STOP ransomware:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove STOP

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete STOP removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove STOP using System Restore

This method can also help to get rid of the virus automatically:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of STOP. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that STOP removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove STOP from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by STOP, you can use several methods to restore them:

Try Data Recovery Pro

Originally, this tool is designed to recover files after system wreckage or deletion. However, it can be helpful after ransomware attack too.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by STOP ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

This method allows copying previously saved versions of files if System Restore was enabled before ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try out ShadowExplorer

ShadowExplorer can recover files from Shadow Volume Copies if STOP ransomware did not delete them.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

STOP ransomware decryptor has been discovered recently. You can find it here (direct download link)

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from STOP and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunterCombo Cleaner or Malwarebytes Malwarebytes

About the author

Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

References

Removal guides in other languages


Your opinion regarding STOP ransomware