Severity scale:  
  (99/100)

STOP ransomware. How to remove? (Uninstall guide)

removal by Gabriel E. Hall - - | Type: Ransomware

STOP ransomware is a dangerous a crypto-malware that has been prevalent since December 2017

Ransom note by STOP ransomware
STOP ransomware is asking $600 ransom to recover encrypted files.

Questions about STOP ransomware

STOP ransomware is a file locking virus that started to attack unsuspecting users in December 2017. The malware uses a combination of AES and RSA to encrypt data and adds .STOP extension. The malicious software was updated several times since its release, and new variants appended .SUSPENDED, .CONTACTUS, .DATASTOP, .WHY and other file extensions. The virus recently made headlines when it targeted victims from over 20 countries using Keypass ransomware.  The newest version of this cyber threat is asking for $500 in Bitcoin for file encrypted and marked with .SAVEfiles appendix recovery. And demands the payment in new ransom note called !!!SAVE_FILES_INFO!!!.txt. You can also find a new contact email savefiles@india.com but you shouldn't pay or contact these hackers no matter how important your files are or how small the demanded ransom is.

Summary of the cyber threat
Name STOP ransomware
Type Cryptovirus
Encryption algorithm AES and RSA-1024
Appended file extensions .STOP, .SUSPENDED , .WAITING, .CONTACTUS, .DATASTOP, .PAUSA, .KEYPASS, .WHY, .SAVEfiles
Ransom notes

!!! YourDataRestore !!! txt,
!!RestoreProcess!!!.txt,
!!!!RESTORE_FILES!!!.txt,
!!!DATA_RESTORE!!!.txt
!!!DECRYPTION__KEYPASS__INFO!!!.txt
!!!WHY_MY_FILES_NOT_OPEN!!!.txt

!!!SAVE_FILES_INFO!!!.txt

The size of the ransom $300 – $600
Contact email addresses

stopfilesrestore@bitmessage.ch,
topfilesrestore@india.com,
suspendedfiles@bitmessage.ch, 
suspendedfiles@india.com,
decryption@bitmessage.ch
BM-2cUMY51WfNRG8jGrWcMzTASeUGX84yX741@bitmessage.ch
keypassdecrypt@india.com
decryptionwhy@india.com

savefiles@india.com

Distribution methods Malicious spam emails, hacked websites, etc.
To uninstall XXX, install Reimage and run a full system scan

STOP ransomware was initially discovered in December 2017. However, new variants appeared in August 2018 and some previous months. All of them behave similarly but appends new file extensions to the targeted data, provides slightly different ransom notes and use new contact email addresses.

The original version of malware[1] adds .STOP file extension to make files inaccessible on the affected Windows computer. As soon as STOP ransomware finishes the encryption procedure, the virus delivers a ransom note in “!!! YourDataRestore !!! txt” file. The message of the crooks tells that victims have to pay the ransom in 72 hours.

Authors of STOP virus demand to pay $600 in three days time. In order to give proof, hackers allow sending 1-3 “not very big” files for free test decryption to stopfilesrestore@bitmessage.ch or stopfilesrestore@india.com. However, these might be the only files you manage to get after the ransomware attack. Once you pay the ransom, crooks might disappear because they get what they wanted from you.

STOP ransomware encrypted files
STOP ransomware is spreading around with four different extensions: .STOP, .SUSPENDED, .CONTACTUS, .DATASTOP.

Therefore, we highly recommend forgetting about data recovery at the moment. The most important task is to remove STOP ransomware from the computer in order to make the system safe. For this reason, we suggest scanning the affected machine with anti-malware software like Reimage to remove STOP ransomware virus. 

It's crucial to use professional security tools because this cyber threat might alter Windows Registry, create new keys, install malicious files or affect legitimate system processes. It means that manual termination is nearly impossible. If you try to located and delete these entries yourself, you might cause damage to your machine. Hence, do not risk!

Once you take care of STOP ransomware removal, you can safely plug in external storage drive with backups or export needed files from cloud storage. If you haven't backed up your files yet and cannot perform full data recovery, you should try third-party tools that we mentioned at the end of the article. Hopefully, some of the files will be rescued.

New variants of ransomware appeared in 2018

At the beginning of the year, in February, malware researchers reported about STOP malware variant that uses .SUSPENDED file extension to lock documents, multimedia, databases, archives, and many other files. The behavior of ransomware is similar to the previous version, but it downloads a different ransom note after file encryption.

Suspended ransomware provide recovery instructions in ”!!RestoreProcess!!!.txt file and ask to send unique victim's ID and preferred sample files for the decryption to suspendedfiles@bitmessage.ch or suspendedfiles@india.com email addresses. The size of the ransom and deadline remain the same.

STOP Suspended ransomware version
STOP ransomware came back with another version - Suspended ransomware.

At the end of May, another variant of STOP ransomware virus hit the surface. The latest version uses .CONTACTUS file extension to lock targeted files. Not only the appended suffix was changed. Crooks also renamed data recovery instructions, and now inform about the cyber attack and recovery options in !!!RESTORE_FILES!!!.txt. The contact email addresses were changed too: decryption@bitmessage.ch and decryption@india.com:

All your important files were encrypted on this PC.
All files with .CONTACTUS extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.

To decrypt your files, you need to obtain private key + decrypt software.

To retrieve the private key and decrypt software, you need to CONTACTUS us by email decryption@bitmessage.ch send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.

For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.

Your personal id:
[redacted 40 characters]

E-mail address to contact us:
decryption@bitmessage.ch

Reserve e-mail address to contact us:
decryption@india.com

Unfortunately, malware researchers haven't created a free decryptor yet. Hence, proceeding with hackers' instructions might seem like the only option right not. However, we want to stress out that this is a very risky task which may lead to a huge money loss. Once you pay those $600, you might be asked to pay for more. If you disagree or be left without promised decryption option, no one will help you to trace the criminals and get your money.

We understand that you value your files a lot, but we want to discourage you from taking this action. You should get rid of STOP virus and try to restore data alternatively. Finally, the cyber attack might become a hard lesson why cyber security and backing up is a very important topic.

Another STOP ransomware version merged in September 2018. Executing urpress.exe file this ransomware encrypts your data and marks locked files with .SAVEfiles appendix. As other versions, this threat does this with AES and RSA encryption methods. After the file modification ransomware places a ransom note called !!!SAVE_FILES_INFO!!!.txt on every file that contains encrypted data.

Virus developers claim they have the tool for file recovery and decryption and encourage people to contact them via savefiles@india.com email. You shouldn't do that because criminals are not worthy of your trust. You better follow your provided guide and clean your system. Then, try data recovery tools or programs and restore your files.

The ransom note contains the following text:

WARNING!
Your files, photos, documents, databases and other important files are encrypted and have the extension: .SAVEfiles
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $500.
This price avaliable if you contact us first 72 hours.

E-mail address to contact us:
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch

Reserve e-mail address to contact us:
savefiles@india.com

Your personal id:

This version can be spread by various malware and other cyber infections. This is why multiple files related to the ransomware can be detected by antivirus and anti-malware tools. You should remove STOP ransomware using programs like Reimage or Malwarebytes. Perform a full system scan to clean your system further. 

Various threat names which can be associated with STOP ransomware:

  • TR/Kryptik.buifz
  • Win32:Trojan-gen
  • Trojan/Win32.Scar
  • malicious.78b1b6
  • Gen:Heur.Ransom.RTH.1
  • Trojan.Win32.Krypt
  • Ransom.Chaicha
  • Trojan.Gen.2

Crypto-virus might get into the system as soon as you open a malicious spam email

The executable of a file-encrypting virus typically spreads via malicious spam emails[2] that include attachments. With the help of social engineering, criminals trick victims into opening obfuscated attachment and letting malware into the system. You can spot a dangerous email from these signs:

  • You did not expect to get this email (e.g., you haven't ordered anything from Amazon, and you do not expect a FedEx courier to bring any parcel).
  • The letter lacks of credentials, such as company logo or signature.
  • The email is full of mistake or weirdly structured sentences.
  • The letter does not have a subject line, the body is empty and it includes only an attachment.
  • The content of the email urges to check the information in the attachment.
  • Sender's email address seems suspicious. 

STOP ransomware spreads via emails
STOP malware has been actovely spreading around with the help of spam.

However, specialists from NoVirus.uk[3] tell that malware can also sneak into the system when a user clicks on a malicious ad, downloads corrupted program or its update, and applying any other techniques.

For this reason, internet users should learn to identify potential risks that might be lurking on the web. We want to remind that any security software can fully protect you from ransomware attack. For this reason, watching your clicks and downloads, as well as creating and regularly updating backups are a must!

Get rid of STOP ransomware to recover your files

First of all, we want to discourage you from removing ransomware manually. This cyber threat includes numerous files and components that might look like legitimate system processes. Therefore, you can easily delete wrong entries and cause more damage. For this reason, you have to opt for automatic STOP ransomware removal.

The virus might block access to security software which is needed for the removal, so you should disable the virus first by booting to Safe Mode with Networking. The instructions below will explain to you how it's done. It doesn't matter which version of malware affected your PC, the removal guide remains the same.

When in Safe Mode, download, install and update Reimage, Plumbytes Anti-MalwareNorton Internet Security or Malwarebytes. Then, run a full system scan and wait until the program finishes cleaning the system and helps you remove STOP ransomware. Later you can plug in backups to recover your files or try alternative methods presented below.

Offer
We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.

If you decided to select another anti-spyware, uninstall Reimage from your computer.
Press mentions on Reimage
Alternate Software
Malwarebytes
Alternate Software
Malwarebytes

To remove STOP virus, follow these steps:

Remove STOP using Safe Mode with Networking

Follow these steps to reboot the computer to Safe Mode with Networking which allows disabling STOP ransomware:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove STOP

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete STOP removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove STOP using System Restore

This method can also help to get rid of the virus automatically:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of STOP. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that STOP removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove STOP from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by STOP, you can use several methods to restore them:

Try Data Recovery Pro

Originally, this tool is designed to recover files after system wreckage or deletion. However, it can be helpful after ransomware attack too.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by STOP ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

This method allows copying previously saved versions of files if System Restore was enabled before ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try out ShadowExplorer

ShadowExplorer can recover files from Shadow Volume Copies if STOP ransomware did not delete them.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

About the author

Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

References