
STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Help & Support Topic


9960 replies to this topic

#1 quietman7

quietman7

    Bleepin' Gumshoe


  • Global Moderator
  • 56,401 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:02 AM

Posted 10 February 2018 - 07:30 AM

This topic is the primary support topic for assistance with STOP (DJVU) Ransomware. It includes an updated summary of this infection, its variants and possible decryption solutions with instructions.
 
Any files that are encrypted with older STOP (DJVU) Ransomware variants will have the .STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT, .puma, .pumax, .pumas, .shadow, .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promock, .promoks, .promorad, .promorad2, .kroput, .kroput1, .charck, .pulsar1, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .verasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .forasom, .berost, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidon, .heroset, .myskle, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .tocue, .darus, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .stare, .cetori or .carote extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov).

Any files that are encrypted with newer STOP (DJVU) Ransomware variants after August 2019 will have the .coharos, .shariz, .gero, .hese, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .nosu, .kodc, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk or .opqz extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov).  With the release of the .gero variant, the malware developers have been consistent on using 4-letter extensions since switching to the New STOP Djvu variants.
 
STOP Ransomware will leave files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt and !readme.txt. The .djvu* and newer variants will leave ransom notes named _openme.txt, _open_.txt or _readme.txt

 

***IMPORTANT: @ ALL VICTIMS....

 

STOP Djvu Ransomware has two versions.
1. Old Version: Most older extensions, starting with .djvu (v013) up to .carote (v154)...decryption for most of these versions was previously supported by STOPDecrypter ONLY if infected with an OFFLINE KEY.  That same support has been incorporated into the new Emsisoft Decryptor/submission method for these old Djvu variants...the decrypter will only decrypt your files without submitting file pairs if you have an OFFLINE KEY.

 

2. New Version: The newest extensions released around the end of August 2019 AFTER the criminals made changes....this includes .coharos, .shariz, .gero, .hese, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, etc. All of these new versions were never supported by STOPDecrypter.  However, OFFLINE KEYS for some newer variants have been obtained by Emsisoft and uploaded to their server. This is possible after a victim pays the ransom, receives a key from the criminals and shares that key with the Emsisoft Team. ONLINE KEYS are UNIQUE for each victim...scroll down to see the UPDATED LIST under the section ABOUT ONLINE & OFFLINE KEYS.

 

As a result of the changes made by the criminals, STOPDecrypter is no longer supported...it has been discontinued AND replaced with the Emsisoft Decryptor for STOP Djvu Ransomware developed by Emsisoft and Demonslay335 (Michael Gillespie).

 

Going forward, EVERYONE should be using the Emsisoft Decryptor.

STOP Ransomware Decryptor (released for 148 variants)  <- Be sure to READ the INSTRUCTIONS in this article

A decryptor for the STOP Ransomware has been released by Emsisoft and Michael Gillespie that allows you to decrypt files encrypted by 148 variants of the infection for free....anyone who was infected after August 2019 cannot be helped with this service. With that said, it may be possible to decrypt using an offline key, so even with these variants there may be some success.

WARNING NOTE: Please DO NOT use or share download links for decrypter_2.exe. This was the shoddy decrypter written by the criminals which victims were using as a LAST RESORT. With the release of Emsisoft's decryptor, there is no need for victims to use this decrypter any more...the Emsisoft decryptor does everything it can do and more, safely. All the download links for decrypter_2.exe have been removed and if anyone posts a new download link, that too will be removed.

 

---------------------------------------------------------------------------------------------------------------------------------------------------------------
USING EMSISOFT DECRYPTOR FOR STOP DJVU RANSOMWARE:

 

Emsisoft Decryptor for STOP Djvu <- official authorized download link

Emsisoft Decryptor for STOP Djvu alternate download

There are limitations on what files can be decrypted. For all versions of STOP Djvu, files can be successfully decrypted if they were encrypted by an offline key that we have. For Old Djvu, files can also be decrypted using encrypted/original file pairs submitted to the STOP Djvu Submission portal; this does not apply to New Djvu after August 2019.

If you were infected after August 2019, then you are encrypted with a new version that the Emsisoft Decryptor for STOP Djvu does not support and these instructions do not apply. In order to decrypt any of these new versions an OFFLINE KEY with corresponding private key is required. If an OFFLINE KEY is obtained, it will be pushed to the server and automatically added to the decryptor. As such, you should instead download the decryptor to see if Emsisoft has been able to gain access to an OFFLINE KEY which can decrypt your files. The Emsisoft decryptor requires a working Internet connection so make sure you are connected before running it.

 

If you are infected with the .puma, .pumas, .pumax or .INFOWAIT, .DATAWAIT extensions of the earlier STOP Ransomware variants, you should download and use the Emsisoft Decryptor for STOP Puma.  These extensions can be decrypted by providing a single encrypted and original file pair over 150KB.

Note: Dr.Web may be able to help with other earlier UPPERCASE variants as noted here  by Emmanuel_ADC-Soft.

 

Emsisoft STOP Djvu Decryption Service

In order to decrypt some of your files, we need some encrypted files and their originals.
Specifically, these file pairs need to meet the following requirements:

  • Must be the same file before and after encryption[1]
  • Must be a different file pair per file type you wish to decrypt[2]
  • Must be at least 150KB

Notice: this service does not support the "New" variants that use RSA encryption.
If your files were encrypted after August 2019, chances are it is the "New" version

Again, the decryptor can only decrypt files with the same first 5 bytes as what you submitted and you have to supply a file pair for each format you want to decrypt.

 

A single file pair means an encrypted file and its exact unencrypted original. Everyone can always find a clean unencrypted copy (same size) of an original file that was encrypted for a pair.

  • Files you downloaded from the Internet that were encrypted and you can download again to get the original.
  • Pictures that you shared with family and friends that they can just send back to you.
  • Pictures you uploaded on social media or cloud services (Carbonite, OneDrive, iDrive, Google Drive, etc.)
  • Attachments in emails you sent or received and saved.
  • Files on an older computer, flash drive, external drive, camera memory card or iPhone from which you transferred data to the infected computer.
  • Default or sample wallpapers and pictures that were shipped with your Windows version which you can get from another system running the same Windows version.

For more information, please read the Frequent Questions at the bottom of STOP Djvu Decryption Service page.

  • What if my files are too big to upload?
  • What will you do with the files I upload?
  • What if my extension is not listed above?

---------------------------------------------------------------------------------------------------------------------------------------------------------------
ABOUT ONLINE & OFFLINE IDS / KEYS:

 

Emsisoft Decryptor supports and will only attempt to decrypt files if they were encrypted by one of the known STOP (Djvu) OFFLINE KEYS, or by an ONLINE ID if a proper file pair is supplied to the submission form as explained here by GT500. For newer STOP (Djvu) variants, the criminals switched to a new cryptographically strong key protected by RSA. The encryption (Salsa20) is the exact same regardless of whether it is an ONLINE or OFFLINE KEY which encrypted your files. New STOP (Djvu) variants are impossible to decrypt without paying the criminals for that victim's specific (unique) private key if infected by an ONLINE KEY, or obtaining and sharing an OFFLINE KEY from victims who paid the ransom. A malware sample of any particular variant is useless for decryption since it only contains the public RSA key.

 

OFFLINE KEYS will work for ALL victims who were encrypted by the same key. However, ONLINE KEYS are random and specific to each victim, so they cannot be re-used by other victims. Although support for most of the OFFLINE IDs (and a few ONLINE KEYS) for older STOP (DJVU) versions was added to the Emsisoft Decryptor, no ONLINE IDs are supported for the new STOP (Djvu) versions.

 

The OFFLINE KEY is a hard-coded built-in encryption key that is used if the malware failed to get an ONLINE KEY from its command and control servers while you were online at the time the ransomware encrypted your files. Each variant extension only has one OFFLINE ID, which generally ends in "t1", so they are usually easy to identify. Since the OFFLINE KEY and ID only change with each variant/extension, everyone who has had their files encrypted by the same variant will have the same ID and the files will be decryptable by the same key (or "private key" in the case of RSA encryption) as explained by GT500 in the Emsisoft STOP/Djvu Decryptor FAQs. Decryption is possible with the OFFLINE ID once the corresponding private OFFLINE KEY is obtained for a specific variant.

 

If there is no OFFLINE KEY available for any specific variant, then your files cannot be decrypted at this time.

If the malware is able to reach its command server it will obtain and use a random ONLINE KEY (unique and specific to each victim). There is no way to decrypt files if infected with an ONLINE KEY without paying the ransom and obtaining the private keys from the criminals who created the ransomware, unless they are leaked or seized & released by authorities. Without the master private RSA key that can be used to decrypt your files, decryption is impossible...the key is victim specific and generated in a secure way that cannot be brute-forced. We cannot help decrypt files encrypted with the ONLINE KEY since there is no way to gain access to the criminals' command server and retrieve this KEY.

 

Per the Emsisoft STOP/Djvu Decryptor FAQs:

New Variants....As for online IDs, due to the new form of encryption, there's currently nothing the decrypter can do to help recover files.
 
Will it ever be possible to decrypt new variants with online IDs? That depends on whether or not law enforcement is able to catch the criminals who are behind this ransomware. If law enforcement is able to catch them and release their database of keys, then we can add those to our database for decryption... The more reports law enforcement agencies receive, the more motivation they have to track down the criminals.

 

The decrypter can't decrypt my files? In most cases this means you have an online ID. It could also mean your files were encrypted by a newer variant of STOP/Djvu. See below for explanations.

If the malware is unable to communicate with its command server, then the malware will give up and resort to a hard-coded OFFLINE KEY which may be decryptable. Some victims may have files encrypted by both an OFFLINE KEY and an ONLINE KEY due to the malware running multiple times and making repeated attempts to get an ONLINE KEY, sometimes successfully communicating with the server, sometimes failing and resorting to an OFFLINE KEY. In such scenarios the Emsisoft Decryptor will skip any files encrypted by the ONLINE KEY since they cannot be decrypted.

 

There no longer is an easy method to get OFFLINE KEYS for many of these newer variants and no way to decrypt files if infected with an ONLINE KEY without paying the ransom and obtaining the private keys from the criminals who created the ransomware. Emsisoft can only get OFFLINE KEYS AFTER a victim has PAID the ransom, receives a key and provides it to them. This means if infected with an ONLINE KEY, we cannot help you decrypt your files.

 

UPDATED LIST: Emsisoft has obtained and uploaded to their server OFFLINE KEYS for the following new STOP (Djvu) variants: .gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .msop, .hets, .righ, .mkos, .nbes, .reha, .topi, .repp, .alka, .nppp as noted in Post #9297 and elsewhere in the support topic.

 

** If there is no OFFLINE KEY for the variant you are dealing with OR if it is one of the newer STOP (Djvu) variants released after the criminals made changes in August 2019, we cannot help you unless an OFFLINE KEY is retrieved and added to the Emsisoft server / decryptor. For now, the only other alternative to paying the ransom, is to backup/save your encrypted data as is and wait for a possible solution.

 

** If an OFFLINE KEY is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you most likely were encrypted by an ONLINE KEY and those files are not recoverable since they are not decryptable unless you pay the ransom.

 

Emsisoft Decryptor does not need to be updated unless a bug (glitch) is discovered. Any new OFFLINE KEYS found will be pushed to the server and automatically pulled down by the decryptor.

 

Why Emsisoft Decryptor will not run: your .NET Framework is outdated or corrupted. Per the FAQs:

Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework - 4.8 at the time of writing this - and then trying the decrypter again.

Why is the decrypter stuck on "Starting"? Per the FAQs:

When you run the decrypter, it looks for encrypted files. It will say "Starting" until it is able to find some. If the decrypter remains stuck on "Starting" for a long period of time, then this means it is unable to find any encrypted files.

While running Emsisoft Decryptor, victims may notice their files are briefly visible with their original extension but then revert to their encrypted state. This is by design...the decryptor prepares a copy of the encrypted file without the encrypted extension in order to safely work on it. The decryptor then checks for a key or keystream from the server, and if it fails, the decryptor reverts and deletes the copy it just made in order to clean up after itself as explained here.

OTHER IMPORTANT INFORMATION:

 

- STOP (Djvu) Ransomware only encrypts the first 150 KB of files.
 

- All of the new STOP (Djvu) variants add 334 bytes to encrypted file size due to including the RSA-encrypted key, the ID and filemarker as explained here.
 

- Newer STOP (Djvu) Ransomware variants are known to cause dual (multiple) encryptions with more than one variant because the ransomware is loaded as a Scheduled Task and sets itself to run every 5 minutes.

 

- Newer STOP (Djvu) Ransomware variants and other ransomwares have been reported to spread by downloading & using adware bundles, pirated software, activators for Office and Windows, cracks, and shady sites.

- Newer STOP (Djvu) Ransomware variants are also installing Password Stealing Trojans.

In addition to encrypting a victim's files, the STOP ransomware family has also started to install the Azorult password-stealing Trojan on victim's computer to steal account credentials, cryptocurrency wallets, desktop files, and more...Victims who have been infected with a STOP Ransomware variant should immediately change the passwords to any online accounts that are used, especially ones that are saved in the browser. Victims should also change passwords in software such as Skype, Steam, Telegram, and FTP Clients. Finally, victims should check any files stored on the Windows desktop for private information that may now be in the hands of the attackers.

It is imperative that you change all passwords for your computer to include those used for banking, taxes, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer as a precaution, not the infected one.


Windows Insider MVP 2017-2020
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
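An added example, not part of quietman7's post and not code from Emsisoft or any tool named in this topic: a small Python triage helper that encodes the facts stated above (only the first 150 KB of a file is encrypted, the new variants add 334 bytes per file, the OFFLINE personal ID generally ends in "t1", a submittable file pair must be at least 150 KB, and the decryptor keys on the first 5 bytes of a file type, so one pair is needed per format). The ransom-note text, the sample file pair and the XOR stand-in for the real Salsa20 encryption are constructed here; that the 334 extra bytes sit after the original data is this example's assumption, not something the post states.

```python
import re
from typing import Optional

ENCRYPTED_PREFIX = 150 * 1024   # the ransomware encrypts only the first 150 KB of each file
NEW_VARIANT_OVERHEAD = 334      # bytes the new variants add (RSA-encrypted key, ID, filemarker)
MIN_PAIR_SIZE = 150 * 1024      # a submittable file pair must be at least 150 KB
MAGIC_LEN = 5                   # the decryptor only handles files sharing the submitted first 5 bytes


def extract_personal_id(note_text: str) -> Optional[str]:
    """Return the value that follows 'Your personal id:' in a ransom note, if present."""
    m = re.search(r"your personal id:\s*([A-Za-z0-9]+)", note_text, re.IGNORECASE)
    return m.group(1) if m else None


def classify_id(personal_id: str) -> str:
    """OFFLINE IDs generally end in 't1' (per the topic); anything else is treated as ONLINE."""
    return "offline" if personal_id.endswith("t1") else "online"


def needs_separate_pair(original_a: bytes, original_b: bytes) -> bool:
    """Two originals need separate file pairs when their first 5 bytes (file-type header) differ."""
    return original_a[:MAGIC_LEN] != original_b[:MAGIC_LEN]


def check_file_pair(original: bytes, encrypted: bytes) -> dict:
    """Pre-flight checks for an (original, encrypted) pair before it is submitted anywhere."""
    delta = len(encrypted) - len(original)
    result = {
        "big_enough": len(original) >= MIN_PAIR_SIZE,
        "size_delta": delta,
        "new_variant_overhead": delta == NEW_VARIANT_OVERHEAD,
        "tail_matches": None,   # only meaningful when the original is longer than 150 KB
    }
    if len(original) > ENCRYPTED_PREFIX:
        # Only the first 150 KB is encrypted, so everything after that offset should still be the
        # original's bytes.  Assumption: the 334 extra bytes are appended after that data.
        result["tail_matches"] = (
            encrypted[ENCRYPTED_PREFIX:len(original)] == original[ENCRYPTED_PREFIX:]
        )
    return result


def constructed_sample():
    """Constructed note and file pair mimicking the layout described in the topic.

    The 'encryption' is a plain XOR stand-in, not Salsa20; it only has to alter the first 150 KB.
    """
    note = "Your personal id:\n0123456789abcdefEXAMPLEt1\n"      # constructed OFFLINE-style ID
    original = b"\x89PNG\r\n" + bytes(range(256)) * 800            # 204806 bytes, PNG-like header
    scrambled = bytes(b ^ 0x5A for b in original[:ENCRYPTED_PREFIX])
    encrypted = scrambled + original[ENCRYPTED_PREFIX:] + b"\x00" * NEW_VARIANT_OVERHEAD
    return note, original, encrypted


if __name__ == "__main__":
    note, original, encrypted = constructed_sample()
    pid = extract_personal_id(note)
    print("personal ID:", pid, "->", classify_id(pid))
    print("pair check:", check_file_pair(original, encrypted))
```

A pair that reports `big_enough`, `tail_matches` and (for the new variants) a 334-byte `size_delta` is worth keeping for when a matching OFFLINE KEY appears; a pair whose tail does not match was paired with the wrong original and would only waste an upload.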



#2 glenn_ITP

glenn_ITP

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:02 AM

Posted 22 February 2018 - 03:11 AM

Hi
 
Just got a call from a customer with the above ransomware extension. Here is the ransom note:
 
All your important files were encrypted on this PC.
All files with .SUSPENDED extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email suspendedfiles@bitmessage.ch send us an email your !!!RestoreProcess!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.

Your personal id:
5QDwX38ApBptxAvLONsohcyWyDsZhoeW15GuYzU5
 
E-mail address to contact us:
suspendedfiles@bitmessage.ch
Reserve email address to contact us:
suspendedfiles@india.com
 
Posting to help others find info on this.



#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 4,298 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:02 AM

Posted 22 February 2018 - 11:00 AM

I see your submission to ID Ransomware was not identified. I have only one other submission from Italy as well. May be something new, doesn't look familiar to me (then again all the ransom notes blur together anymore).

 

We will need the malware executable in order to properly identify and analyze it. I've put out a hunt on Twitter to see if anyone has spotted it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Amigo-A

Amigo-A

    Ransomware Expert


  • Members
  • 1,734 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:02 PM

Posted 22 February 2018 - 11:09 AM

This is a new version of the Ransomware which I described on December 25, 2018 as STOP Ransomware.
 
Analogous text of the ransom note, the same ransom sum.
Another extension, note name and other e-mail.
Such changes are normal in the Ransomware environment.
 
On February 10, 2018 there was one more STOP iteration.

Edited by Amigo-A, 22 February 2018 - 11:26 AM.

My projects: Digest "Crypto-Ransomwares" + File decryptors + Anti-Ransomware (In Russian) + Google Translate

Have you been attacked by a Ransomware? Report here. If you know Russian, write to me in Russian.

UTC + 5. Availability Hours: 12.00-24.00, without breaks and weekends

 


#5 glenn_ITP

glenn_ITP

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:02 AM

Posted 23 February 2018 - 02:49 AM

I'll try to get a sample on Monday when I go to pick up the infected PC.

Anything specific I should be looking for?

#6 Amigo-A

Amigo-A

    Ransomware Expert


  • Members
  • 1,734 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:02 PM

Posted 23 February 2018 - 12:07 PM

These are some common folder (environment-variable) locations where malicious executables and .dlls hide:

  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware. 

 

 

Example of recommendation

https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/?p=4383151


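An added example, not Amigo-A's code or anything from the topic: a Python hunt script that expands the folder locations listed in the post above and reports recently written .exe/.dll files with size, modification time and SHA-256, so they can be compared with the anti-virus quarantine and history logs the post also mentions, or submitted for identification. The location list is taken from the post (with %AllUserProfile% written as %ALLUSERSPROFILE%, which is how Windows names that variable); the 24-hour window, the non-recursive scan (top level of each folder only, to avoid walking all of %SystemDrive%), and the constructed demonstration directory are this example's choices.

```python
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Folder locations from the post, kept as %VAR% templates to expand on the machine being checked.
SUSPECT_LOCATIONS = [
    "%SystemDrive%\\",
    "%SystemRoot%\\",
    "%UserProfile%\\",
    "%UserProfile%\\AppData\\Roaming\\",
    "%AppData%\\",
    "%LocalAppData%\\",
    "%ProgramData%\\",
    "%ALLUSERSPROFILE%\\",      # the post's %AllUserProfile%, as Windows spells it
    "%Temp%\\",
]
SUSPECT_SUFFIXES = {".exe", ".dll"}
_VAR = re.compile(r"%([^%]+)%")


def expand_locations(templates: Iterable[str] = SUSPECT_LOCATIONS,
                     env: Optional[Dict[str, str]] = None) -> List[str]:
    """Expand Windows-style %VAR% templates; drop any whose variable is unset, and de-duplicate."""
    env = os.environ if env is None else env
    out: List[str] = []
    for template in templates:
        missing = False

        def substitute(m: re.Match) -> str:
            nonlocal missing
            value = env.get(m.group(1))
            if value is None:
                missing = True
                return ""
            return value

        expanded = _VAR.sub(substitute, template)
        if not missing and expanded not in out:
            out.append(expanded)
    return out


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_recent(roots: Iterable[os.PathLike], hours: float = 24.0,
                now: Optional[float] = None) -> List[dict]:
    """Report .exe/.dll files directly inside each root that were modified within `hours`."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            try:
                if not entry.is_file() or entry.suffix.lower() not in SUSPECT_SUFFIXES:
                    continue
                st = entry.stat()
            except OSError:      # locked, vanished or permission-denied entries are skipped
                continue
            if st.st_mtime >= cutoff:
                findings.append({
                    "path": str(entry),
                    "size": st.st_size,
                    "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                    "sha256": sha256_file(entry),
                })
    return sorted(findings, key=lambda f: f["path"])


def demo_in_tempdir() -> List[dict]:
    """Constructed demonstration: a fresh .exe, a week-old .dll and a .txt; only the .exe is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dropper.exe").write_bytes(b"MZ" + b"\x00" * 62)   # constructed stand-in, not malware
        old = root / "old.dll"
        old.write_bytes(b"MZ" + b"\x00" * 30)
        week_ago = time.time() - 7 * 86400
        os.utime(old, (week_ago, week_ago))
        (root / "notes.txt").write_text("not an executable")
        return scan_recent([root], hours=24)


if __name__ == "__main__":
    for hit in scan_recent(expand_locations()):
        print(hit["mtime"], hit["size"], hit["sha256"], hit["path"])
```

Run it on the affected machine with `python` and the top-level call scans the expanded locations; the hashes it prints can be checked against the anti-virus quarantine log before a sample is shared with the researchers in this topic.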

 


#7 glenn_ITP

glenn_ITP

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:02 AM

Posted 05 March 2018 - 03:07 AM

I totally forgot to get a sample... I'm sorry.



#8 quietman7

quietman7

    Bleepin' Gumshoe

  • Topic Starter

  • Global Moderator
  • 56,401 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:02 AM

Posted 05 March 2018 - 04:57 PM

Does that mean you are still going to try and submit a sample?




#9 ruthay

ruthay

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 18 April 2018 - 11:15 AM

Amigo-A, thank you for identifying my .WAITING ransomware as a new version of this one! I can still send you a copy of the ransom note through SendSpace, if you need it, but it requires an email address.

 

Are you still in need of a sample of the program? In an unfortunate turn of events, I fried the hard drives on that PC while trying to connect them to another computer to pull the un-encrypted data off. New PCBs are on the way, so when I get those disks back up, I will try to get you a sample. Will probably be in mid May sometime as the PCBs are going to take 20 days to get here. Hopefully, I can get them working again.

 

Thanks again!



#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 4,298 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:02 AM

Posted 18 April 2018 - 12:15 PM

@ruthay

 

SendSpace does not require an email address. Just upload the file and share the link. Example instructions in the first post of this topic: https://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-exx-ezz-ecc-etc-decryption-support-requests/




#11 ruthay

ruthay

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 18 April 2018 - 12:25 PM

@Demonslay335

 

Thanks, I missed that.

 

Link to note: https://www.sendspace.com/file/sykx4j


Edited by ruthay, 18 April 2018 - 12:37 PM.


#12 Amigo-A

Amigo-A

    Ransomware Expert


  • Members
  • 1,734 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:02 PM

Posted 19 April 2018 - 01:18 PM

ruthay
 
Thank you. I corrected the entries in the digest according to the new information.
 
Let's hope together with you that your files will be liberated. 

Edited by Amigo-A, 19 April 2018 - 01:20 PM.


 


#13 woji

woji

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:02 AM

Posted 06 June 2018 - 11:59 AM

Hello.

A new version is in the world ... extension .CONTACTUS 

 

 

note: !!!RESTORE_FILES!!!

 

 

All your important files were encrypted on this PC.
All files with .CONTACTUS extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to CONTACTUS us by email decryption@bitmessage.ch send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.

Your personal id:
pOVTnyE2aIwqpy9o6uXWfg00sCQC97ZuvP0cbURZ

E-mail address to contact us:
decryption@bitmessage.ch
Reserve e-mail address to contact us:
decryption@india.com

_____________
Unfortunately, no sample found ... only encrypted files :(
I have a backup, but it is very annoying.


#14 quietman7

quietman7

    Bleepin' Gumshoe

  • Topic Starter

  • Global Moderator
  • 56,401 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:02 AM

Posted 06 June 2018 - 03:23 PM

This variant was reported May 30th as noted here under === Update section === BLOCK OF UPDATES ===.



#15 Amigo-A

Amigo-A

    Ransomware Expert


  • Members
  • 1,734 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:02 PM

Posted 07 June 2018 - 02:02 AM

I added English text in the block of updates.
 
Unfortunately, I do not have any samples of this Crypto-Ransomware.
Perhaps the antivirus companies have these samples in their databases.
This encryption must be cracked. For this we need to find samples of this Crypto-Ransomware.


 




