Researchers at New Zealand-based cybersecurity firm Emsisoft have released a free decryptor for STOP ransomware. STOP ransomware is primarily used to attack consumers rather than businesses and is usually delivered via cracked software and adware bundles distributed on websites that offer cracks for legitimate software applications such as Photoshop.
The threat actors behind the campaign are highly active. STOP is the most widely distributed ransomware family, accounting for an estimated 60% to 70% of new ransomware infections; however, because the victims are mostly consumers rather than businesses, the infections tend not to be reported and the family has largely flown under the radar. The attacks are concentrated in Europe, South and South East Asia, South and Central America, and Africa, with relatively few in North America.
A decryptor for STOP ransomware was previously released by ransomware researcher Michael Gillespie, but it only works on files encrypted with an offline key. When the ransomware cannot reach its command-and-control (C2) server, it falls back to an offline key hardcoded in the malware, which is the same for every victim infected by that variant while offline; once that key is known, all of those victims can decrypt their files. If communication with the C2 is possible, which is the case with most infections, a unique key is generated for that victim and is held only by the attackers. In such cases, the earlier free decryptor does not work.
The latest free decryptor for STOP ransomware was created by Emsisoft and Michael Gillespie and works on 148 of the 159 known variants of STOP ransomware, namely the variants released prior to August 2019. The decryptor does not work on infections by variants released after that date, which switched to RSA encryption, although it may still be possible to recover files for free when an offline key was used.
In order to use Emsisoft's free decryptor, matching pairs of files must be supplied: an encrypted file together with its original, unencrypted copy (for example, a copy restored from a backup, an email attachment, or an installer downloaded again from the vendor). The files must be larger than 150 KB, and a separate pair is required for each file type that needs to be decrypted. Since each file type must be checked separately before the decryptor can be downloaded, recovery may take some time, but it means the ransom does not need to be paid.
The free decryptor is available from Emsisoft's website.
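The article does not describe how Emsisoft's tool uses the file pairs. As an added example, not Emsisoft's code and not STOP's actual algorithm, the Python below illustrates the general known-plaintext principle behind any such file-pair requirement: if a ransomware family reuses the same stream-cipher keystream for every file on a victim's machine and only encrypts a fixed-size prefix of each file, XORing one original file with its encrypted copy yields that keystream, which then strips the encryption from every other file. The toy SHA-256 counter-mode cipher, the 150 KB encrypted prefix (chosen to mirror the page's minimum file size) and all sample files are constructed assumptions for the demonstration; the page does not explain why a pair is needed per file type, and the example does not model that.

```python
"""
Toy demonstration of known-plaintext keystream recovery against a stream
cipher whose keystream is reused across files. Added example only: this is
not Emsisoft's decryptor and not STOP's real cipher or file format.
"""
import hashlib

# Assumption for the demo: only the first 150 KB of each file is encrypted.
# This mirrors the page's requirement that supplied file pairs exceed 150 KB.
ENCRYPTED_PREFIX = 150 * 1024


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the shorter length (fast via big ints)."""
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: concatenated SHA-256(key || nonce || counter) blocks.
    Stands in for any stream cipher; the flaw modelled is key/nonce reuse, not
    a weakness of the hash."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Encrypt only the first ENCRYPTED_PREFIX bytes; the tail is left intact."""
    head, tail = data[:ENCRYPTED_PREFIX], data[ENCRYPTED_PREFIX:]
    return xor_bytes(head, keystream(key, nonce, len(head))) + tail


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """ciphertext XOR plaintext = keystream for the encrypted prefix.
    A pair shorter than the prefix would only reveal part of the keystream,
    so it is rejected, which is the reason behind a minimum pair size."""
    if len(original) < ENCRYPTED_PREFIX or len(encrypted) < ENCRYPTED_PREFIX:
        raise ValueError("file pair must be larger than the encrypted prefix")
    return xor_bytes(original[:ENCRYPTED_PREFIX], encrypted[:ENCRYPTED_PREFIX])


def decrypt_with_keystream(encrypted: bytes, ks: bytes) -> bytes:
    """Apply a recovered keystream to any other file encrypted with it."""
    head, tail = encrypted[:ENCRYPTED_PREFIX], encrypted[ENCRYPTED_PREFIX:]
    if len(head) > len(ks):
        raise ValueError("recovered keystream too short for this file")
    return xor_bytes(head, ks) + tail


def build_sample_files():
    """Constructed 'victim' files, both larger than ENCRYPTED_PREFIX."""
    known_original = b"%PDF-1.4\n" + bytes(range(256)) * 700        # ~179 KB, victim still has a clean copy
    other_original = b"%PDF-1.4\n" + b"confidential report " * 9000  # ~180 KB, no clean copy exists
    return known_original, other_original


def demo() -> bool:
    """Recover the keystream from one pair and decrypt a different file with it."""
    key = hashlib.sha256(b"toy-per-victim-key").digest()
    nonce = b"\x00" * 8
    known_original, other_original = build_sample_files()
    # The ransomware reuses one key and nonce for every file: the flaw exploited.
    known_encrypted = encrypt_file(known_original, key, nonce)
    other_encrypted = encrypt_file(other_original, key, nonce)
    ks = recover_keystream(known_original, known_encrypted)
    return decrypt_with_keystream(other_encrypted, ks) == other_original


def short_pair_is_rejected() -> bool:
    """A pair below the prefix size cannot yield the full keystream."""
    key = hashlib.sha256(b"toy-per-victim-key").digest()
    nonce = b"\x00" * 8
    small_original = b"tiny" * 1000  # 4 KB, below the minimum pair size
    small_encrypted = encrypt_file(small_original, key, nonce)
    try:
        recover_keystream(small_original, small_encrypted)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("other file recovered:", demo())
    print("short pair rejected:", short_pair_is_rejected())
```

The same arithmetic is why a recovered keystream is useless against files encrypted under a different key, which is the situation for victims whose infection used a unique online key.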
Always Check for Free Ransomware Decryptors
Before making a decision about whether to pay a ransom or recover files from backups, it is important to identify the ransomware variant involved and check whether a free decryptor is available that could allow you to recover your files quickly and relatively painlessly.
Free decryptors are available for many ransomware families through the No More Ransom project (nomoreransom.org) and from certain security vendors, notably Emsisoft.