STOP Ransomware Delivered via Software Cracks

STOP ransomware, a crypto-ransomware variant that uses the .rumba file extension on encrypted files, is being delivered via software cracks.

Software cracking programs that generate licenses for popular software programs are commonly used to deliver malware. The executable files often install spyware and adware code during the cracking process. While it is not unknown for other malware to be installed when the programs are run, it is relatively rare for ransomware to be installed.

However, one provider of cracks has added STOP ransomware to several software cracking programs that generate license codes for Windows, Cubase, Photoshop, KMSPico, and antivirus software. The malicious cracks are being distributed across multiple sites.

The ID Ransomware service has received 304 submissions of new STOP ransomware infections in January 2019, although there are likely to be many more victims.

STOP ransomware was first identified in December 2017 and is regularly updated. A new version of the ransomware is released virtually every month, each with a new file extension. The latest variant uses the .rumba extension; others include .puma, .pumax, .shadow, .keypass, .tro, and .djvu.
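As an added example (not part of the original article), the following Python sketch triages a directory tree for the extensions listed above. It assumes the ransomware appends its extension to the original file name (for example invoice.xlsx.rumba) and treats a file whose only extension is on the list as review-only, since .djvu is also a legitimate document format; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article lists for STOP variants.
STOP_EXTENSIONS = {".rumba", ".puma", ".pumax", ".shadow", ".keypass", ".tro", ".djvu"}

def classify(name):
    """Return (stop_ext, kind) for a suspicious file name, else None.

    kind is "appended" when the listed extension follows another extension
    (report.docx.rumba) and "bare" when it is the only one (book.djvu),
    which may be a legitimate file and needs manual review.
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or suffixes[-1] not in STOP_EXTENSIONS:
        return None
    return suffixes[-1], ("appended" if len(suffixes) > 1 else "bare")

def scan(root):
    """Walk root; return (count of appended hits per extension, sorted hits)."""
    counts, hits = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = classify(name)
            if result is None:
                continue
            ext, kind = result
            hits.append((os.path.join(dirpath, name), ext, kind))
            if kind == "appended":
                counts[ext] += 1
    return counts, sorted(hits)

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    samples = ["invoice.xlsx.rumba", "photo.JPG.Rumba", "thesis.docx.puma",
               "scanned-book.djvu", "notes.txt", "setup.exe"]
    with tempfile.TemporaryDirectory() as root:
        for name in samples:
            Path(root, name).write_bytes(b"constructed sample")
        counts, hits = scan(root)
        return counts, [(os.path.basename(p), e, k) for p, e, k in hits]

if __name__ == "__main__":
    counts, hits = demo()
    for name, ext, kind in hits:
        print(f"{kind:9} {ext:8} {name}")
    print("appended hits per extension:", dict(counts))
```

Because a new extension appears with nearly every release, the extension set needs to be kept current for the scan to remain useful.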

The ransom demands are variable but are usually in the range of $300-$600 per infected device. Many different methods are used to distribute the ransomware. In addition to cracks, infections have occurred as a result of brute force attacks, drive-by downloads from compromised websites, exploits of unpatched vulnerabilities, and spam emails.

While no free decryptor is available that can guarantee recovery without paying the ransom, Michael Gillespie has developed a free-to-use decryptor that may allow victims to recover their files. Details can be found in this post.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news