STOP ransomware is using adware installers disguised as cracks as a new method of distributing itself to unsuspecting users. According to Bleeping Computer creator and owner Lawrence Abrams, websites known for distributing software cracks, or software which has been modified to remove or disable certain features, commonly use adware bundles to generate revenue. These bundles generally push out unwanted programs and cryptocurrency miners, he notes. It's less common for them to include ransomware. Even so, Abrams explains in a blog post that STOP ransomware has used this exact means of distribution to become one of the most prolific families he's seen in some time:
Some of the reported cracks that are installing this ransomware include Windows activation cracks such as KMSPico, Cubase, Photoshop, antivirus software, and cracks for many other popular copyrighted software. From reports by infected users, it does not appear to be one particular crack site that is affected, but many different ones who are pushing similar adware bundles.
The ransomware has gone through several file name extensions throughout its existence so far. It began with .djvu before moving on to .tro and finally arriving at the current .rumba variant. That being said, Abrams hasn't found much in how the most recent version differs in its behavior compared to the .djvu variant. As before with its previous iterations, the .rumba form places a ransom note named "_openme.txt" containing payment instructions into each folder on the infected machine where it's encrypted a file.
A screenshot of the ransom note. (Source: Bleeping Computer) Fortunately, victims of STOP ransomware might have some hope of recovering their files. They can click here to look into using a decryptor created by Michael Gillespie. Alternatively, they can post their network card's MAC address, a link to two encrypted files and their personal ID from the ransom note into Bleeping Computer's dedicated STOP Ransomware Support & Help topic, where someone will try to help them. Users should also make sure they've taken steps to prevent a ransomware infection in the first place. Expert tips in this regard can be found here.
