STOP Ransomware Delivered through Software Cracks

January 24, 2019


STOP ransomware, a crypto-ransomware variant that appends the .rumba file extension to encrypted files, is being delivered through software cracks.

Software cracking programs that produce licenses for popular software are commonly used to deliver malware. The executable files frequently install spyware and adware during the cracking procedure. While it is not unknown for other malware to be installed when the programs are run, it is comparatively rare for ransomware to be installed.

However, one supplier of cracks has added STOP ransomware to numerous software cracking programs that produce license codes for Windows, Cubase, Photoshop, KMSPico, and antivirus software. The malicious cracks are being distributed across several sites.

The ID Ransomware service has received 304 submissions of the latest STOP ransomware infections in January 2019, although there are likely to be many more victims.

STOP ransomware was first identified in December 2017 and is regularly updated. A new variant of the ransomware is released nearly every month, each with a new file extension. The latest variant uses the .rumba extension; others include .puma, .pumax, .shadow, .keypass, .tro, and .djvu.

The ransom demands vary but are typically in the range of $300-$600 per infected device. Many different techniques are used to spread the ransomware. In addition to cracks, infections have occurred as a consequence of brute force attacks, drive-by downloads from compromised websites, exploits of unpatched vulnerabilities, and spam emails.

Although no free decryptor is available that can guarantee recovery without paying the ransom, Michael Gillespie has developed a decryptor that can be used free of charge and may allow victims to recover their files. Details can be found in this post.