Image: Ivan Diaz

German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims' files after infection.

"This tool does not prevent the infection itself. STOP ransomware will still place ransom notes and may change settings on the systems," G DATA malware analysts Karsten Hahn and John Parol explained.

"But STOP ransomware will not encrypt files anymore if the system has the vaccine. Instead of a personal ID, the ransom notes will contain a string that files were protected by the vaccine."

You can download the STOP Ransomware vaccine here, as a compiled .EXE or Python script.

This vaccine may cause your security software to believe your system is infected, since it works by adding files the malware usually deploys on infected systems to trick the ransomware into believing the device was already compromised.

While a decryptor was also released for STOP Ransomware in October 2019 by Emsisoft and Michael Gillespie to decrypt files encrypted by 148 variants for free, it no longer works with newer variants. Hence, G DATA's vaccine is your best bet if you want protection against this ransomware strain.

STOP ransomware vaccine (BleepingComputer)

However, since threat actors commonly bypass vaccines after they are released, this vaccine may stop working for future versions of this ransomware.

Therefore, after applying the vaccine, you should ensure that your important files are also backed up!

STOP Ransomware — the most active ransomware nobody talks about

While other ransomware strains get the most media attention, STOP ransomware has constantly been behind the most significant slice of ID Ransomware submissions and support requests on BleepingComputer's forums in recent years.

Out of thousands of ID Ransomware submissions per day during high ransomware activity, anywhere between 60 and 70% are STOP ransomware submissions.

STOP ransomware activity (BleepingComputer)

This is because this ransomware mainly targets home users through shady sites and adware bundles that push malicious software cracks or adware bundles disguised as free programs.

The latter usually install a wide range of unwanted software onto a user's computer, and, more often than not, one of the programs installed is malware such as STOP Ransomware.

Cracks reported to have been used in STOP Ransomware delivery include KMSPico, Cubase, Photoshop, and antivirus software.

Apart from this deployment method, STOP is just your ordinary ransomware, which encrypts files, appends an extension, and drops a note asking for a ransom ranging from $500 to $1000.

However, what makes it so successful is the massive number of variants constantly being released to avoid detection.
