Decrypting The Files Locked By Stop, A Highly Active Ransomware

Emsisoft, a New Zealand based security company has successfully built decryption tools for a family of ransomware including Djvu and Puma known by the name, Stop. Emsisoft owns up to help victims recover some files. Stop is found to be the most active ransomware accounting for more than half of all infections according to ID-Ransomware, a free site helping identify infections. But Emsisoft identifies far higher figures of infection.

If ransomware is unknown to you, you are really lucky. It is the most common way adopted by criminals to make money by infecting computers with malware that locks files using encryption. Once infected, the ransomware renames user’s files with one among these extensions , replacing .jpg and .png files with .radman, .djvu and .puma. The file can be unlocked in exchange for a ransom demand in a few hundred dollars in cryptocurrency,

Ransomware can be compromised due to vulnerabilities in the code which helps security experts unlock some victims’ files without paying up. In some cases, it is possible to reverse the encryption and return the files to normal. 

Researchers at Emsisoft have successfully cracked the ransomware which is the latest of its kind. According to Emsisoft, the victim count is around 1116,000 that is just about one-quarter of the total number of victims. Michael Gillespie, the main developer, and researcher adds that” it is a complicated decryption tool more than what would be available normally for such complicated ransomware.” 

The modus operandi of Stop is encrypting user files with either an online key from the attacker’s server or an offline key that encrypts the files as it can’t communicate with the server. As Gillespie finds, victims are infected with offline keys as the attackers' web infrastructure was down or inaccessible to the infected computer.

How the tool works

The victim of the infection is given a master key, says Gillespie and the ransomware encrypts it by combining the first five bytes of each file with the master key. The .png files share the same five bytes for every .png file. All .png files can be decrypted by just comparing an original file with encrypted files and applying some mathematical computations.

In the case of some file types, they share the same initial five bytes and Microsoft Office documents with .docx and .pptx extensions share the same five bytes as .zip files. So any of these file types can decrypt the others with before or after files. Though this tool cannot be counted on as a cure-all for infected computers, the victims have to find a good before and after of the filetypes to be recovered.

After cleaning up the ransomware the users should check for any files that were backed up. It could be default Windows wallpaper, or finding the original file sent through the mail and matching it with the new encrypted file.

On uploading the before and after pair of files to the submission portal, the server matches and figures out if the files are compatible and spit back the extensions that can be decrypted.

Pitfalls do exist in this system.

“ Unless encrypted with the offline key, nothing much can be done for the infections after the end of August 2019,” he said. Victims are unlucky if an online key from the attackers' server is pulled out. Also, the file size has to be above 150 kilobytes, or else the decryption tools won’t work as the ransomware encrypts files of that size. As each file extension handles the first five bytes of the file differently, certain file extensions will be difficult if not impossible to recover.

Gillespie has been manually processing decryption keys for victims with encrypted files using an offline key. His rudimentary decryption tool named STOPDecrypter has successfully decrypted some files. Keeping the tool updated was quite a task for him. The attackers pushed more encrypted files, as he found a workaround each time to outwit him.

He has received thousands of messages from people with their systems encrypted by Stop ransomware since the tool was launched. He keeps the victims updated with his findings and updates of his decryption tool. He has also faced the brunt of desperate victims to get their files decrypted. He is making arrangements for the tool to be fed into Europol’s No More Ransom Project keeping future victims notified about a decryption tool readily available. The future seems to be promising for the decryption tool and Gillespie.