.STOPDATA Ransomware Virus - How to Remove It and Restore Files

This article has been created to explain what the new version of STOP ransomware is, how to remove it, and how to try to restore files with the .STOPDATA extension that it has encrypted on your PC.

A new variant of the STOP ransomware virus, released back in January 2018, has been detected by security researchers. It appends the .STOPDATA file extension to the files it encrypts and then asks victims to pay a hefty ransom fee to get the encrypted files restored to their normal working state. If your computer has been affected by the .STOPDATA ransomware virus, we recommend that you read this article thoroughly to understand more about it, learn how to remove it from your computer, and see how you can try to restore as many files as possible without having to pay the ransom.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files on your computer and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files with the help of the AES and RSA encryption algorithms. All locked files will have the .STOPDATA extension appended to them.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.STOPDATA Virus – Methods of Distribution

The .STOPDATA files virus may be spread onto victims' computers via several different methods. The ransomware has a payload which is dropped by an intermediary piece of malware known as a dropper. This dropper may be spread in different ways, the main ones of which are believed to be e-mail messages sent directly to the victim. These e-mails often carry malicious attachments whose main goal is to initiate the infection dropper. The e-mails often contain convincing messages and often pretend to come from legitimate companies, such as:

  • PayPal.
  • DHL.
  • FedEx.
  • Image files
  • Amazon.
  • eBay.

In addition to being e-mailed to victims, the malicious file that infects computers with the .STOPDATA virus may also be delivered via a drive-by download web link on social media sites, or uploaded to websites while posing as a seemingly legitimate program, such as:

  • Setups of software.
  • Cracks.
  • Keygens.
  • Patches.
  • Fixes.
  • Portable programs.

.STOPDATA Ransomware – Further Information

The .STOPDATA ransomware virus may perform a wide variety of activities on the infected computer once it has dropped its payload. The payload of the .STOPDATA ransomware may consist of different types of files, each with its own set of activities to perform. The payload files may exist in the following Windows directories:

  • %AppData%.
  • %Local%.
  • %Temp%.
  • %LocalLow%.
  • %Roaming%.
  • %SystemDrive%.
  • %Windows%.
  • %Documents%.

Once the malicious files of the .STOPDATA ransomware are dropped on the victim's computer, the virus may begin its activity. Similar to its predecessor, the ransomware may drop its ransom note on the victim's computer. The ransom note file has the following message to victims:

“All your important files were encrypted on this PC.
All files with .STOPDATA extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email [email protected] send us an email your !!!RESTORE_DATA!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $200 if you contact us first 72 hours.
Your personal id:
E-mail address to contact us:
[email protected]”

In addition to this, the .STOPDATA virus may create mutants (mutex objects) as well as scheduled tasks that run each time you start Windows. The virus may also collect information from your computer, such as:

  • Computer name.
  • Programs, installed on your PC.
  • Network and system information.

The .STOPDATA files virus may then attack the shadow volume copies of the compromised PC in order to delete the copies of your files that Windows has backed up. This happens by executing a malicious .bat file that runs Windows commands as administrator. The commands executed by the .STOPDATA virus are believed to be the following:

sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
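
For defenders, the command sequence listed above is a useful detection signal in process-creation logs, because one host stopping security services and tampering with recovery settings in the same run is rarely legitimate. The following is an added example, not code from the original article: the event format, host names, function names and alert threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Service names as printed in the article. "vss" is an added assumption:
# the article prints "VVS", while the Volume Shadow Copy service is named VSS.
LISTED_SERVICES = {"vvs", "vss", "wscsvc", "windefend", "wuauserv",
                   "bits", "ersvc", "wersvc"}

RULES = [
    ("shadow_copy_delete",
     re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I)),
    ("recovery_disabled",
     re.compile(r'bcdedit(\.exe)?"?\s+/set\s+\S+\s+recoveryenabled\s+no\b', re.I)),
    ("boot_failures_ignored",
     re.compile(r'bcdedit(\.exe)?"?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures', re.I)),
]
SC_STOP = re.compile(r'\bsc(\.exe)?"?\s+stop\s+"?([\w.-]+)', re.I)


def classify(command_line):
    """Return the behaviour tags that one process command line matches."""
    tags = [name for name, rx in RULES if rx.search(command_line)]
    m = SC_STOP.search(command_line)
    if m and m.group(2).lower() in LISTED_SERVICES:
        tags.append("service_stop:" + m.group(2).lower())
    return tags


def score_hosts(events, threshold=3):
    """events: (host, command_line) pairs. A single 'sc stop' is routine admin
    work, so alert only when a host shows >= threshold distinct behaviours."""
    seen = defaultdict(set)
    for host, command_line in events:
        seen[host].update(classify(command_line))
    return {h: sorted(t) for h, t in seen.items() if len(t) >= threshold}


# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-01", "sc stop WinDefend"),
    ("WS-01", "sc stop wscsvc"),
    ("WS-01", "cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("WS-01", r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    ("WS-02", "sc stop wuauserv"),       # patch-maintenance script
    ("WS-02", "vssadmin list shadows"),  # read-only query
    ("WS-02", "sc stop Spooler"),        # service not on the article's list
]

if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_EVENTS).items():
        print(host, tags)
```

In practice the events would come from Windows process-creation auditing or an EDR export, and the threshold should be tuned against your own administrative scripts.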

.STOPDATA Virus – Encryption

Before encrypting the files on your computer, the .STOPDATA files ransomware may start to scan for the important file types that are used on a regular basis. These types of files often are:

  • Music and other audio file types.
  • Videos and all video file formats.
  • Document file types.
  • Image file types.
  • Databases and backup file extensions.
  • Signatures, virtual drives and other specific files.

After the .STOPDATA virus has detected those files, the malware may use the RSA-1024 encryption algorithm in order to encrypt them. The encryption is performed in such a way that the original files are deleted and their encrypted copies remain in a non-openable state, with the .STOPDATA extension appended to them.

Remove STOP Ransomware and Restore .STOPDATA Files

In case your PC has been infected by the .STOPDATA virus, we advise that you read the removal instructions underneath this article. They have been created to enable you to remove this malware from your computer either manually or automatically. If manual removal does not seem to help, be advised that security experts recommend removing the .STOPDATA ransomware automatically, preferably by downloading advanced anti-malware software. Its primary purpose is to scan your computer for various malicious files, remove those files and objects in a safe manner, and make sure that your computer remains protected against future infections as well.

If you want to restore files encrypted by the .STOPDATA variant of STOP ransomware, you can try to recover as many files as you can, preferably by trying out the file recovery methods underneath this article in step “2. Restore files, encrypted by .STOPDATA Virus”. They have been created to help you restore as many .STOPDATA files as possible back to their normal state, but be advised that they are not a direct and complete solution. For such a solution to exist, an official decryptor for this ransomware has to be released, either by the cyber-criminals behind the .STOPDATA virus or by malware researchers.
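
Before trying any recovery method, it helps to know how many files were hit, of which types, and where the ransom notes sit. The following added example (not part of the original article) walks a folder read-only and inventories files carrying the .STOPDATA extension and notes named !!!RESTORE_DATA!!!.txt, the name taken from the ransom text quoted above; the function name and report layout are assumptions of this example.

```python
import os
from collections import Counter

ENCRYPTED_EXT = ".stopdata"            # extension named in the article, lowercased
NOTE_NAME = "!!!restore_data!!!.txt"   # note file name from the ransom text, lowercased


def inventory(root):
    """Read-only walk of `root`. Returns a dict with the encrypted files, the
    ransom notes, a count of original file types and the encrypted byte total."""
    encrypted, notes, types, total = [], [], Counter(), 0
    for dirpath, _dirs, files in os.walk(root):   # unreadable dirs are skipped
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()                  # Windows names are case-insensitive
            if lower == NOTE_NAME:
                notes.append(full)
            elif lower.endswith(ENCRYPTED_EXT) and len(lower) > len(ENCRYPTED_EXT):
                original = name[:-len(ENCRYPTED_EXT)]   # e.g. report.docx
                ext = os.path.splitext(original)[1].lower() or "(none)"
                types[ext] += 1
                encrypted.append(full)
                try:
                    total += os.path.getsize(full)
                except OSError:
                    pass                          # file vanished or access denied
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "types": types, "bytes": total}


if __name__ == "__main__":
    import sys
    report = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(len(report["encrypted"]), "encrypted files,", report["bytes"], "bytes")
    for ext, count in report["types"].most_common():
        print(f"  {ext:10} {count}")
    for note in report["notes"]:
        print("ransom note:", note)
```

Run it against a copy or a mounted image of the affected drive where possible, so that recovery attempts never touch the only remaining copy of the encrypted data.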

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
