The STOP ransomware got a wide distribution over the last month using a method of disguising cracks as adware installers. Because of the popularity of adware installers and software cracks, STOP became one of the fastest spreading ransomware in a while. The new version of the ransomware released a few days ago appends rumba extension to the names of all your encrypted files. Previous variants used djvu and tro extenstions, but the Rumba version is the most distributed one.
Usually, user gets the infection when downloading software bundles or cracks from the sites that use adware bundles to generate revenue for themselves. This bundles usually contain a big variety of potentially unwanted programs (PUPs), miners and ad software, but lately a few bundles started including STOP ransomware with the other things.
According to reports, the cracks, containing STOP Ransom, are popular copyrighted software, Windows activation cracks and various antivirus programs. There doesn’t seem to be one particular source of ransomware distribution, but a lot of crack sites distributing the same adware bundles are affected.
The latest version of STOP encrypts the files, appending the rumba extension to their names, while creating a ransom note in the every folder it encrypted. This note contains the instructions on contacting the hacker and the payment instructions.
In some cases, it is possible to recover your files for free using STOPDecrypter software by Michael Gillespie. The latest version of the STOPDecrypter supports various extensions (.djvu, .djvuq, .djvur, .djvut, .djvuu, .pdff, .tfude, .tfudeq, .tro, .udjvu, .tfudet).