The STOP ransomware family—also known by variant names including Qopz, Gash, Xaro, and Mitu—represents one of the most prolific file-encryption threats targeting Windows users today. This malware encrypts personal files using strong cryptography and demands payment in cryptocurrency for decryption keys. Since its emergence in late 2017, STOP has spawned hundreds of variants, each typically identified by the file extension it appends to encrypted files, making it a persistent threat to home users and small businesses alike.
Unlike sophisticated nation-state malware, STOP variants spread through everyday infection vectors—pirated software, fake updates, malicious email attachments—making them a danger to anyone who downloads files from unfamiliar sources. The ransomware targets common file types including documents, photos, databases, and archives, often causing irreversible data loss for victims without proper backups.
Threat Profile
| Attribute | Details |
|---|---|
| Malware Family | STOP/Djvu Ransomware (variants Qopz, Gash, Xaro, Mitu, and 300+ others) |
| Classification | File-encrypting ransomware, cryptolocker |
| Platform | Windows (7, 8, 8.1, 10, 11) — all editions |
| First Discovered | STOP family: December 2017; these variants: 2020–2023 |
| Encryption | Salsa20 + RSA-1024 hybrid; offline keys (reused) or unique online keys |
| File Extensions | .qopz, .gash, .xaro, .mitu (variant-specific); original filename preserved with extension appended |
| Ransom Note | _readme.txt or _readthis.txt dropped in every affected folder and on the desktop |
| Ransom Demand | $490–$980 USD in Bitcoin; "discount" for payment within 72 hours (typical for family) |
| Contact Methods | Email addresses in ransom note (typically two addresses on ProtonMail or similar) |
| Distribution | Software cracks, keygens, fake installers, malicious torrents, email attachments, exploit kits |
| Persistence | Registry Run keys, scheduled tasks, startup folder entries (varies by variant) |
| Additional Payloads | Frequently bundles Azorult, Vidar, or similar info-stealers; may download additional malware |
| Removal Difficulty | Moderate (binary removal straightforward; file decryption difficult/impossible without keys) |
How It Spreads
STOP ransomware variants primarily target users searching for free or pirated software. The threat actors behind this family have built an extensive distribution network leveraging software cracking communities, torrent sites, and fraudulent download portals. When users download what appears to be a license key generator for Adobe Photoshop, a cracked copy of Microsoft Office, or an "activator" for Windows, they're often executing the ransomware payload instead.
The infection chain typically begins with a seemingly innocent executable file, sometimes even digitally signed with a stolen or fraudulent certificate to bypass security warnings. Once launched, the malware may display a fake progress bar or error message to distract the user while encryption occurs in the background. In many cases, victims don't realize they've been infected until hours later when they attempt to open a document and discover it's been encrypted.
Common distribution methods include:
- Pirated software bundles — Keygens, cracks, and patches for commercial software downloaded from torrent sites or file-sharing platforms
- Fake software updates — Fraudulent browser update prompts or fake Flash Player installers on compromised websites
- Malicious email attachments — ZIP or RAR archives containing executables disguised as invoices, shipping notifications, or tax documents
- Trojanized installers — Legitimate-looking setup files for popular free software that have been repacked with malware
- Malvertising campaigns — Malicious advertisements on legitimate sites that redirect to exploit kits or direct downloads
- Drive-by downloads — Automatic downloads triggered by visiting compromised websites, particularly those exploiting outdated browser plugins
- Remote Desktop Protocol (RDP) exploitation — Less common for STOP specifically, but observed in some deployment scenarios against poorly secured business systems
What It Does On Your Machine
Upon execution, STOP ransomware immediately begins reconnaissance to determine what files to encrypt and whether it's running in a virtual machine or analysis environment. The malware scans all accessible drives—including local hard drives, external USB drives, mapped network shares, and even cloud storage folders that are synchronized locally. It specifically targets user documents while avoiding system files necessary for Windows to boot, ensuring the victim can still access their computer to see the ransom demand.
The encryption process uses a two-stage cryptographic approach. Files are encrypted with the Salsa20 stream cipher using a randomly generated key, which itself is then encrypted with an RSA-1024 public key. Older STOP variants often used an "offline key" that was the same across many infections, allowing security researchers to create decryption tools. Newer variants like these use unique "online keys" generated on the attacker's server, making decryption without the private key mathematically infeasible. The ransomware appends a distinctive extension to each encrypted file—.qopz, .gash, .xaro, or .mitu depending on the specific variant—while preserving the original filename.
During encryption, STOP ransomware establishes persistence mechanisms so that it survives reboots and resumes its work if interrupted. It also frequently drops secondary payloads, particularly information-stealing trojans such as Azorult or Vidar, which harvest browser passwords, cryptocurrency wallet files, and other sensitive data before the encryption even completes. This pairing of encryption with credential theft means victims face both data loss and potential identity theft.
After encryption completes, the malware drops ransom notes named _readme.txt or _readthis.txt in every folder containing encrypted files, as well as on the desktop. These notes contain instructions for payment, typically demanding $490 if paid within 72 hours or $980 afterward, and provide email addresses for contacting the attackers. The notes often include a "personal ID" that identifies the victim's specific infection.
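The first thing a technician wants from an infected machine is an inventory: which files carry the variant extension, when encryption started, and what the ransom note's personal ID says about the key. The read-only PowerShell script below is an added example, not code from the article; the default root folder, the ransom-note regex, and the rule that IDs ending in "t1" denote an offline key (an Emsisoft decryptor heuristic, not something the article states) are assumptions.

```powershell
# Added example, not code from the article: read-only triage of a suspected STOP/Djvu infection.
# Inventories files carrying the variant extensions named above, locates ransom notes and
# extracts the "personal ID" from them. Nothing here modifies the system.
param(
    [string[]]$Roots = @($env:USERPROFILE),                       # folders to inventory (assumed default)
    [string[]]$Extensions = @('.qopz', '.gash', '.xaro', '.mitu'),
    [string[]]$NoteNames = @('_readme.txt', '_readthis.txt')
)

$encrypted = [System.Collections.Generic.List[object]]::new()
$notes     = [System.Collections.Generic.List[object]]::new()

foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($Extensions -contains $_.Extension.ToLower()) {
            # STOP keeps the original name and appends its own extension, so dropping
            # that one extension recovers the original file name.
            $encrypted.Add([pscustomobject]@{
                Path      = $_.FullName
                Original  = $_.FullName.Substring(0, $_.FullName.Length - $_.Extension.Length)
                Extension = $_.Extension.ToLower()
                Written   = $_.LastWriteTime
            })
        }
        elseif ($NoteNames -contains $_.Name.ToLower()) {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            # The note lists the victim's ID after "personal ID:" (the regex assumes that layout).
            $id = if ($text -match 'personal ID:\s*([A-Za-z0-9]+)') { $Matches[1] } else { $null }
            # Emsisoft's decryptor documentation treats IDs ending in "t1" as offline keys; this
            # rule is not from the article. Online IDs are unique per victim and not decryptable for free.
            $keyType = if (-not $id) { 'unknown' }
                       elseif ($id.EndsWith('t1')) { 'offline (check the Emsisoft decryptor)' }
                       else { 'online (unique key)' }
            $notes.Add([pscustomobject]@{ Path = $_.FullName; PersonalID = $id; KeyType = $keyType })
        }
    }
}

'Encrypted files by extension:'
$encrypted | Group-Object Extension | Select-Object Name, Count | Format-Table -AutoSize
'Earliest encrypted file (approximate start of the encryption run):'
$encrypted | Sort-Object Written | Select-Object -First 1 Path, Written | Format-List
'Ransom notes and personal IDs:'
$notes | Select-Object PersonalID, KeyType -Unique | Format-Table -AutoSize
```

Run it from a clean administrative session with the infected drive attached, or point `-Roots` at a mounted backup image; the earliest write time tells you which backups predate the encryption.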
Manual Removal — Step by Step
Step 1: Disconnect From All Networks Immediately
Unplug the Ethernet cable or disable Wi-Fi to prevent the ransomware from encrypting files on network shares, communicating with command servers, or spreading to other computers. If this is a business network, notify your IT staff immediately before proceeding.
Step 2: Boot Into Safe Mode With Networking
Restart the computer and press F8 repeatedly during boot (or Shift+Restart on Windows 10/11, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart > press 5 or F5). Safe Mode loads only essential drivers, preventing most malware from running while still allowing internet access for downloading tools.
Step 3: Identify and Terminate the Malicious Process
Open Task Manager (Ctrl+Shift+Esc) and look for suspicious processes, especially those with random character names running from %TEMP%, %LOCALAPPDATA%, or %APPDATA% folders. Right-click any suspicious process, select "Open file location," note the full path, then end the process. Do not delete files yet—you'll need the path information.
Step 4: Remove Persistence Mechanisms
Press Win+R, type regedit, and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce. Look for entries pointing to executables in temporary folders or unfamiliar locations and delete them. Also open Task Scheduler (search "Task Scheduler" in Start menu) and examine scheduled tasks for suspicious entries—delete any that launch executables from unusual locations.
Step 5: Delete the Malware Files
Navigate to the folder locations you identified in Step 3 and delete the executable files. STOP variants typically reside in %TEMP% or subfolders of %LOCALAPPDATA% or %APPDATA%. Show hidden files first (File Explorer > View > Options > View tab > Show hidden files, folders, and drives). Delete the entire containing folder if it was created by the malware.
Step 6: Run Comprehensive Anti-Malware Scans
Download and install Malwarebytes Free (from malwarebytes.com while still in Safe Mode with Networking) and run a full system scan. STOP ransomware frequently bundles information-stealing trojans that remain active even after the encryption payload stops, so thorough scanning is essential. Follow up with a scan from a second tool like HitmanPro or Emsisoft Emergency Kit to catch any remnants.
Step 7: Check for File Recovery Options
Older STOP variants using offline keys can sometimes be decrypted with free tools from Emsisoft (search for "Emsisoft STOP Djvu decryptor"). However, newer variants like those using .qopz, .gash, .xaro, or .mitu extensions typically use online keys, making free decryption impossible. Try Windows Previous Versions (right-click encrypted files > Properties > Previous Versions) or Shadow Explorer to recover from Volume Shadow Copies if they weren't deleted by the ransomware.
Step 8: Reset Browser Settings
STOP infections often come bundled with browser hijackers or adware. Open your browser settings and reset to defaults: Chrome (Settings > Advanced > Reset settings), Firefox (Help > More troubleshooting information > Refresh Firefox), Edge (Settings > Reset settings). Remove any unfamiliar extensions before resetting.
Step 9: Change All Important Passwords
Since STOP ransomware frequently installs information-stealing companions, assume your saved passwords and sensitive data have been compromised. From a known-clean device, change passwords for email, banking, social media, and any other important accounts. Enable two-factor authentication wherever possible.
Step 10: Reboot Normally and Verify
Restart the computer in normal mode and monitor for several hours. Check that no new files are being encrypted, no suspicious processes appear in Task Manager, and system performance is normal. Run another quick scan with your anti-malware tool to confirm the infection is gone. If you notice any unusual behavior, the infection may not be fully removed.
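The process, Run-key and Task Scheduler checks above are done by hand in Task Manager and regedit; the PowerShell script below is an added example, not the article's own, that performs the same checks read-only so every path can be reviewed before a process is ended or a file deleted. It goes a little beyond the text by also reading the HKLM Run keys; the three folder roots and the path-cleaning regex are assumptions.

```powershell
# Added example, not from the article: a read-only audit covering the manual steps above.
# It lists processes, Run/RunOnce entries and scheduled tasks whose executable sits under
# %TEMP%, %LOCALAPPDATA% or %APPDATA%, so each path can be reviewed before anything is
# ended or deleted. Run from an elevated PowerShell on Windows 8 or later (Get-ScheduledTask).
$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Commands may be quoted or carry arguments; keep only the executable path (assumed layouts).
    $exe = ($Path -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($root in $suspectRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

'== Running processes launched from user-writable folders =='
Get-Process -ErrorAction SilentlyContinue | Where-Object { Test-SuspectPath $_.Path } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

'== Run / RunOnce entries (the HKCU keys named above, plus HKLM) =='
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    # Skip the PS* provider properties; report only values whose command lives in a suspect folder.
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and (Test-SuspectPath "$($_.Value)") } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}

'== Scheduled tasks whose action runs from user-writable folders =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (Test-SuspectPath $action.Execute) {
            [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Execute = $action.Execute; Arguments = $action.Arguments }
        }
    }
} | Format-Table -AutoSize
```

Anything it lists is a candidate, not a verdict: legitimate updaters also run from these folders, so compare each path against the one you noted from Task Manager before acting on it.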
Prevention
- Never download pirated software or cracks. The overwhelming majority of STOP infections originate from "free" versions of paid software. Legitimate free alternatives exist for almost every commercial application—use those instead.
- Maintain offline backups of critical data. Use the 3-2-1 rule: three copies of important files, on two different media types, with one copy stored offline (external drive disconnected after backing up, or cloud backup service). Ransomware can only encrypt files it can access.
- Keep Windows and all software fully updated. Enable automatic updates for Windows, your browser, and applications like Adobe Reader and Java. Outdated software provides entry points for exploit kits that deliver ransomware without requiring user interaction.
- Use reputable antivirus software with real-time protection. Windows Defender (built into Windows 10/11) provides good baseline protection if kept updated. Consider adding Malwarebytes Premium for an additional behavioral-detection layer against ransomware.
- Exercise caution with email attachments. Never open attachments from unknown senders, and be skeptical of unexpected attachments even from known contacts (their account may be compromised). Be especially wary of ZIP files containing executables.
- Enable "Show file extensions" in Windows. Ransomware often disguises executables with double extensions like "invoice.pdf.exe"—you can only spot this if Windows shows the actual .exe extension. In File Explorer, go to View > Options > View tab and uncheck "Hide extensions for known file types."
- Disable macros in Office documents by default. Configure Microsoft Office to disable all macros from untrusted sources and require notification before enabling them. Many malware campaigns use macro-enabled documents as initial infection vectors.
- Use a standard user account for daily activities. Run Windows with a non-administrator account for routine work. Malware run from a standard account has more limited ability to make system-wide changes, though file-encrypting ransomware can still damage user documents.
Bring It In
Ransomware removal requires more than just deleting the malicious executable. The bundled information-stealers, the potential for incomplete removal, and the complexity of exploring data recovery options make professional assistance valuable for most users. Our technicians have experience with STOP ransomware variants and maintain updated tools for both malware removal and, where possible, file recovery. We can also check whether your specific variant uses an offline key that might be decryptable, potentially saving your files without paying criminals.
If you're dealing with encrypted files and wondering whether to pay the ransom (we strongly advise against it—there's no guarantee of recovery, and payment funds criminal enterprises), bring your computer to our Roswell shop for a free diagnostic. We're located in Roswell, Georgia, and you can reach us at (770) 637-1435. We'll assess the infection, check for recovery options through shadow copies or available decryptors, and discuss backup strategies to protect you going forward. Don't let ransomware hold your data hostage—let's explore every legitimate option first.