International Police Association / Sopa/ PIPA Ransomware easily decrypted

A new ransomware, which is actually a variant of CryptoTorLocker2015, has been reported that claims it's from the International Police Association - IAC and "fines" you $100 Euros in order to get your files back. When infected, this ransomware will scan your computer, encrypt your data, and appends a 6 digit extension to any encrypted file. It will then display a message box ransom note that states you need to visit a certain site to may a payment. The current known payment sites are str.fulba.com and utrozen.pixub.com, which opens an iframe to fulba.com.

The ransom note states:

Warning! Your have a computer found pirated content! All your files encrypted! To decrypt files you need visit the site http://str.fulba.com and follow the instructions posted on it. If the site is for some reason unavailable refer to the stoppirates@yahoo.com. Your id 123456.

You can enter a password 5 times. Above this limit, all files will be deleted! Independent attempts to decrypt the data can to lead to their loss.

It wil then display a password prompt as shown below.

The ransom payment sites are regionally localized to show you the ransom instructions in your language. It determines this based on the IP address of the visitor. An example of the US ransom payment site is below.

Finally, this ransomware will change your Windows wallpaper to a fake message that states:

CONTENT Blocked by SOPA PIPA under authority granted by H.R. 3261 & S.968

With that said, for those who are infected with this Sopa/Pipa/International Police Association/Crap ransomware, you can easily decrypt your files by downloading and running Nathan Scott's decrypter. It should be noted that some anti-virus programs are detecting this infection based on its file modification abilities used by the decrypter, some AV programs may detect it as malicious. This is a false positive, but if you are concerned about the safety of the decryption tool, you can always copy your encrypted data to a virtual machine and run the decrypter from there.

The decrypter can be downloaded from this link: http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe

Once you start the decrypter, you need to enter the 6 digit identifier assigned to your files, select a folder to scan, and then click on Decrypt to decrypt your files. When using the tool, it is suggested that you select the root of the drive such as C:\ and let the decrypter recursively scan your entire drive. If you are finding that some files, most likely shortcuts, are not properly being decrypted, you should run the program with Administrator privileges.

As always, if you have any questions, please feel free to post them here.

Known Related Ransomware Files:

%Temp%\<random>.exe
%Temp%\ag.exe
%Temp%\<random>.bmp
%Temp%\in.js
%Temp%\services.exe

What is the infection vector for this ransomware?

Unknown.

For this situation, what does infection vector mean?

addendum:  got it, thanks!

Edited by RolandJS, 06 May 2015 - 12:07 PM.

What is the infection vector for this ransomware?

 

Included with cracked software.

Edited by SleepyDude, 07 May 2015 - 03:46 PM.

Hey, thanks for your work but your torrentunlocker works much better by this infection like this one, 90%ov mp4 and programms defekt with torrentunlocker 90% of Data are ok. only the .jpj.235485 id must change to .jpg.encrypted :-)

Not sure I understand. Your saying this is not working? If so, I will have the dev pop in.

Hello Lawrence. I got hit last night by StopPirates. My tech guy is trying (unsuccessfully so far) to restore/retrieve the files. We just tried the stoppirates decrypter program you mentioned in this post but unsuccessful. I had high hopes given the convincing words used "....Sopa/ PIPA Ransomware easily decrypted" ....Do you think you can assist me with this please? I haven't looked at the payment option yet b/c I want to try anything I can before.

Thanks.

H

If you can submit samples of the malware to http://www.bleepingcomputer.com/submit-malware.php?channel=3 we can try to update the tool.

If you can submit samples of the malware to http://www.bleepingcomputer.com/submit-malware.php?channel=3 we can try to update the tool.

Thank you so much for responding. By "samples of the malware", I assume you mean some infected/encrypted files? Thanks for letting me know and sorry if this question shows my ignorance on the topic. First time I got so seriously infected.

No we need the malware files themselves. Most likely located in the %Temp% folder.

%Temp%\<random>.exe
%Temp%\ag.exe
%Temp%\<random>.bmp
%Temp%\in.js
%Temp%\services.exe

Good morning Lawrence! My tech guy just informed me that he has uploaded a zip file including the "stoppirates trojan" samples you have indicated. You will find them at this address  http://www.bleepingcomputer.com/submit-malware.php?channel=3 . Thanks so much for trying to help me. I look forward to hearing from you soon.

Hi, My tech guy just sent samples of an infected file + the original file via email. Thanks so very much for your assistance, Lawrence!

Here you are CosmicLove:

 

http://ransomwareanalysis.com/StopPirates_Decrypter_v2.exe

 

(If you browser complains of a malicious site, do not worry. This is the site i use to host decrypters made from infections, so they are false positives.)

Dear Nathan and Lawrence. I don't know how to thank you both!!! You program has worked perfectly. I was able to decrypt entirely my E drive (all my user files) and now the decrypter is doing its thing on the C drive for my programs. Thanks so so much for helping me so diligently.

 

For all of you guys who got affected/infected by this StopPirates trojan, do NOT pay any ransom just yet. The decrypter works. You will only need to contact Lawrence and Nathan and provide samples of the malware found here on your drive (in addition to the ID stuck at the end of your encrypted files - mine was: filename.ext.335495):

%Temp%\<random>.exe

%Temp%\ag.exe
%Temp%\<random>.bmp
%Temp%\in.js
%Temp%\services.exe 

 

Then make sure to have a pair of encrypted AND clean file (less and 1mb in size) to give to them to test the decrypter. It will expedite the resolution process. It took them just a few hours to do all this and I was able to retrieve all my files.

 

Lesson I've learned: BACK UP YOUR FILES, folks!!!!! Use one of the many online storage services and do it automatically so you don't have to think about it.