This week, IT security experts discovered a new ransomware. It is named ‘Stare file virus‘ and used malware to infect Microsoft Windows computers. It encrypts documents, photos and music, adding the .stare extension to the names of all encrypted files, on all attached data storage a short time after the system has been infected.
Files encrypted by .stare virus
Stare virus encrypts almost of files, including common as:
.bik, .srw, .css, .dba, .ff, .wma, .mef, .map, .xxx, .wbc, .dmp, .fsh, .dbf, .yml, .wsd, .docm, .wgz, .tor, .xld, .x3f, .mov, .wpw, .upk, .desc, .0, .kdb, .xlk, .pptm, .asset, .nrw, .accdb, .wotreplay, .mdbackup, .fpk, .wp, .xll, .pdf, .xmmap, .dcr, .avi, .vcf, .xbdoc, .docx, .p7b, .wmf, .wn, .odt, .ppt, .zip, .ods, .wp4, .wpd, .xar, .xdb, .hvpl, .sql, .fos, .wire, .kf, .7z, .jpe, .esm, .rgss3a, .x3d, .3fr, .xlsm, .sid, .vtf, .t12, .itl, .lbf, .tax, .p7c, .litemod, .qdf, .cr2, .gdb, .jpg, .xpm, .vdf, .rb, .pdd, .odc, .epk, .bar, .mdb, .crw, .layout, .pem, .m4a, .ntl, .ptx, .bsa, .wma, .zip, .xlgc, .lrf, .wcf, .lvl, .wb2, .iwi, .wpd, .gho, .crt, .odp, .js, .wpb, .xx, .mdf, .3ds, .cas, .xls, .m3u, .ysp, .1st, .wm, .r3d, .wmv, .xml, .eps, .jpeg, .psd, .wpe, .wsc, .1, .y, .syncdb, .cfr, .wbz, .menu, .big, .xmind, .bc6, .wdb, .wmo, .w3x, .bc7, .svg, .slm, .arw, .wdp, .zi, .xdl, .orf, .re4, .xf, .zdb, .wbm, .mrwref, .sb, .pst, .xlsx, .sis, .erf, .mcmeta, .wmd, .png, .rofl, .3dm, .indd, .wps, .pptx, .bkp, .p12, .xy3, .psk, .ztmp, .hkx, .forge, .x3f, .wpg, .rw2, .wp7, .z3d, .iwd, .sr2, wallet, .das, .pak, .hkdb, .cer, .wbmp, .zdc, .vpp_pc, .itm, .qic, .ibank, .wmv, .dazip, .wbd, .2bp, .vpk, .xwp, .txt, .xyw, .zw, .mp4, .wpl, .x, .sum, .pkpass, .cdr, .pef, .pfx, .dng, .wp5, .mlx, .xlsm, .itdb, .odm, .wav, .ybk, .xbplate, .ai, .rim, .wpt, .db0, .xlsb, .der, .sidd, .z, .hplg, .ncf, .mddata, .sie, .d3dbsp, .rwl, .ws, .rtf, .wbk, .rar, .raf, .xls, .blob, .apk, .odb, .py, .wsh, .raw, .xlsx, .webdoc, .sav, .wpa, .zif, .yal, .dxg, .icxs, .wps, .csv, .snx, .sidn, .vfs0, .mpqge, .doc, .kdc, .ltx, .bkf, .webp, .flv
With the encryption work is complete, all affected files will now have the new .stare extension appended to them. Stare virus drops a file named ‘_readme.txt’. This file contains a ransom message that is written in the English language. The ransom instructions directs victims to make payment in exchange for the decrypt tool and private key needed to decrypt files.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6tYZko8NMj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: gorentos@bitmessage.ch Reserve e-mail address to contact us: gorentos2@firemail.cc Your personal ID:
Threat Summary
| Name | Stare |
| Type | Ransomware, Filecoder, File locker, Crypto malware, Crypto virus |
| Encrypted files extension | .stare |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch, gorentos2@firemail.cc |
| Ransom amount | $490,$980 in Bitcoins |
| Symptoms | Your documents, photos and music fail to open. All of your photos, documents and music have a odd file extension appended to the filenames. Files named such as ‘_readme.txt’, or ‘_readme” in every folder with an encrypted file. |
| Distribution ways | Spam or phishing emails that are made to get people to open an attachment or click on a link. Drive-by downloading (when a user unknowingly visits an infected web-page and then malware is installed without the user’s knowledge). Social media, like web-based instant messaging programs. Cybercriminals use suspicious advertisements to distribute malicious software with no user interaction required. |
| Removal | To remove Stare ransomware use the removal guide |
| Decryption | To decrypt Stare ransomware use the steps |
Quick links
How to remove Stare ransomware virus
Using a malware removal tool to scan for and remove ransomware virus hiding on your machine is probably the easiest method to uninstall the Stare ransomware. We recommends the Zemana Anti-Malware application for Windows PC systems. MalwareBytes and KVRT are other anti malware utilities for Windows that offers a free malware removal.
Run Zemana AntiMalware (ZAM) to remove Stare virus
Zemana Anti Malware (ZAM) can detect all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Stare ransomware virus, you can easily and quickly remove it.
Visit the page linked below to download the latest version of Zemana for MS Windows. Save it on your MS Windows desktop.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When downloading is complete, close all programs and windows on your PC. Double-click the set up file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed on the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana on your PC. Follow the prompts and don’t make any changes to default settings.
Once installation is finished successfully, Zemana will automatically start and you can see its main screen as shown on the screen below.
Now click the “Scan” button to scan for Stare ransomware, other malicious software, worms and trojans. While the utility is scanning, you may see count of objects and files has already scanned.
As the scanning ends, you’ll be shown the list of all detected items on your machine. In order to delete all threats, simply press “Next” button. The Zemana will remove Stare ransomware, other malicious software, worms and trojans and move items to the program’s quarantine. After the procedure is done, you may be prompted to restart the computer.
How to automatically remove Stare virus with MalwareBytes AntiMalware (MBAM)
We suggest using the MalwareBytes AntiMalware (MBAM) that are fully clean your personal computer of the crypto malware. This free tool is an advanced malicious software removal program developed by (c) Malwarebytes lab. This program uses the world’s most popular anti malware technology. It is able to help you delete ransomware virus, potentially unwanted applications, malware, adware software, toolbars, and other security threats from your computer for free.
Click the following link to download the latest version of MalwareBytes Anti Malware for MS Windows. Save it to your Desktop so that you can access the file easily.
326385 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After the downloading process is done, close all software and windows on your computer. Double-click the install file called mb3-setup. If the “User Account Control” prompt pops up as shown in the figure below, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes Free on your computer. Follow the prompts and do not make any changes to default settings.
Once install is complete successfully, click Finish button. MalwareBytes Anti-Malware (MBAM) will automatically start and you can see its main screen similar to the one below.
Now click the “Scan Now” button to begin checking your machine for the Stare crypto malware and other security threats. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. While the tool is scanning, you can see how many objects and files has already scanned.
As the scanning ends, MalwareBytes will display a screen which contains a list of malicious software that has been found. Review the scan results and then press “Quarantine Selected” button. The MalwareBytes Anti-Malware (MBAM) will begin to remove Stare ransomware, other malicious software, worms and trojans. After the process is finished, you may be prompted to reboot the computer.
We recommend you look at the following video, which completely explains the process of using the MalwareBytes Anti-Malware to remove adware, browser hijacker and other malicious software.
Scan your system and delete Stare ransomware virus with KVRT
KVRT is a free removal utility that can be downloaded and run to uninstall ransomwares, adware software, malicious software, potentially unwanted programs, toolbars and other threats from your PC. You can run this tool to detect threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your PC from the following link.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the KVRT screen such as the one below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to perform a system scan for the Stare ransomware virus . A system scan can take anywhere from 5 to 30 minutes, depending on your machine. While the KVRT is scanning, you can see how many objects it has identified either as being malicious software.
As the scanning ends, you can check all items found on your PC system such as the one below.
You may delete threats (move to Quarantine) by simply click on Continue to begin a cleaning task.
Decrypt .stare files with STOPDecrypter
With some variants of Stare file virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Stare decryption tool named STOPDecrypter. It can decrypt .stare files if they were locked by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.
Stare decryption tool
STOPDecrypter is a program that can be used for Stare files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .stare files using this free tool.
- Visit the following page to download the latest version of STOP Decrypter for MS Windows. Save it to your Desktop.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - Once the downloading process is finished, close all programs and windows on your system. Open a file location.
- Right-click on the icon that’s named STOPDecrypter.zip. Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is done, right click on STOPDecrypter, choose ‘Run as Admininstrator’. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .stare files, in some cases, you have a chance to restore your personal files, which were encrypted by ransomware virus. This is possible due to the use of the utilities named ShadowExplorer and PhotoRec. An example of recovering encrypted personal files is given below.
How to restore .stare files
In some cases, you can recover files encrypted by Stare crypto malware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Run ShadowExplorer to restore .stare files
A free tool called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Windows 10 (8, 7 , Vista). You can restore .stare files encrypted by the Stare crypto malware from Shadow Copies for free.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer on your MS Windows Desktop by clicking on the link below.
438669 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When downloading is complete, extract the downloaded file to a directory on your system. This will create the necessary files such as the one below.
Start the ShadowExplorerPortable application. Now select the date (2) that you wish to recover from and the drive (1) you want to recover files (folders) from as displayed below.
On right panel navigate to the file (folder) you wish to restore. Right-click to the file or folder and click the Export button as on the image below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Use PhotoRec to restore .stare files
Before a file is encrypted, the Stare crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file restore programs like PhotoRec.
Download PhotoRec by clicking on the following link.
When the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It will display a screen as shown below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted files as shown on the image below.
Click File Formats button and select file types to restore. You can to enable or disable the recovery of certain file types. When this is complete, press OK button.
Next, click Browse button to choose where recovered documents, photos and music should be written, then press Search.
Count of recovered files is updated in real time. All recovered files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where restored files are stored. You will see a contents like the one below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your personal computer from Stare crypto virus?
Most antivirus software already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your personal computer from Stare ransomware virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from Microsoft Windows XP to Windows 10.
HitmanPro.Alert can be downloaded from the following link. Save it on your MS Windows desktop.
Once the download is done, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the utility is launched, you’ll be displayed a window where you can choose a level of protection, as displayed on the screen below.
Now click the Install button to activate the protection.
To sum up
Now your personal computer should be clean of the Stare ransomware. Uninstall MalwareBytes and Kaspersky virus removal tool. We recommend that you keep Zemana AntiMalware (to periodically scan your system for new malicious software). Moreover, to prevent crypto virus, please stay clear of unknown and third party programs, make sure that your antivirus application, turn on the option to block or search for ransomware.
If you need more help with Stare crypto virus related issues, go to here.
