Ransom:Win32/StopCrypt.PBQ!MTB is a Microsoft Defender detection associated with ransomware behavior. Treat it as urgent, especially if files were renamed, encrypted, or ransom notes appeared.
What is Ransom:Win32/StopCrypt.PBQ!MTB?
This detection points to a ransomware-type threat. Ransomware attempts to encrypt personal files and then demand payment for a decryptor. The exact impact depends on whether Defender blocked the file before it ran or found it after activity had already started.
Immediate steps
- Disconnect the PC from the network to reduce spread and data access.
- Do not delete ransom notes or suspicious files until you record evidence.
- Check whether files were renamed, encrypted, or made unreadable.
- Let Defender quarantine the detected item.
- Do not attach backups until the machine is clean.
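The two steps above that most people struggle with are "record evidence" and "check whether files were encrypted". The following script is an added example, not code from the page or from Microsoft: it walks a folder read-only, hashes every file, measures byte entropy to spot files that look encrypted, and flags recently modified files and text files whose names resemble ransom notes. The note-name hints, entropy threshold, 24-hour window and list of legitimately high-entropy formats are assumptions chosen for illustration; adjust them to what you actually see on the affected machine.

```python
"""Ransomware triage inventory (added example, not from the original page).

Read-only: nothing is deleted, moved or renamed, so evidence is preserved.
Output is a list of records (one per file) plus a summary, suitable for
saving as the evidence inventory before any cleanup starts."""
import hashlib
import math
import sys
import time
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# Placeholders (assumptions, not values from the page): ransom-note names and
# appended extensions differ per campaign, so tune these to the real notes.
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")
ENTROPY_THRESHOLD = 7.5          # bits per byte; encrypted data sits near 8.0
MIN_ENTROPY_SIZE = 256           # tiny files give unreliable entropy figures
RECENT_WINDOW_SECONDS = 24 * 3600
SAMPLE_BYTES = 64 * 1024         # entropy is measured on the first 64 KiB only
# Formats that are high-entropy by design. A ransomware-renamed file usually
# ends in an unfamiliar extension, so it is still caught by the check below.
COMPRESSED_SUFFIXES = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".mp4",
                       ".pdf", ".docx", ".xlsx", ".pptx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_of(path: Path) -> str:
    """Full-file SHA-256 so the evidence inventory can be verified later."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_ransom_note(path: Path) -> bool:
    """Heuristic: a .txt file whose name contains one of the hint words."""
    name = path.name.lower()
    return path.suffix.lower() == ".txt" and any(h in name for h in NOTE_NAME_HINTS)


def inspect_file(path: Path, now: Optional[float] = None) -> Dict:
    now = time.time() if now is None else now
    st = path.stat()
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    high_entropy = (entropy >= ENTROPY_THRESHOLD
                    and st.st_size >= MIN_ENTROPY_SIZE
                    and path.suffix.lower() not in COMPRESSED_SUFFIXES)
    record = {
        "path": str(path),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "sha256": sha256_of(path),
        "entropy": round(entropy, 3),
        "recent": (now - st.st_mtime) <= RECENT_WINDOW_SECONDS,
        "high_entropy": high_entropy,
        "ransom_note": looks_like_ransom_note(path),
    }
    # High entropy alone is only a hint; combined with a recent write it is a
    # strong signal that the file was encrypted during the incident window.
    record["suspicious"] = record["ransom_note"] or (high_entropy and record["recent"])
    return record


def triage_directory(root, now: Optional[float] = None) -> List[Dict]:
    """Inspect every regular file below root (symlinks skipped)."""
    return [inspect_file(p, now) for p in sorted(Path(root).rglob("*"))
            if p.is_file() and not p.is_symlink()]


def summarize(records: List[Dict]) -> Dict:
    return {
        "files": len(records),
        "suspicious": sum(r["suspicious"] for r in records),
        "ransom_notes": sum(r["ransom_note"] for r in records),
        "high_entropy_recent": sum(r["high_entropy"] and r["recent"] for r in records),
    }


if __name__ == "__main__":
    # Usage: python triage.py <folder>   (run from a clean, disconnected machine)
    results = triage_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for r in results:
        if r["suspicious"]:
            print(f"SUSPICIOUS {r['path']} entropy={r['entropy']} "
                  f"note={r['ransom_note']} sha256={r['sha256']}")
    print(summarize(results))
```

Save the full record list (for example as JSON) before running any cleanup: the hashes let you prove later what was on disk, and the summary tells you quickly whether encryption actually happened or Defender stopped the file first. Expect some false positives from high-entropy formats that are not in the allowlist; the signal to act on is a cluster of recently written, unreadable files with an unfamiliar extension.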
Removal and recovery checklist
- Run a full scan and remove detected items.
- Check Startup apps, services, scheduled tasks, and recent downloads.
- Scan external drives separately before reconnecting them.
- Restore files only from clean backups.
- Change passwords from a clean device if the malware may have run.
Should you pay?
Paying does not guarantee recovery and can fund more attacks. First preserve evidence, clean the system, check backups, and look for trusted decryptor information from reputable security projects.
FAQ
Does this always mean my files are encrypted?
No. Defender may have blocked the ransomware before encryption. Check file names, ransom notes, and recent file changes.
Can I restore from backup?
Yes, but only after the PC and backup drive are verified clean.
Should I run the computer normally after the alert?
No. Disconnect from the network and investigate before continuing normal use.