The STOP Ransomware family, also denominated the STOP Djvu Ransomware family, is a threatening piece of malware. The STOP Djvu is just one of the multiple threats that share common characteristics and originate from the STOP ransomware, even though some of their methods to affect file types and encrypt file extensions differ.
The original STOP Ransomware was spotted by security researchers as early as February 2018. However, since then it has evolved, and its family of clones and offshoots has grown. The primary method of distribution of the STOP ransomware was spam email campaigns using corrupted attachments.
The STOP Djvu Ransomware performs in a way similar to other ransomware threats of its kind, encrypting and blocking access to key files users may be utilizing in their system. Personal files, pictures, documents and more can be encrypted and essentially disabled for all users on the machine. STOP Djvu Ransomware was first spotted back in December 2018 in what appeared to be a pretty successful campaign of infection online. Researchers were unaware of the way the ransomware spread, but later victims reported they were discovering infections after they were downloading keygens or cracks. Once the infiltration occurs, STOP Djvu ransomware changes the Windows settings, appending files with a range of names, such as .djvu, .djvus, .djvuu, .uudjvu, .udjvu or .djvuq and the recent .promorad and .promock extensions. The newer versions don't have a decryptor yet, but the older ones can be decrypted using the STOPDecrypter. Users are advised to avoid paying any ransom, no matter what.
The method used to block access to the files uses the RSA encryption algorithm. Although the decryption of the files may seem hard for inexperienced users, there is definitely no need to make any effort to pay the people behind the threat. False promises are usually given in such situations, so users may quickly find out they are ignored once payments were made.
Attacks of the STOP Djvu Ransomware were first reported in late 2018. The main method of distribution for the STOP Djvu remained spam emails and tweaks to the core of the ransomware were relatively minor. The majority of fake, compromised attachments used in the spam emails were macro-enabled office documents or fake PDF files that would run the ransomware without the victim's knowledge. The behavior of the STOP Djvu has not changed much either - the ransomware still deleting all the Shadow Volume snapshots to get rid of backups, then starts encrypting the victim's files.
There are minor changes to the ransom note, which is saved as '_openme.txt' to the victim's desktop. The text of the ransom note can be found here:
’[ransom note start]
———————— ALL YOUR FILES ARE ENCRYPTED ————————
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID: [string]
[ransom note end]’
The ransomware limited itself to renaming the encrypted files with the .djvu extension originally, which was a curious choice because .djvu is actually a legitimate file format developed by the AT&T Labs and used for storing scanned documents, somewhat similar to the Adobe's .pdf. Later versions of the ransomware adopted a series of other extensions for encrypted files, including '.chech,' '.luceq,' '.kroput1,' '.charck,' '.kropun,,' .luces,' '.pulsar1,' '.uudjvu,' '.djvur,’ '.tfude,' '.tfudeq' and '.tfudet'.
Certain strains of the STOP Djvu ransomware can be decrypted for free, using the so-called 'STOPDecrypter' that was developed by the security researcher Michael Gillespie and is available online as a free download.