STOP Djvu Ransomware

STOP Djvu Ransomware Image

The STOP Ransomware family, also denominated the STOP Djvu Ransomware family, is a threatening piece of malware. The STOP Djvu is just one of the multiple threats that share common characteristics and originate from the STOP ransomware, even though some of their methods to affect file types and encrypt file extensions differ.

The original STOP Ransomware was spotted by security researchers as early as February 2018. However, since then it has evolved, and its family of clones and offshoots has grown. The primary method of distribution of the STOP ransomware was spam email campaigns using corrupted attachments.

The STOP Djvu Ransomware performs in a way similar to other ransomware threats of its kind, encrypting and blocking access to key files users may be utilizing in their system. Personal files, pictures, documents and more can be encrypted and essentially disabled for all users on the machine. STOP Djvu Ransomware was first spotted back in December 2018 in what appeared to be a pretty successful campaign of infection online. Researchers were unaware of the way the ransomware spread, but later victims reported they were discovering infections after they were downloading keygens or cracks. Once the infiltration occurs, STOP Djvu ransomware changes the Windows settings, appending files with a range of names, such as .djvu, .djvus, .djvuu, .uudjvu, .udjvu or .djvuq and the recent .promorad and .promock extensions. The newer versions don't have a decryptor yet, but the older ones can be decrypted using the STOPDecrypter. Users are advised to avoid paying any ransom, no matter what.

The method used to block access to the files uses the RSA encryption algorithm. Although the decryption of the files may seem hard for inexperienced users, there is definitely no need to make any effort to pay the people behind the threat. False promises are usually given in such situations, so users may quickly find out they are ignored once payments were made.

Attacks of the STOP Djvu Ransomware were first reported in late 2018. The main method of distribution for the STOP Djvu remained spam emails and tweaks to the core of the ransomware were relatively minor. The majority of fake, compromised attachments used in the spam emails were macro-enabled office documents or fake PDF files that would run the ransomware without the victim's knowledge. The behavior of the STOP Djvu has not changed much either - the ransomware still deleting all the Shadow Volume snapshots to get rid of backups, then starts encrypting the victim's files.

There are minor changes to the ransom note, which is saved as '_openme.txt' to the victim's desktop. The text of the ransom note can be found here:

’[ransom note start]
———————— ALL YOUR FILES ARE ENCRYPTED ————————

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.

——————————————————————————————————-

To get this software you need write on our e-mail:
helpshadow@india.com

Reserve e-mail address to contact us:
helpshadow@firemail.cc

Your personal ID: [string]
[ransom note end]’

The ransomware limited itself to renaming the encrypted files with the .djvu extension originally, which was a curious choice because .djvu is actually a legitimate file format developed by the AT&T Labs and used for storing scanned documents, somewhat similar to the Adobe's .pdf. Later versions of the ransomware adopted a series of other extensions for encrypted files, including '.chech,' '.luceq,' '.kroput1,' '.charck,' '.kropun,,' .luces,' '.pulsar1,' '.uudjvu,' '.djvur,’ '.tfude,' '.tfudeq' and '.tfudet'.

The STOP/Djvu Ransomware family is very prolific because cybercriminals have been using its template to create countless, threatening variants. Some of these variants include Aeur Ransomware, Bbii Ransomware, Bbnm Ransomware, Bbzz Ransomware, Bbyy Ransomware, Bnrs Ransomware, Byya Ransomware, Ckae Ransomware, Dmay Ransomware, Dewd Ransomware, Dfwe Ransomware, Eegf Ransomware, Errz Ransomware, Ewdf Ransomware, Fdcv Ransomware, Fefg Ransomware, Gcyi Ransomware, Ghas Ransomware, Hruu Ransomware, Hhjk Ransomware, Ifla Ransomware, Jhbg Ransomware, Jhdd Ransomware, Kxde Ransomware, Kruu Ransomware, Loov Ransomware, Mine Ransomware, Mmob Ransomware, Nnuz Ransomware, Nuhb Ransomware, OOII Ransomware, PPHG Ransomware, Qall Ransomware, Qlnn Ransomware, Rrcc Ransomware, Rrbb Ransomware, Rryy Ransomware, Sijr Ransomware, Tuid Ransomware, Uihj Ransomware, Uyjh Ransomware, Vomm Ransomware, Wnlu Ransomware, Xcbg Ransomware, Ygvb Ransomware, Zfdv Ransomware and Zpps Ransomware.

Certain strains of the STOP Djvu ransomware can be decrypted for free, using the so-called 'STOPDecrypter' that was developed by the security researcher Michael Gillespie and is available online as a free download.

Table of Contents

Toggle

STOP Djvu Ransomware Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

STOP Djvu Ransomware Screenshots

Analysis Report

General information

Family Name:	STOP/DJVU Ransomware
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: def8a7bfe5fe47d95a95085d8dbc7a53 SHA1: 7182d4b2f55a560d83edf0824e119f71fa8422b6 SHA256: B83855EA63E7F28396099A5B6E877BE537E78E4A50DF720262461A1D13B02192 File Size: 6.29 MB, 6292105 bytes

MD5: a6b8c0cb178c31dd347554c3e5a0d5f8 SHA1: 91864f269d696ee80869cfeb3c9a204f8031a3bb SHA256: 4FFB8E9ADF508662B5E51CBEC75B2E07CE1CBBFAAB873F72EDC7BAC385421E2C File Size: 3.47 MB, 3471869 bytes

MD5: 2336c9624d9a44c393d354206226f508 SHA1: ea7edc388ad62990f52b9ed40df26d20f4e20190 SHA256: CE48ED04C92143B7E91F9665DD9337B2EE0B9CC1B5AEE534D26C09E084F8ABB0 File Size: 1.36 MB, 1359918 bytes

MD5: 42f32aa699bc45a3638ddeb325ebebc1 SHA1: 508cea3ba2bf04cc6851295f92bf0e752071f6b8 SHA256: 16532B38591B713395C288B11610494BCC4C4537BE492D43C54D66FEB7B95FA4 File Size: 1.33 MB, 1328186 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File has exports table
• File has TLS information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

Show More

• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	This installation was built with Inno Setup.
Company Name	Alexander Roshal WinTools Software Engineering, Ltd.
File Description	Gestione archivi WinRAR RAM Saver Professional
File Version	26.0.1 25.7.1 6.20.2 1.00
Internal Name	TJprojMain WinRAR
Legal Copyright	Copyright © Alexander Roshal 1993-2022
Original Filename	TJprojMain.exe WinRAR.exe
Product Name	Project1 RAM Saver 25.7.1 Professional RAM Saver 26.0.1 Professional WinRAR
Product Version	26.0.1 25.7.1 6.20.2 1.00

File Traits

• 2+ executable sections
• big overlay
• HighEntropy
• Installer Manifest
• No Version Info
• RAR (In Overlay)
• RARinO
• SusSec
• vb6
• WinRAR SFX

Show More

• WRARSFX
• x86

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\temp\is-13e8d.tmp\508cea3ba2bf04cc6851295f92bf0e752071f6b8_0001328186.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-88uan.tmp\ea7edc388ad62990f52b9ed40df26d20f4e20190_0001359918.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-pk5hm.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-shkd6.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Other Suspicious	SetWindowsHookEx
Anti Debug	IsDebuggerPresent
User Data Access	GetUserObjectInformation
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess
Keyboard Access	GetKeyState

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

"C:\Users\Lehsoaco\AppData\Local\Temp\is-88UAN.tmp\ea7edc388ad62990f52b9ed40df26d20f4e20190_0001359918.tmp" /SL5="$5036E,928289,131584,c:\users\user\downloads\ea7edc388ad62990f52b9ed40df26d20f4e20190_0001359918"

"C:\Users\Dfhrhqtz\AppData\Local\Temp\is-13E8D.tmp\508cea3ba2bf04cc6851295f92bf0e752071f6b8_0001328186.tmp" /SL5="$802E8,896816,131584,c:\users\user\downloads\508cea3ba2bf04cc6851295f92bf0e752071f6b8_0001328186"