DefendAgainst: Ransomware ‘STOP’/DJVU

aka DJVU

Originally published here.

In recent weeks, we have observed a spike in infections involving the STOP ransomware variant. STOP is also known as DJVU by other vendors in the industry. In this article, we’ve looked at the latest version circulating in the wild. We will look at some of the main characteristics of this malware variant, along with detections that can be used to prevent infection and IOCs that we were able to extract during analysis.

Introduction

The STOP ransomware has been around for some time, dating back to 2019. The latest version has been found to be distributed broadly in the past few weeks. Like the ones in the past, this variant is a portable executable that uses a public key to encrypt data on the victim’s machine and drops a ransom note in folder directories as it goes through the entire file system encrypting files using the Salsa20 encryption algorithm. The threat actors behind STOP have gone for a flat rate of USD 980 to provide the decryption keys to victims and have also offered a ‘discounted’ rate of USD 490 if the victims contact them within 72 hours of the attack occurring. This tactic is consistent with what has been observed in the past for this ransomware group.

Based on the tactics and techniques used by the malware, it indicates that the threat actors behind it are likely from the Russian region. The malware avoids encryption explicitly on systems geo-located in or near Russia.

Figure 1: Quick Snapshot of STOP Ransomware

Mitigation

This section provides information that can be used to prevent infection by the STOP ransomware. We have included detections, IOC list and YARA Rules that can be used to defend against this threat.

YARA Rule

This YARA Rule can be used to detect STOP Ransomware. Download the entire ruleset here.

Figure 2: YARA Ruleset for STOP Ransomware

Detections

The following figure has the information that can be used to create detections for this malware. Download the entire list here.

The following strings are from the unpacked malware, and these can be found in memory during and after the malware has been fully executed. This information can be used to create detections for EDR tools that can access and read memory and take actions based on detection rules applied.

Figure 3: Detections

IOC List

Download the entire list here.

Figure 4: IOC list

Execution

Once the STOP ransomware executes, it attempts to make a few network connections over the Internet for various purposes, such as; geo-checking, key retrieval, and further infection by downloading different malware. First, let’s look at the start of the execution of this malware.

Figure 5: Malware Entry-point

Upon execution, the malware copies itself to the
‘C:\Users\[username]\AppData\Local\[GUID]’ directory on disk and tries to execute with escalated privileges, as shown in the figures below.

Figure 6: Malware copies itself to a different location
Figure 7: Spawning new process with elevated privileges

The malware then attempts to connect over the Internet to “https://api.2ip.ua/geo.json” to verify the victim’s geolocation. This link leads to a Russian site (screenshot below) that provides geolocation services based on public Internet IP addresses which the malware uses to ascertain the location of its victims. The malware has a hard-coded country codes list that is checked before it continues executing on the victim’s system and will avoid encrypting victims within these countries.

Figure 8: Geo-location service used by the malware

The site also offers an API-based service that the malware uses to determine the geolocation of the victim machines.

Figure 9: The specific API-based service the malware uses

The country code list can be seen in the figure below, showing the codes in memory during execution.

Figure 10: Country codes of locations this malware avoids

Next, the malware tries to connect to a command and control URI to get the public key for encryption. As we can see in the figure below, it sends a request to this URI with a PID created for the victim.

Figure 11: URI loaded into the stack for processing
Figure 12: Connection to the C2 for public key

Once the request is successful, the malware uses the public key with the ID to encrypt the victim’s data.

Figure 13: Public Key for encryption served by the C2

The malware uses a standard encryption sequence, calling in the functions required to encrypt data from start to finish. The complete sequence can be seen in the figure below, in the order of called functions.

Figure 14: Encryption Sequence of function calls

CSP — Cryptography Service Provider

The malware queries the Registry on the victim machine to set the CSP and CSP type. Note that type shown in the figure below is ‘Type 001’ which is the ‘RSA Full’ provider.

Figure 15: Malware query to Registry for the Type of CSP

The malware uses the Registry to set the provider type and subsequently the actual provider, which in this case happens to be RSA Full.

RegOpenKey

Figure 16: Registry functions used to determine the CSP

RegOpenKeyExA

Next, the malware queries the Registry to determine the actual CSP as can be seen in the figure below.

Figure 17: The absolute Registry path passing through the Registers
Figure 18: The CSP highlighted in the Registry
Figure 19: DLL image path to be called for the CSP

The malware uses the public key obtained from the command and control server to start the process of encryption on the victim’s system.

Figure 20: Second function to be called in the Encryption Sequence
Figure 21: Public key loaded

Once the entire encryption sequence is completed for a directory, the final step is to write a ransom note to the directory with instructions on how to pay the ransom.

Figure 22: Ransom note ‘write’ initiated

The figure below shows the ransom note as strings being passed onto the stack before it is written to the disk.

Figure 23: Ransom note loaded into the Stack

Finally, the ransom note is written as a ‘txt’ file to the disk. This process is repeated for all directories in which the malware encrypts data. The figure below shows the newly created ransom note “_readme.txt”.

Figure 24: Ransom note file written to the current directory

The ransom note has the instructions on how the victims can pay to get the decryption key and provides a unique ID that the victim needs to use to get the decryption key for their machine. There is also a link to a demo video showing how the decryption tool works. The note also provides a couple of email addresses for the victims to contact the ransomware group if needed.

Figure 25: Ransom note with instructions on next steps

This version of the STOP ransomware variant encrypts the file and replaces the file-extensions to “.shgv”, as seen in the figure below.

Figure 26: Files successfully encrypted

Downloader Module

Aside from performing common ransomware activities, this malware also tries to download and execute other malware:

Figure 27: Downloaded malware — Vidar Stealer

This downloaded PE is a variant of the Vidar malware family.
Vidar Stealer is malware designed to steal information, mainly distributed as spam mail or cracked versions of commercial software and keygen programs. When installed, data such as infected device information, account, and history recorded in the browser is collected and sent to a command and control server.

The group behind the development or distribution (or both) of STOP ransomware may be working with the group responsible for developing the Vidar malware.

Conclusion

STOP ransomware has been around for quite some time now. Early occurrences of infections by this ransomware can be traced back to 2019.

Compared to some other ransomware families, the execution standard is low and it’s clear that this ransomware model is affiliation-leaning (working with other malware groups). We were able to link this malware to a different malware, the Vidar Stealer, which has been the case for quite some time.

The encryption is straightforward, with the threat actors not bothering to create their encryption algorithm or deploying any additional modules other than a downloader for a separate malware. The malware uses the Salsa20 algorithm for encryption. It is capable of both online and offline encryption.

This ransomware avoids infecting victims in and near Russia.

The ransomware seems to be targeted towards individuals or small businesses at best, as the asking price for the decryption key is not that high. They even offer an ‘early bird’ discount to top it all off.

References

Deep Analysis of Vidar Stealer — Sojun Ryu
YAYA ruleset for STOP Ransomware — Vishal Thakur
Detections list for STOP Ransomware — Vishal Thakur
IOC list of STOP Ransomware — Vishal Thakur

Intezer Analysis

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.