DefendAgainst: Ransomware ‘STOP’/DJVU

Introduction

Figure 1: Quick Snapshot of STOP Ransomware

Mitigation

YARA Rule

Figure 2: YARA Ruleset for STOP Ransomware

Detections

Figure 3: Detections

IOC List

Figure 4: IOC list

Execution

Figure 5: Malware Entry-point
Figure 6: Malware copies itself to a different location
Figure 7: Spawning new process with elevated privileges
Figure 8: Geo-location service used by the malware
Figure 9: The specific API-based service the malware uses
Figure 10: Country codes of locations this malware avoids
Figure 11: URI loaded into the stack for processing
Figure 12: Connection to the C2 for public key
Figure 13: Public Key for encryption served by the C2
Figure 14: Encryption Sequence of function calls

CSP — Cryptography Service Provider

Figure 15: Malware query to Registry for the Type of CSP

RegOpenKey

Figure 16: Registry functions used to determine the CSP

RegOpenKeyExA

Figure 17: The absolute Registry path passing through the Registers
Figure 18: The CSP highlighted in the Registry
Figure 19: DLL image path to be called for the CSP
Figure 20: Second function to be called in the Encryption Sequence
Figure 21: Public key loaded
Figure 22: Ransom note ‘write’ initiated
Figure 23: Ransom note loaded into the Stack
Figure 24: Ransom note file written to the current directory
Figure 25: Ransom note with instructions on next steps
Figure 26: Files successfully encrypted

Downloader Module

Figure 27: Downloaded malware — Vidar Stealer

Conclusion

References
