DefendAgainst: Ransomware ‘STOP’/DJVU
In recent weeks, we have observed a spike in infections involving the STOP ransomware variant. STOP is also known as DJVU by other vendors in the industry. In this article, we examine the latest version circulating in the wild: its main characteristics, the detections that can be used to prevent infection, and the IOCs we were able to extract during analysis.
The STOP ransomware has been around for some time, dating back to 2019. The latest version has been distributed broadly in the past few weeks. Like earlier versions, this variant is a portable executable that uses a public key to encrypt data on the victim’s machine and drops a ransom note in each directory as it walks the entire file system, encrypting files with the Salsa20 encryption algorithm. The threat actors behind STOP charge a flat rate of USD 980 for the decryption keys and also offer a ‘discounted’ rate of USD 490 if the victims contact them within 72 hours of the attack. This tactic is consistent with what has been observed in the past for this ransomware group.
The tactics and techniques used by the malware indicate that the threat actors behind it are likely based in the Russian region. The malware explicitly avoids encryption on systems geo-located in or near Russia.
This section provides information that can be used to prevent infection by the STOP ransomware. We have included detections, an IOC list and YARA rules that can be used to defend against this threat.
This YARA rule can be used to detect STOP ransomware. Download the entire ruleset here.
The following figure contains information that can be used to create detections for this malware. Download the entire list here.
The following strings are from the unpacked malware, and these can be found in memory during and after the malware has been fully executed. This information can be used to create detections for EDR tools that can access and read memory and take actions based on detection rules applied.
Download the entire list here.
Once the STOP ransomware executes, it attempts to make a few network connections over the Internet for various purposes, such as geo-checking, key retrieval, and further infection by downloading different malware. First, let’s look at the start of the execution of this malware.
Upon execution, the malware copies itself to the ‘C:\Users\[username]\AppData\Local\[GUID]’ directory on disk and tries to execute with escalated privileges, as shown in the figures below.
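The copy-to-`AppData\Local\[GUID]` behaviour described above is something an incident responder can sweep a file share of collected user profiles for. The following Python script is an added example and is not code from the original article; it looks for PE files (by extension and the ‘MZ’ DOS header) inside GUID-named folders directly under each profile's `AppData\Local`, and builds a constructed sample profile tree so it runs offline. The GUIDs and file names in the sample are made up. Legitimate installers also create GUID-named folders there, so hits are leads to verify (hash, signature, parent process), not verdicts.

```python
import re
import tempfile
from pathlib import Path

# GUID-shaped directory names, with or without surrounding braces, e.g.
# "{3f2b5c7a-1d4e-4a9b-8c2d-0e1f2a3b4c5d}" or "3f2b5c7a-1d4e-4a9b-8c2d-0e1f2a3b4c5d".
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I
)
PE_EXTENSIONS = {".exe", ".dll", ".scr"}


def is_guid_name(name: str) -> bool:
    return GUID_RE.match(name) is not None


def looks_like_pe(path: Path) -> bool:
    """Cheap content check: a PE file starts with the 'MZ' DOS header."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_guid_dir_executables(local_appdata: Path) -> list[str]:
    """Return PE files that sit in GUID-named folders directly under
    <profile>/AppData/Local. Treat results as leads, not verdicts."""
    hits = []
    if not local_appdata.is_dir():
        return hits
    for child in local_appdata.iterdir():
        if child.is_dir() and is_guid_name(child.name):
            for f in child.rglob("*"):
                if f.is_file() and f.suffix.lower() in PE_EXTENSIONS and looks_like_pe(f):
                    hits.append(str(f))
    return sorted(hits)


def scan_users_root(users_root: Path) -> list[str]:
    """Walk every profile under a Users-style directory (e.g. a mounted C:\\Users)."""
    hits = []
    for profile in users_root.iterdir():
        hits.extend(find_guid_dir_executables(profile / "AppData" / "Local"))
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample profile layout; all names here are made up for this demo."""
    local = root / "alice" / "AppData" / "Local"
    bad = local / "{3f2b5c7a-1d4e-4a9b-8c2d-0e1f2a3b4c5d}"
    bad.mkdir(parents=True)
    (bad / "build.exe").write_bytes(b"MZ" + b"\x00" * 62)        # PE in GUID folder -> hit
    benign = local / "Microsoft"
    benign.mkdir()
    (benign / "tool.exe").write_bytes(b"MZ" + b"\x00" * 62)      # PE, but not a GUID folder
    other = local / "9a8b7c6d-5e4f-4a3b-2c1d-0e9f8a7b6c5d"
    other.mkdir()
    (other / "notes.txt").write_text("not an executable")        # GUID folder, no PE
    (other / "fake.exe").write_text("plain text, no MZ header")  # wrong header -> skipped


def demo() -> list[str]:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_users_root(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious executable:", hit)
```

Point `scan_users_root` at a mounted image or a collected profile tree; on a live host the same logic can be run against `C:\Users` from an EDR script.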
The malware then attempts to connect over the Internet to “https://api.2ip.ua/geo.json” to verify the victim’s geolocation. This link leads to a Russian site (screenshot below) that provides geolocation services based on public Internet IP addresses, which the malware uses to ascertain the location of its victims. The malware has a hard-coded list of country codes that is checked before it continues executing on the victim’s system, and it will avoid encrypting victims within these countries.
The site also offers an API-based service that the malware uses to determine the geolocation of the victim machines.
The country code list can be seen in the figure below, showing the codes in memory during execution.
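Because the geo-check happens before any encryption starts, a request to api.2ip.ua/geo.json from a workstation is an early signal worth alerting on. The following Python snippet is an added example, not code from the original article: it parses a constructed, simplified proxy log format (timestamp, client IP, method, URL, status; an assumption, not a real product's format), flags requests to the geo-lookup endpoint named above as high severity, flags other traffic to the 2ip.ua domain as medium, and lists the clients that should be triaged first.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the analysis: the malware's geo-check goes to api.2ip.ua/geo.json.
GEO_CHECK_HOSTS = {"api.2ip.ua"}
GEO_CHECK_PATH = "/geo.json"
GEO_PARENT_DOMAIN = "2ip.ua"

# Constructed log format (assumption): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log lines; the addresses and hosts are made up for this demo.
SAMPLE_LOG = """\
2023-02-01T09:12:01Z 10.0.0.15 GET https://www.example.com/index.html 200
2023-02-01T09:12:44Z 10.0.0.23 GET https://api.2ip.ua/geo.json 200
2023-02-01T09:13:02Z 10.0.0.23 GET http://cdn.example.net/update.bin 200
2023-02-01T09:15:10Z 10.0.0.15 GET https://2ip.ua/ 200
2023-02-01T09:16:30Z 10.0.0.42 POST https://api.2ip.ua/geo.json 404
malformed line that should be skipped
"""


def parse_line(line: str):
    """Return a dict with ts/client/method/url/status/host/path, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path or "/"
    return rec


def flag_geo_lookups(lines):
    """Return one hit per request touching the geo-lookup service, with a severity."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        exact = rec["host"] in GEO_CHECK_HOSTS and rec["path"] == GEO_CHECK_PATH
        related = rec["host"] == GEO_PARENT_DOMAIN or rec["host"].endswith("." + GEO_PARENT_DOMAIN)
        if exact:
            severity = "high"      # the precise endpoint the malware queries
        elif related:
            severity = "medium"    # same service, different path or host
        else:
            continue
        # A failed lookup (non-2xx) is still an attempt and still worth a look.
        hits.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"],
                     "status": rec["status"], "severity": severity})
    return hits


def clients_to_triage(hits):
    """Distinct clients that hit the exact geo-check endpoint, sorted for a ticket."""
    return sorted({h["client"] for h in hits if h["severity"] == "high"})


if __name__ == "__main__":
    found = flag_geo_lookups(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["severity"], h["ts"], h["client"], h["url"], h["status"])
    print("triage first:", clients_to_triage(found))
```

Swap `LOG_RE` for your proxy or DNS log format; the host/path test is the part that carries over unchanged.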
Next, the malware tries to connect to a command and control URI to get the public key for encryption. As we can see in the figure below, it sends a request to this URI with a PID created for the victim.
Once the request is successful, the malware uses the public key with the ID to encrypt the victim’s data.
The malware uses a standard encryption sequence, calling in the functions required to encrypt data from start to finish. The complete sequence can be seen in the figure below, in the order of called functions.
CSP — Cryptographic Service Provider
The malware queries the Registry on the victim machine to set the CSP and CSP type. Note that the type shown in the figure below is ‘Type 001’, which is the ‘RSA Full’ provider.
The malware uses the Registry to set the provider type and subsequently the actual provider, which in this case happens to be RSA Full.
Next, the malware queries the Registry to determine the actual CSP as can be seen in the figure below.
The malware uses the public key obtained from the command and control server to start the process of encryption on the victim’s system.
Once the entire encryption sequence is completed for a directory, the final step is to write a ransom note to the directory with instructions on how to pay the ransom.
The figure below shows the ransom note as strings being passed onto the stack before it is written to the disk.
Finally, the ransom note is written to disk as a .txt file. This process is repeated for every directory in which the malware encrypts data. The figure below shows the newly created ransom note “_readme.txt”.
The ransom note has the instructions on how the victims can pay to get the decryption key and provides a unique ID that the victim needs to use to get the decryption key for their machine. There is also a link to a demo video showing how the decryption tool works. The note also provides a couple of email addresses for the victims to contact the ransomware group if needed.
This version of the STOP ransomware variant encrypts each file and changes its file extension to “.shgv”, as seen in the figure below.
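The two artifacts described above, a “_readme.txt” note in every encrypted directory and the “.shgv” extension on encrypted files, are enough to scope an incident on a mounted drive or share. The following Python triage script is an added example and is not code from the original article: it counts encrypted files, lists the directories holding ransom notes, recovers the original file type where it is still visible in the name before “.shgv” (counting it as unknown otherwise), and reports encrypted directories that have no note, which the note-per-directory behaviour says should be empty after a completed run. It builds a constructed sample tree so it runs offline; every file name in it is made up.

```python
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAME = "_readme.txt"   # note name observed in the analysis
ENCRYPTED_EXT = ".shgv"            # extension used by this version


def triage(root: Path) -> dict:
    """Summarise ransomware artifacts under root without modifying anything."""
    note_dirs = set()
    encrypted = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE_NAME:
            note_dirs.add(str(p.parent))
        elif p.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(p)

    # If the original extension survives before .shgv (e.g. report.docx.shgv) it is
    # recovered from the stem; otherwise the file type is counted as unknown.
    by_type = Counter(Path(p.stem).suffix.lower() or "(unknown)" for p in encrypted)
    encrypted_dirs = {str(p.parent) for p in encrypted}

    return {
        "encrypted_count": len(encrypted),
        "by_original_type": dict(by_type),
        "ransom_note_dirs": sorted(note_dirs),
        "encrypted_dirs": sorted(encrypted_dirs),
        # Directories with encrypted files but no note: a possible interrupted run.
        "encrypted_dirs_without_note": sorted(encrypted_dirs - note_dirs),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample of a partially encrypted share; names are made up."""
    docs = root / "docs"
    (docs / "sub").mkdir(parents=True)
    (docs / "report.docx.shgv").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.shgv").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE_NAME).write_text("constructed placeholder note")
    (docs / "sub" / "data.xlsx.shgv").write_bytes(b"\x00" * 16)   # encrypted, no note
    clean = root / "clean"
    clean.mkdir()
    (clean / "readme.md").write_text("untouched file")
    (root / RANSOM_NOTE_NAME).write_text("constructed placeholder note")  # note only


def demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    result = demo()
    print("encrypted files:", result["encrypted_count"], result["by_original_type"])
    print("directories with ransom note:", len(result["ransom_note_dirs"]))
    print("encrypted directories missing a note:", result["encrypted_dirs_without_note"])
```

Run `triage` against a read-only mount of the affected volume; the per-type breakdown tells you quickly which data classes were hit, and the note-less directories are where to look for files the malware may not have finished with.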
Aside from performing common ransomware activities, this malware also tries to download and execute other malware:
This downloaded PE is a variant of the Vidar malware family.
Vidar Stealer is information-stealing malware, mainly distributed via spam mail or as cracked versions of commercial software and keygen programs. Once installed, it collects data such as information about the infected device, account credentials, and browser history, and sends it to a command and control server.
The group behind the development or distribution (or both) of STOP ransomware may be working with the group responsible for developing the Vidar malware.
STOP ransomware has been around for quite some time now. Early occurrences of infections by this ransomware can be traced back to 2019.
Compared to some other ransomware families, the quality of execution is low, and it is clear that this ransomware model leans on affiliation (working with other malware groups). We were able to link this malware to a different malware family, the Vidar Stealer, a link that has existed for quite some time.
The encryption is straightforward: the threat actors did not bother to create their own encryption algorithm or to deploy any additional modules other than a downloader for a separate malware. The malware uses the Salsa20 algorithm for encryption. It is capable of both online and offline encryption.
This ransomware avoids infecting victims in and near Russia.
The ransomware seems to be targeted at individuals or, at most, small businesses, as the asking price for the decryption key is not that high. They even offer an ‘early bird’ discount to top it all off.