OCTOBER 18, 2023
This blog post comes from the “Stop/Djvu Ransomware Technical Analysis” by the Brandefense CTI Analyst Team. For more details about the analysis, download the report.
Stop/Djvu ransomware is a malicious program that encrypts all files on the system to make them inaccessible, and it can use many different extensions to mark encrypted files. The malware also drops a ransom note named _readme.txt in each folder. The cybercriminals demand a ransom payment in exchange for data decryption tools.
The ransom note contains two email addresses that victims are instructed to contact within 72 hours to avoid the price of the decryption tools increasing from $490 to $980. It emphasizes that decryption of the files is only possible by purchasing the decryption software together with a unique key.
The analyzed malware exhibits multiple functionalities. Upon execution, it loads additional libraries, generates shellcode at runtime, and creates a copy of itself. The main payload is then injected, and a UUID is generated to serve as the name of the directory into which the malware is copied. The malware uses XOR encryption with a hardcoded key to decrypt the strings it needs at runtime, and it hashes the buffer containing the MAC address with MD5.
To achieve persistence, the ransomware uses the ITaskService interface of the Task Scheduler COM object to create a scheduled task, and it also creates a mutex. Once persistence is established, the malware encrypts all files on the system and communicates with its C2 server using WinINet functions.
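Because the sample copies itself into a UUID-named directory and registers a scheduled task to run from there, the combination of those two traits is a useful hunting signal in exported task definitions. The following script is an added example for this summary, not code from the Brandefense report: it parses Task Scheduler XML (the format produced by `schtasks /query /xml` or found under `C:\Windows\System32\Tasks`) and flags any task whose action executes a binary from a UUID-named directory under a user-writable location. The list of user-writable roots and the two sample task definitions are constructed assumptions; the report does not state which parent directory the sample uses.

```python
"""Hunt Task Scheduler XML definitions for a task that runs an executable out of
a UUID-named directory in a user-writable location. Added example; the sample
task XML and the directory list are constructed, not from the analyzed sample."""
import re
import xml.etree.ElementTree as ET

# Real namespace used by Windows Task Scheduler XML definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Matches a directory component that is a UUID, with or without braces.
UUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I)

# Hypothetical set of user-writable roots to treat as suspicious launch points;
# tune this to your environment.
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%", "\\users\\", "\\appdata\\")

def exec_commands(task_xml: str) -> list[str]:
    """Return every <Exec><Command> path declared in the task's actions."""
    root = ET.fromstring(task_xml)
    return [c.text.strip() for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)
            if c.text]

def has_uuid_directory(path: str) -> bool:
    """True if any directory component (not the filename) is a UUID."""
    parts = re.split(r"[\\/]", path.strip('"'))
    return any(UUID_RE.match(p) for p in parts[:-1])

def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(root in p for root in USER_WRITABLE)

def assess_task(task_xml: str) -> list[str]:
    """Return a list of findings for one task definition; empty means no hit."""
    findings = []
    for cmd in exec_commands(task_xml):
        if has_uuid_directory(cmd) and in_user_writable(cmd):
            findings.append(f"task runs binary from UUID-named user-writable dir: {cmd}")
    return findings

def _task(command: str) -> str:
    """Build a minimal, schema-shaped task definition around a command path."""
    return f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

# Constructed samples: one shaped like the behaviour described above, one benign.
SUSPICIOUS_TASK = _task(r"%LocalAppData%\7f3a1c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b\sample.exe")
BENIGN_TASK = _task(r"C:\Program Files\ExampleVendor\updater.exe")

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", assess_task(xml_text) or "no finding")
```

Run it over a whole tree of exported tasks by feeding each file's contents to `assess_task`; pair any hit with the mutex and file-hash IoCs from the report before treating it as confirmed.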
File Name: 7d208dd86e75c9c5900a85b08ef0b070.exe
MD5: 7d208dd86e75c9c5900a85b08ef0b070
SHA-1: 79a453d4e5403307b54205094ded4e5ff0382c71
SHA256: 4380c45fd46d1a63cffe4d37cf33b0710330a766b7700af86020a936cdd09cbe
File Name: stop.exe
MD5: 74c7126ff188eb5f72fee4b4eb4cfc23
SHA-1: c9545f039159ceb8413b2ca6d83b06dca86b5839
SHA256: adeb345ba0d60fecdb0823d0cb713c933900ecb545025ec8cc3f442d844af24b
Stop/Djvu is a family of ransomware that was first discovered in 2018. The malware was originally designed to encrypt user files and demand a ransom payment for their decryption. In 2019, a new variant of Stop/Djvu emerged that used a different encryption algorithm, making it more difficult to decrypt files without paying the ransom. Since then, new ransomware variants have continued to be released, with the most recent versions using more advanced obfuscation techniques to evade detection.
Stop/Djvu primarily targets individual users and small businesses running Windows operating systems. The delivery method typically involves the use of software cracks or illegal activation tools, which are often downloaded from torrent sites or other untrustworthy sources. These cracks or activation tools are disguised as legitimate software and can be bundled with Stop/Djvu ransomware, infecting the victim’s system upon installation.
Another delivery method involves spam emails containing malicious attachments, such as fake invoices or job offers, which download and execute the ransomware when opened.
![[Research Summary]: Stop/Djvu Ransomware 1 behaviour graph for stop/djvu ransomware](https://brandefense.io/wp-content/uploads/2023/10/behaviourgraph_result-34.png)
Download IoCs and YARA Rules from GitHub.