An infamous STOP/Djvu ransomware adopted a new spreading tactic. According to the report of Avast Threat Labs, a malware intelligence group, ransomware distributors opted for Discord as a place to spread their malware.
STOP/Djvu spreads in Discord, features RedStealer
According to the latest notifications, STOP/Djvu ransomware is getting spread through the malicious spam messages in Discord. Users who pretend to send something useful and want to share a 7zip file with malware. It is ciphered, but the password is very simple – 1234. That is a pretty typical action when users share something on social networks. However, inside of this package there is an executable file of Djvu malware – probably the .vveo and .vvew variants. The threat landscape touches the users from Argentina, Vietnam, Turkey and Brazil.
New campaign spreading on Discord, distributing STOP ransomware and RedLine stealer. The file is shared as an encrypted 7zip attachment. The malware is further protected by AceCrypter and has an embedded (invalid) AVG certificate.
— Avast Threat Labs (@AvastThreatLabs) August 2, 2022
The exact file is additionally disguised – in order to lull the vigilance and avoid the detection of some basic anti-malware tools. It has an invalid AVG certificate embedded and AceCrypter protection, which can make it possible to pass the certificate-based check-ups. Such a tactic is pretty new for STOP/Djvu ransomware. Earlier, they were masking their malware by a specific repacking, that required the special database signatures to counteract. Is the certificate just an experimental feature, or a new approach – only crooks know.
Spreading model is also worth a separate note. Before, Djvu gang was reportedly creating fake one-day sites with torrent downloadings of popular content. Popular films or sitcoms, new games – they always have a suitable disguise. However, it is a common case for the group which applies a Ransomware-as-a-service scheme. One distribution team may just test this spreading approach.
STOP/Djvu ransomware comes with RedLine stealer
Again, the supplementary spyware is not a new thing for Djvu ransomware. Earlier versions of this malware were carrying the legendary Azorult spyware, which appeared in 2016. Since its adoption in 2020, STOP/Djvu group has been stealthily grabbing the victims’ credentials to sell them later in the Darknet. RedLine is younger – it is active since 2020 – and has several unique features that possibly make it more desirable for the developers. Again, that is not clear if such a change is temporal or not – Azorult and RedLine have similar functionality. The worst part of it is that victims still should change all their passwords after the attack. Otherwise, they may uncover their accounts in social networks as a part of a botnet.
What is STOP/Djvu ransomware?
This ransomware family is worth to say several words about. After appearing in 2017, this ransomware quickly gained a large share on the ransomware arena. It aims at individual users, and asks for $450-$900 for file decryption. This ransomware uses AES-256 cipher in CFB mode along with RSA algorithm. Currently, there are several possible solutions to decrypt the files after STOP/Djvu ransomware attack, but most of them rely on exploiting the offline keys. The situations when your files are ciphered with online keys are likely unsolvable – unless you pay the ransom or have your files backed up. There is also the possibility to get your files back after the gang dissolution – but such an occasion has a pretty low possibility. STOP/Djvu gang is running for too long to cease to exist, in the worst case scenario it will just decrease its activity.