STOP Ransomware Spreads through Discord, Carrying RedLine Stealer

STOP/Djvu ransomware gang chose a new place to spread its malware: Discord

The infamous STOP/Djvu ransomware has adopted a new distribution tactic. According to a report from Avast Threat Labs, a malware intelligence group, the ransomware's distributors have chosen Discord as a place to spread their malware.

STOP/Djvu spreads in Discord, features RedLine Stealer

According to the latest notifications, STOP/Djvu ransomware is being spread through malicious spam messages in Discord. The senders pretend to offer something useful and share a 7zip archive that contains malware. The archive is encrypted, but the password is very simple: 1234. That is a fairly typical practice when users share files on social networks. Inside the package, however, is an executable file of Djvu malware, probably the .vveo and .vvew variants. The campaign affects users in Argentina, Vietnam, Turkey and Brazil.

The file itself is additionally disguised to lull the victim's vigilance and to avoid detection by some basic anti-malware tools. It has an invalid AVG certificate embedded and is protected with AceCrypter, which can make it possible to pass certificate-based checks. Such a tactic is fairly new for STOP/Djvu ransomware. Earlier, the group masked its malware with a specific repacking that required special database signatures to counteract. Whether the certificate is just an experimental feature or a new approach, only the crooks know.
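A check that only asks whether a certificate is present is what an embedded invalid certificate is meant to satisfy, so triage should ask whether the signature actually verifies. The following PowerShell sketch is an added example, not code from the article or from Avast; the function name `Get-SignatureTriage` and the scan folder are assumptions chosen for illustration.

```powershell
# Added example: sort executables into verified / unsigned / signed-but-invalid.
# Assumption: $ScanRoot is wherever downloaded archives get extracted (hypothetical).
function Get-SignatureTriage {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScanRoot)

    Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.scr' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Only 'Valid' means Windows verified both the file hash and the chain.
            $verdict = switch ($sig.Status) {
                'Valid'     { 'verified' }
                'NotSigned' { 'unsigned' }
                default     { 'signature-present-but-invalid' }  # HashMismatch, NotTrusted, ...
            }

            [pscustomobject]@{
                Path          = $_.FullName
                Verdict       = $verdict
                Status        = $sig.Status
                # The subject name in the blob is only a claim until Status is Valid.
                ClaimedSigner = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Detail        = $sig.StatusMessage
            }
        }
}

# Files carrying a signature that fails verification go to the top of the review queue.
Get-SignatureTriage -ScanRoot "$env:USERPROFILE\Downloads" |
    Where-Object Verdict -eq 'signature-present-but-invalid' |
    Sort-Object Path |
    Format-List Path, Status, ClaimedSigner, Detail
```

A file whose `ClaimedSigner` names a security vendor while `Status` is anything other than `Valid` deserves more scrutiny than an unsigned file, not less.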

The distribution model is also worth a separate note. Previously, the Djvu gang was reportedly creating fake one-day sites offering torrent downloads of popular content. Popular films or sitcoms, new games: they always had a suitable disguise. However, a change like this is common for a group that operates under a Ransomware-as-a-Service scheme. One distribution team may simply be testing this spreading approach.

STOP/Djvu ransomware comes with RedLine stealer

Again, supplementary spyware is nothing new for Djvu ransomware. Earlier versions of this malware carried the legendary Azorult spyware, which appeared in 2016. Since adopting it in 2020, the STOP/Djvu group has been stealthily grabbing victims' credentials to sell them later on the Darknet. RedLine is younger (it has been active since 2020) and has several unique features that possibly make it more desirable for the developers. Again, it is not clear whether this change is temporary or not, since Azorult and RedLine have similar functionality. The worst part is that victims should still change all their passwords after the attack. Otherwise, they may discover that their social network accounts have become part of a botnet.

RedLine Stealer detections on VirusTotal

What is STOP/Djvu ransomware?

This ransomware family deserves a few words. After appearing in 2017, it quickly gained a large share of the ransomware scene. It targets individual users and asks for $450-$900 for file decryption. It uses the AES-256 cipher in CFB mode along with the RSA algorithm. Currently, there are several possible ways to decrypt files after a STOP/Djvu attack, but most of them rely on exploiting offline keys. Cases where files are encrypted with online keys are likely unsolvable, unless you pay the ransom or have your files backed up. It is also possible to get your files back after the gang dissolves, but the likelihood of that is pretty low. The STOP/Djvu gang has been running for too long to cease to exist; in the worst-case scenario it will just decrease its activity.

By Stephanie Adlam
