STOP/Djvu Ransomware - What is it?

STOP/Djvu Ransomware uses the Salsa20 encryption algorithm. This ransomware family is one of the most popular infection in 2024 year.

You may be interested in taking a look at our other antivirus tools:
Trojan Killer, Trojan Scanner and Online Virus Scanner.

What is STOP/Djvu Ransomware? - Keep Your Privacy Well

STOP/Djvu Ransomware

January 22, 2024

You're not alone if your JPEG images are encrypted by STOP/Djvu ransomware. Many people face these issues with their photos and videos and victims cannot access them after ransomware attacks.

What is STOP/Djvu Ransomware?

Ransomware is the most unpleasant thing you can encounter in cyberspace. Not only do they often ask for colossal sums of money, but even after paying the ransom, it is only sometimes possible to decrypt these files correctly.

FamilySTOP/Djvu Ransomware
File Extensions looy, vook, kool, nood, wiaw, wisz, lkfr, lkhy, ldhy, cdxx, cdcc, and etc.
Ransom Note_readme.txt
AlgorithmSalsa20
RansomFrom $999 to $1999 (in Bitcoins)
DetectionRansom.Win32.STOP.bot, Ransom.Win32.STOP.gd, Ransom.Win32.STOP.dd, Ransom.Win32.STOP.vb
Damage
  1. ⮞ Encrypts only first 150Kb of files;
  2. ⮞ Can delete Volume Shadow copies to make victim’s attempts to restore data impossible;
  3. ⮞ Installs password-stealing malware Redline, Vidar, Amadey, DcRat on the victim's device before encryption;
Distribution
  1. ⮞ Pirate software and torrents;
  2. ⮞ Malicious scripts;
  3. ⮞ Shady sites offering to download videos.

STOP/Djvu is just one of many threats that share common characteristics and origins with STOP ransomware, but some methods of affecting file types and encrypting file extensions differ. Ransomware got its nickname because one of the first integrations of the program added the *.djvu extension to encrypted files. However, it is worth noting that *.djvu is a legitimate file format that AT&T developed for storing scanned documents, similar to the Adobe *.pdf format.

Received STOP/Djvu Samples

How it works?

Although the original STOP ransomware was discovered back in February 2018, it has since evolved, and its family of clones and offshoots has grown. The new DJVU variants include several layers of obfuscation, which aim to slow verification by researchers as well as automated analysis tools. STOP/DJVU uses RSA encryption, one of the most commonly used ransomware groups, focusing on Windows operating systems. There are two key options, offline and online keys.

  • OFFLINE KEY - indicates that the files are encrypted in offline mode.
  • ONLINE KEY – was generated by the ransomware server. It means that the ransomware server generated a random set of keys used to encrypt files. Decrypt such files is not possible.

As previously mentioned, there are about 600 STOP/DJVU variants. Hence, extensions added to the encrypted files are different among them: .looy, .vook, .kool, .nood, .wiaw, .wisz, .lkfr, .lkhy, .ldhy, .cdxx, .cdcc, and others. After STOP/DJVU invades the system, it automatically downloads various programs that help the ransomware encrypt all the files without interruption. At the end of the encryption, a text file is left with instructions for the victim to contact the group to pay the ransom. Unfortunately, there is no guarantee that you can restore your files after you pay the ransom.

STOP/Djvu Ransom Note: "_readme.txt"

Ransom note is the same for the whole ransomware family. In fact, it is one of the main signs of to which family the certain ransomware belongs. Here is the typical note for STOP/Djvu family:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
Do not ask assistants from youtube and recovery data sites for help in recovering your data.
They can use your free decryption quota and scam you.
Our contact is emails in this text document only.
You can get and look video overview decrypt tool:
https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a
Price of private key and decrypt software is $999.
Discount 50% available if you contact us first 72 hours, that's price for you is $499.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
****************

How does STOP/Djvu infection happen?

Since DJVU has no predetermined infection method, the infection vector of DJVU can vary. Because of this, attackers have a reasonably flexible approach, making it difficult for defenders to predict and detect initial signs of compromise. For example, spam emails using corrupted attachments were the primary method of spreading ransomware. However, STOP/Djvu can masquerade as a wide range of file types on pirate torrent sites.

Pirate software and torrents

The most common ways to catch this contagion are attempts to download hacked software with the license check disabled. However, since antivirus almost always react to keygens, the description of such programs usually says, "disable antivirus software during installation". Thus, the user himself gives the green light to the ransomware.

Fake .exe

Another popular infection route is through fake file extensions. For example, inexperienced users trying to download some file, such as a word document, may come across a file with a double *.dox.exe extension. In this case, the last extension will be the real one, which the user most likely won't even notice, as the file icon will be identical to the actual .dox file. Therefore, keeping an eye on the extensions, you download to your computer is essential.

Malicious scripts

STOP/Djvu ransomware can also spread through malicious scripts. Usually, such scripts can be found on suspicious sites. For example, when you visit many porn sites on unsafe networks or share files using these platforms, sooner or later it will infect your computer sooner or later. In addition, when you click on misleading pop-ups or banners on these platforms, it can lead to frequent redirects of your browser to the site. Finally, when you sign up for alerts or push notifications on these platforms, the malware will gain access to your computer.

Spam

Criminals send spam emails with fake information in the header, leading the victim to believe it was sent by a shipping company such as DHL or FedEx. The email tells the victim that they tried to deliver the package to you but were unsuccessful. Sometimes emails claim to be notices of a shipment you made. However, the email contains an attached infected file. Opening it will not end well.

Also, DJVU often collaborates with other malware: Redline, Vidar, Amadey, DcRat, etc. For example, it can deploy information stealers on the victim's device before encrypting it. This relationship with other malware families makes DJVU even more destructive. In addition, DJVU itself can be deployed as a payload of the SmokeLoader family of malware droppers.

Step by step STOP/Djvu execution

STOP/Djvu ransomware begins its execution chain with several levels of obfuscation designed to slow down the analysis of its code by threat analysts and automated sandboxes. DJVU's malicious activity begins when it re-protects the heap section for the executable file to load some encrypted shellcode contained in the starting Portable Executable (PE). This first stage of the shellcode is encrypted using the Tiny Encryption Algorithm (TEA). The malware authors made a separate effort to hide the encryption constants as an additional method of anti-analysis. This was probably done to avoid detection since malware usually uses the TEA algorithm.

This first shellcode stage then unpacks the second, encrypted using a basic XOR algorithm, where the key is changed using a predictable pseudorandom number generation algorithm. It is then loaded into memory using the more usual Virtual Alloc method. The second step of the shell code starts a new process using the same binary. Finally, it uses a process cleanup to inject an untangled copy of the malware into the new process. This is where the payload finally starts to work.

The threat's malicious activity begins by figuring out where the victim's device is territorially located. To do this, it checks the device's location using the GeoIP search service using the following GET request to api.2ip.ua/geo.json.

2ip-ua

Next, the malware connects to this site using InternetOpenUrlW and reads the geo.json response via InternetReadFile. After receiving the answer, the malware compares it with the list of Commonwealth of Independent States (CIS) country codes. Suppose the victim country code matches one of the following countries. In that case, the payload is not executed, and the malware ceases to exist. Here's a list of countries* where the ransomware will not work:

  • RU - Russia
  • BY - Belarus
  • KZ - Kazakhstan
  • UZ - Uzbekistan
  • TJ - Tajikistan
  • KG - Kyrgyzstan
  • AZ - Azerbaijan
  • UA - Ukraine**
  • AM - Armenia
  • SY - Syria
* the execution continues if the country does not match the countries on this list. ** After the russian war in Ukraine, cybercriminals excluded Ukrainian ips from the list of untouchables.
The authors of STOP/Djvu have Russian roots. The frauds use the Russian language and Russian words written in English and the domains registered through Russian domain-registration companies.

The malware creates a folder inside the %\AppData\Local\% directory. The new file is named using a randomly generated Version4 UUID using the UuidCreate and UuidToStringW functions. When a folder is created using CreateDirectoryW, the malware creates a copy of itself inside that location.

Protect folder that attempts to run DJVU with elevated permissions

Next, the malware uses "icacls.exe," a Windows command-line utility tool, to protect this folder with a command that attempts to run DJVU with elevated permissions. It then uses the ShellExecute APIs with the verb "runas" to try to rerun itself with administrator rights. Depending on the setup of the victim's machine, an account control (UAC) dialog box may be displayed, asking the system to grant administrator rights to the process. If the malware runs with these privileges, it allows encrypting of more critical files on the system.

try to rerun itself with administrator rights

The payload is launched with elevated permissions with "-Admin IsNotAutoStart IsNotTask" arguments. STOP/Djvu ransomware then creates persistence through the job scheduler using schtasks.exe as known methods of creating tasks, which means they are more likely to be detected.

Schtasks.exe executable

The payload then extracts the MAC address of the network card and creates an MD5 hash of that address. Does it then use that MD5 hash to connect to the malicious C2 system via the URL: hxxps[:]//acacaca[.]org/d/test1/get.php?pid={MAC Address_MD5}&first=true. The response to this message is stored in the file "Bowsakkdestx.txt", located in the %\AppData\Local\% directory.

Bowsakkdestx.txt

The value stored in this file is the public key and identifier. The threat also saves the identifier in the newly created file C:\SystemID\PersonalID.txt.

PersonalID.txt

Once the keys are saved, the malware also binds to two additional domains, one of which has been identified as serving the RedLine infostealer since November 2022. These urls are:

Redline infostealer

To further save, the malware creates a registry startup key called "SysHelper" under the registry path "HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run".

SysHelper

Then, before the encryption process begins, the malware creates a mutex named "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}". Ransomware often creates mutexes to avoid double encryption, making the file unrecoverable. The malware also contains a hard-coded public key and identifier.

1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D

During the encryption process, the Djvu Ransomware skips the following files and extensions:
  • ntuser.dat
  • ntuser.dat.LOG1
  • ntuser.dat.LOG2
  • ntuser.pol
  • *.regtrans-ms
  • *.sys
  • *.ini
  • *.blf
  • *.bat
  • *.lnk

The STOP/Djvu ransomware also contains an exclusion list referring to primary folders that are part of the Windows operating system. Additionally, the malware searches for a hard-coded file name with a .jpg extension. However, the purpose of searching for this file needs to be clarified. Finally, during the encryption process, the malware saves the _readme.txt file in the root of the C:\ drive.

Recover Files Encrypted by STOP/Djvu

You can, of course, pay the scammers a ransom, but they are scammers, so there is no guarantee that you will get the decryption key. Furthermore, fraudsters may ignore you after payment and have nothing to do but look for an alternative way to recover your files. There are certain restrictions on what files can be recovered. So you can adequately decrypt information encrypted with offline keys that Emsisoft Decryptor developers have. However, you cannot decrypt files with ONLINE ID, and some latest STOP/DJVU forms developed after August 2019. As for older versions, files can also be decrypted using the encrypted/source file pairs provided on the STOP Djvu Submission portal.

How to avoid becoming infected?

While there is no golden rule regarding avoiding ransomware, you should follow specific rules to keep your files safe and your computer system clean. Protecting against ransomware is important because crypto-based computer viruses can permanently damage your files. The following are some tips to help prevent a ransomware infection or to help mitigate the effects:

Back up your valuable data

A backup is the best way to protect your data. So back up your data to a separate medium that won't be connected to your system. Of course, you don't need to back up everything - just the most essential files. For example, some ransomware viruses can corrupt files stored in online data clouds, so an external hard drive lying in a drawer will be the best option.

Always keep your software and OS up to date

Having an up-to-date system and software means having the best possible versions at the time. Using outdated software increases the chances of your PC being hacked or infected. Software developers release updates to fix bugs, vulnerabilities, and bugs, and installing them means improving weaknesses in the software and preventing hackers from exploiting them.

Be careful online

Being cautious online helps prevent ransomware attacks. We suggest following these tips to recognize and avoid dangerous content online:

  • Don't open emails from people you wouldn't expect to write to you.
  • Avoid attractive but suspicious links and ads.
  • Take your time.
  • Use strong passwords.
  • Stay away from torrents that advertise hacked software or keygens.

Use reliable security software

Installing a reliable security tool is the most effective way to prevent ransomware attacks. Equally important is to update your security software regularly. In addition, you should choose robust antivirus software.

STOP/Djvu Ransomware IoC

Ransom.Win32.STOP.tr9f24cff00ff55730e61d9fd9a182f92f272735ba6ce55bc93bdc7ea24424dc42
Ransom.Win32.STOP.tr!nfe2090450e9761da52fcd037934553d061fd0b395ad260dff3b81c30c202a10c
Ransom.Win32.STOP.cae6c6ad948e9ad054f789500a6fda9485c861af7b48ae04001a8fc555ac0b3be5
Ransom.U.STOP.tre3683f1a58054c1166a94d5758848ed053777c7dc575a7af69c938b39f204eb5
Ransom.Win32.STOP.tr!n2f7bc154ff7f15135f69a43f738760b3a45b677a36b734d3e9e0c1c7cd897849
Ransom.Win32.STOP.dg!se518564bd534e4e7aa468cda99bc33a82a58d7f36af31dba86db564f7f31925c36e6e0
Ransom.Win32.STOP.tr!n9737047a6cf9c18ad4eb8eff4d7b090453dd69d1b64f0c2ffe7a5deab121e637
Ransom.U.STOP.bote18bc2317c31573d38c7c5efccee627f756d98ce13b635747a362dd7369f611d
Ransom.Win32.STOP.tr235af59d3bc2171c77c0dabcb5add1ef12de8980cf1e700277288982e81eb47c
Ransom.Win32.STOP.tr97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98