STOP/Djvu Ransomware
September 06, 2024
What is STOP/Djvu Ransomware?
Ransomware is the most unpleasant thing you can encounter in cyberspace. Not only do the attackers often demand colossal sums of money, but even after the ransom is paid, it is not always possible to decrypt the files correctly.
| Family | STOP/Djvu Ransomware |
| --- | --- |
| File Extensions | hlas, qual, waqa, watz, veza, vehu, vepi, paaa, qeza, qehu, qepi, etc. |
| Ransom Note | _readme.txt |
| Algorithm | Salsa20 |
| Ransom | From $999 to $1999 (in Bitcoins) |
| Detection | Ransom.Win32.STOP.bot, Ransom.Win32.STOP.gd, Ransom.Win32.STOP.dd, Ransom.Win32.STOP.vb |
| Damage | |
| Distribution | |
STOP/Djvu is just one of many threats that share common characteristics and origins with STOP ransomware, but the targeted file types and the extensions appended to encrypted files differ between them. The ransomware got its nickname because one of the first versions of the program added the *.djvu extension to encrypted files. However, it is worth noting that *.djvu is a legitimate file format that AT&T developed for storing scanned documents, similar to the Adobe *.pdf format.
[Figure: Received STOP/Djvu Samples]
How does it work?
Although the original STOP ransomware was discovered back in February 2018, it has since evolved, and its family of clones and offshoots has grown. The new DJVU variants include several layers of obfuscation, which aim to slow down verification by researchers as well as automated analysis tools. STOP/DJVU uses RSA encryption and is one of the most common ransomware families, focusing on Windows operating systems. There are two kinds of key: offline and online.
- OFFLINE KEY - indicates that the files were encrypted in offline mode.
- ONLINE KEY - was generated by the ransomware server. It means that the ransomware server generated a random set of keys that were used to encrypt the files. Decrypting such files is not possible.
There are about 600 STOP/DJVU variants. Hence, the extensions added to encrypted files differ among them: .hlas, .qual, .waqa, .watz, .veza, .vehu, .vepi, .paaa, .qeza, .qehu, .qepi, and others. After STOP/DJVU invades the system, it automatically downloads various programs that help the ransomware encrypt all the files without interruption. At the end of the encryption, a text file is left with instructions for the victim to contact the group and pay the ransom. Unfortunately, there is no guarantee that you can restore your files after you pay the ransom.
STOP/Djvu Ransom Note: "_readme.txt"
The ransom note is the same for the whole ransomware family. In fact, it is one of the main signs of which family a particular ransomware sample belongs to. Here is the typical note for the STOP/Djvu family:
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
Do not ask assistants from youtube and recovery data sites for help in recovering your data.
They can use your free decryption quota and scam you.
Our contact is emails in this text document only.
You can get and look video overview decrypt tool.
Price of private key and decrypt software is $999.
Discount 50% available if you contact us first 72 hours, that's price for you is $499.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
****************
How does STOP/Djvu infection happen?
Since DJVU has no predetermined infection method, its infection vector can vary. Because of this, attackers have a reasonably flexible approach, making it difficult for defenders to predict and detect initial signs of compromise. For example, spam emails with malicious attachments were once the primary method of spreading the ransomware. However, STOP/Djvu can also masquerade as a wide range of file types on pirate torrent sites.
Pirate software and torrents
The most common way to catch this contagion is attempting to download cracked software with the license check disabled. However, since antivirus software almost always reacts to keygens, the description of such programs usually says, "disable antivirus software during installation". Thus, the user himself gives the green light to the ransomware.
Fake .exe
Another popular infection route is through fake file extensions. For example, inexperienced users trying to download some file, such as a Word document, may come across a file with a double *.docx.exe extension. In this case, the last extension is the real one, which the user most likely won't even notice, as the file icon will be identical to that of an actual .docx file. Therefore, keeping an eye on the extensions of the files you download to your computer is essential.
Malicious scripts
STOP/Djvu ransomware can also spread through malicious scripts. Usually, such scripts can be found on suspicious sites. For example, if you visit many porn sites on unsafe networks or share files using these platforms, sooner or later your computer will be infected. In addition, clicking on misleading pop-ups or banners on these platforms can lead to frequent redirects of your browser to the malicious site. Finally, when you sign up for alerts or push notifications on these platforms, the malware will gain access to your computer.
Spam
Criminals send spam emails with fake information in the header, leading the victim to believe it was sent by a shipping company such as DHL or FedEx. The email tells the victim that they tried to deliver the package to you but were unsuccessful. Sometimes emails claim to be notices of a shipment you made. However, the email contains an attached infected file. Opening it will not end well.
Also, DJVU often collaborates with other malware: Redline, Vidar, Amadey, DcRat, etc. For example, it can deploy information stealers on the victim's device before encrypting it. This relationship with other malware families makes DJVU even more destructive. In addition, DJVU itself can be deployed as a payload of the SmokeLoader family of malware droppers.
Step by step STOP/Djvu execution
STOP/Djvu ransomware begins its execution chain with several levels of obfuscation designed to slow down the analysis of its code by threat analysts and automated sandboxes. DJVU's malicious activity begins when it changes the memory protection of a heap region of the executable in order to load some encrypted shellcode contained in the initial Portable Executable (PE). This first stage of the shellcode is encrypted using the Tiny Encryption Algorithm (TEA). The malware authors made a separate effort to hide the encryption constants as an additional anti-analysis measure. This was probably done to avoid detection, since TEA is commonly used by malware and its constants are an easy signature.
This first shellcode stage then unpacks the second, which is encrypted using a basic XOR algorithm where the key is changed using a predictable pseudorandom number generation algorithm. It is then loaded into memory using the more usual VirtualAlloc method. The second shellcode stage starts a new process using the same binary. Finally, it uses process hollowing to inject an unpacked copy of the malware into the new process. This is where the payload finally starts to work.
The threat's malicious activity begins by figuring out where the victim's device is geographically located. To do this, it checks the device's location using a GeoIP lookup service, sending a GET request to api.2ip.ua/geo.json.
Next, the malware connects to this site using InternetOpenUrlW and reads the geo.json response via InternetReadFile. After receiving the answer, the malware compares it with a list of Commonwealth of Independent States (CIS) country codes. If the victim's country code matches one of the following countries, the payload is not executed and the malware terminates. Here's a list of countries* where the ransomware will not work:
- RU - Russia
- BY - Belarus
- KZ - Kazakhstan
- UZ - Uzbekistan
- TJ - Tajikistan
- KG - Kyrgyzstan
- AZ - Azerbaijan
- UA - Ukraine**
- AM - Armenia
- SY - Syria
The authors of STOP/Djvu have Russian roots. The fraudsters use the Russian language and Russian words written in English, and the domains are registered through Russian domain-registration companies.
The malware creates a folder inside the %\AppData\Local\% directory. The new folder is named using a randomly generated version 4 UUID obtained through the UuidCreate and UuidToStringW functions. Once the folder is created using CreateDirectoryW, the malware places a copy of itself inside that location.
Next, the malware uses "icacls.exe," a Windows command-line utility, to protect this folder, and then attempts to run DJVU with elevated permissions. It uses the ShellExecute APIs with the verb "runas" to try to rerun itself with administrator rights. Depending on the setup of the victim's machine, a User Account Control (UAC) dialog box may be displayed, asking the user to grant administrator rights to the process. If the malware runs with these privileges, it is able to encrypt more critical files on the system.
The payload is launched with elevated permissions with the "-Admin IsNotAutoStart IsNotTask" arguments. STOP/Djvu ransomware then creates persistence through the Task Scheduler using schtasks.exe; since this is a well-known method of creating tasks, it is more likely to be detected.
The payload then extracts the MAC address of the network card and creates an MD5 hash of that address. It then uses that MD5 hash to connect to the malicious C2 server via the URL hxxps[:]//acacaca[.]org/d/test1/get.php?pid={MAC Address_MD5}&first=true. The response to this request is stored in the file "Bowsakkdestx.txt", located in the %\AppData\Local\% directory.
The value stored in this file is the public key and identifier. The threat also saves the identifier in the newly created file C:\SystemID\PersonalID.txt.
Once the keys are saved, the malware also connects to two additional domains, one of which has been identified as serving the RedLine infostealer since November 2022. These URLs are:
To further persist, the malware creates a registry startup key called "SysHelper" under the registry path "HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run".
Then, before the encryption process begins, the malware creates a mutex named "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}". Ransomware often creates mutexes to avoid encrypting files twice, which would make them unrecoverable. The malware also contains a hard-coded public key and identifier.
During the encryption process, the Djvu Ransomware skips the following files and extensions:
- ntuser.dat
- ntuser.dat.LOG1
- ntuser.dat.LOG2
- ntuser.pol
- *.regtrans-ms
- *.sys
- *.ini
- *.blf
- *.bat
- *.lnk
The STOP/Djvu ransomware also contains an exclusion list of primary folders that are part of the Windows operating system. Additionally, the malware searches for a hard-coded file name with a .jpg extension; however, the purpose of searching for this file is unclear. Finally, during the encryption process, the malware saves the _readme.txt file in the root of the C:\ drive.
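The execution chain above leaves a recognisable trail on the host (the UUID-named folder under %AppData%\Local, icacls on that folder, the "-Admin IsNotAutoStart IsNotTask" rerun, schtasks persistence, the GeoIP lookup, Bowsakkdestx.txt, PersonalID.txt, the SysHelper Run value and _readme.txt in C:\). The following is an added example, not code from the original article: it scores each host by how many of those stages appear in its telemetry. The JSON-lines field names (host, type, image, cmdline, path, key, value, query) and the sample events are constructed assumptions, loosely modelled on Sysmon; real telemetry will use different names.

```python
import json
import re

# Constructed JSON-lines telemetry (not real logs): an infected host, ws1, plus a
# benign host, ws2, that only created a scheduled task. Field names are assumptions.
SAMPLE_LOG = r"""
{"host":"ws1","type":"dns","query":"api.2ip.ua"}
{"host":"ws1","type":"process","image":"C:\\Windows\\System32\\icacls.exe","cmdline":"icacls C:\\Users\\bob\\AppData\\Local\\1b4e28ba-2fa1-4b7e-9d3c-3a1f2e4c5d6e\\ /deny *S-1-1-0:(OI)(CI)(DE,DC)"}
{"host":"ws1","type":"process","image":"C:\\Users\\bob\\AppData\\Local\\1b4e28ba-2fa1-4b7e-9d3c-3a1f2e4c5d6e\\setup.exe","cmdline":"setup.exe -Admin IsNotAutoStart IsNotTask"}
{"host":"ws1","type":"process","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /Create /SC MINUTE /TN PlaceholderTask /TR C:\\Users\\bob\\AppData\\Local\\1b4e28ba-2fa1-4b7e-9d3c-3a1f2e4c5d6e\\setup.exe"}
{"host":"ws1","type":"file","path":"C:\\Users\\bob\\AppData\\Local\\Bowsakkdestx.txt"}
{"host":"ws1","type":"file","path":"C:\\SystemID\\PersonalID.txt"}
{"host":"ws1","type":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"SysHelper"}
{"host":"ws1","type":"file","path":"C:\\_readme.txt"}
{"host":"ws2","type":"process","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /Create /TN Backup /TR C:\\Tools\\backup.exe"}
"""

# A random version 4 UUID directory directly under %AppData%\Local, as the article describes.
UUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\\", re.I)

def _low(e, k):
    return e.get(k, "").lower()

# (rule name, event type, predicate). Every indicator is taken from the article text.
RULES = [
    ("geoip_lookup",         "dns",      lambda e: _low(e, "query") == "api.2ip.ua"),
    ("icacls_on_uuid_dir",   "process",  lambda e: "icacls" in _low(e, "image") and bool(UUID_DIR.search(e.get("cmdline", "")))),
    ("admin_rerun_args",     "process",  lambda e: "admin isnotautostart isnottask" in _low(e, "cmdline")),
    ("schtasks_create",      "process",  lambda e: "schtasks" in _low(e, "image") and "/create" in _low(e, "cmdline")),
    ("bowsakkdestx_keyfile", "file",     lambda e: _low(e, "path").endswith(r"\appdata\local\bowsakkdestx.txt")),
    ("personal_id_file",     "file",     lambda e: _low(e, "path") == r"c:\systemid\personalid.txt"),
    ("syshelper_run_key",    "registry", lambda e: _low(e, "value") == "syshelper" and _low(e, "key").endswith(r"\currentversion\run")),
    ("readme_in_c_root",     "file",     lambda e: _low(e, "path") == r"c:\_readme.txt"),
]

def match_events(log_text):
    """Map each host to the set of chain stages observed in its events."""
    hits = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        for name, etype, pred in RULES:
            if ev.get("type") == etype and pred(ev):
                hits.setdefault(ev.get("host", "?"), set()).add(name)
    return hits

def flag_hosts(log_text, min_stages=3):
    """One stage alone (any schtasks /Create, say) is noise; several together are the chain."""
    return {h: sorted(s) for h, s in match_events(log_text).items() if len(s) >= min_stages}
```

Running `flag_hosts(SAMPLE_LOG)` reports only ws1; ws2's lone scheduled task stays below the threshold.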
Recover Files Encrypted by STOP/Djvu
You can, of course, pay the scammers a ransom, but they are scammers, so there is no guarantee that you will get the decryption key. Furthermore, the fraudsters may ignore you after payment, leaving you with nothing to do but look for an alternative way to recover your files. There are certain restrictions on which files can be recovered. Files encrypted with offline keys that the Emsisoft Decryptor developers have obtained can be decrypted properly. However, files encrypted with an ONLINE ID cannot be decrypted, nor can files from some of the latest STOP/DJVU variants developed after August 2019. As for older versions, files can also be decrypted using encrypted/source file pairs submitted through the STOP Djvu Submission portal.
How to avoid becoming infected?
While there is no golden rule regarding avoiding ransomware, you should follow specific rules to keep your files safe and your computer system clean. Protecting against ransomware is important because crypto-based computer viruses can permanently damage your files. The following are some tips to help prevent a ransomware infection or to help mitigate the effects:
Back up your valuable data
A backup is the best way to protect your data. So back up your data to a separate medium that won't be connected to your system. Of course, you don't need to back up everything - just the most essential files. Some ransomware can also corrupt files stored in online data clouds, so an external hard drive lying in a drawer is the best option.
Always keep your software and OS up to date
Having an up-to-date system and software means having the best possible versions at the time. Using outdated software increases the chances of your PC being hacked or infected. Software developers release updates to fix bugs and vulnerabilities, and installing them closes weaknesses in the software and prevents hackers from exploiting them.
Be careful online
Being cautious online helps prevent ransomware attacks. We suggest following these tips to recognize and avoid dangerous content online:
- Don't open emails from people you wouldn't expect to write to you.
- Avoid attractive but suspicious links and ads.
- Take your time.
- Use strong passwords.
- Stay away from torrents that advertise hacked software or keygens.
Use reliable security software
Installing a reliable security tool is the most effective way to prevent ransomware attacks. Equally important is to update your security software regularly. In addition, you should choose robust antivirus software.
STOP/Djvu Ransomware IoC