# The ‘STOP’ Ransomware Variant

[angle.ankura.com/post/102het9/the-stop-ransomware-variant](https://angle.ankura.com/post/102het9/the-stop-ransomware-variant)

Vishal Thakur

In recent weeks, we have observed a spike in infections involving the STOP ransomware variant. STOP is also known as DJVU by other vendors in the industry. In this article, we look at the latest version circulating in the wild: its main characteristics, detections that can be used to prevent infection, and the IOCs we were able to extract during analysis.

The STOP ransomware has been around for some time, dating back to 2019. The latest version has been distributed broadly in the past few weeks. Like earlier versions, this variant is a portable executable that uses a public key to encrypt data on the victim’s machine and drops a ransom note in each directory as it walks the entire file system, encrypting files with the Salsa20 algorithm.

The threat actors behind STOP have gone for a flat rate of USD $980 for the decryption keys, with a discounted rate of USD $490 if the victim contacts them within 72 hours of the attack. This tactic is consistent with what has been observed in the past for this ransomware group.

Based on the tactics and techniques used by the malware, the threat actors behind the variant are likely from the Russian region, as the malware explicitly avoids encrypting systems geo-located in or near Russia.

_Figure 1: Quick Snapshot of STOP Ransomware_

## Mitigation

This section provides information that can be used to prevent infection by the STOP ransomware. We have included detections, an IOC list, and YARA rules that can be used to defend against this threat.

### YARA Rule

This YARA rule can be used to detect STOP ransomware.
Download the entire ruleset [here](https://github.com/vithakur/Yara-rules/blob/main/ransomware/win_ransomware_stop.yar).

_Figure 2: YARA Ruleset for STOP Ransomware_

### Detections

The following figure has the information that can be used to create detections for this malware. [Download the entire list here.](https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/detections-memory)

The following strings are from the unpacked malware and can be found in memory during and after the malware has fully executed. They can be used to build detection rules for EDR tools that are able to read process memory and take action on matches.

_Figure 3: Detections_

### IOC List

[Download the entire list here.](https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list)

_Figure 4: IOC list_

## Execution

Once the STOP ransomware executes, it attempts to make a few network connections over the Internet for various purposes: geo-checking, key retrieval, and further infection by downloading additional malware. First, let’s look at the start of the execution of this malware.

_Figure 5: Malware Entry-point_

Upon execution, the malware copies itself to the ‘C:\Users\[username]\AppData\Local\[GUID]’ directory on disk and tries to execute with escalated privileges, as shown in the figures below.

_Figure 6: Malware copies itself to a different location_

_Figure 7: Spawning new process with elevated privileges_

The malware then attempts to connect over the Internet to [https://api.2ip.ua/geo.json](https://api.2ip.ua/geo.json) to verify the victim’s geolocation. This link leads to a Russian site (screenshot below) that provides geolocation services based on public Internet IP addresses, which the malware uses to ascertain the location of its victims.
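As an added example that is not code from the article or its author, the following Python script turns the execution behaviour just described into a detection rule over constructed Sysmon-style telemetry: a process image running from the ‘AppData\Local\[GUID]’ copy location combined with a lookup of api.2ip.ua. The event tuple format, PIDs, user name and paths are constructed, and the braces around the GUID are assumed to be optional.

```python
import re
from collections import defaultdict

# Copy location described in the article: C:\Users\<user>\AppData\Local\<GUID>\<name>.exe
# (braces around the GUID are accepted as optional; that detail is an assumption).
GUID_DIR_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\"
    r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
    r"\\[^\\]+\.exe$",
    re.IGNORECASE,
)
GEO_CHECK_HOST = "api.2ip.ua"  # geolocation service named in the article

# Constructed Sysmon-style telemetry, not from the article: (event, pid, image, detail)
G = r"C:\Users\alice\AppData\Local\{0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b}\setup.exe"
SAMPLE_EVENTS = [
    ("ProcessCreate", 4120, r"C:\Users\alice\Downloads\setup.exe", "IntegrityLevel=Medium"),
    ("ProcessCreate", 4388, G, "ParentPid=4120 IntegrityLevel=High"),
    ("DnsQuery", 4388, G, "QueryName=api.2ip.ua"),
    ("NetworkConnect", 4388, G, "DestinationHostname=api.2ip.ua DestinationPort=443"),
    ("DnsQuery", 5012, r"C:\Program Files\Browser\browser.exe", "QueryName=api.2ip.ua"),
]


def tag_events(events):
    """Collect per-PID behaviour tags from the telemetry."""
    tags = defaultdict(set)
    for event, pid, image, detail in events:
        if event == "ProcessCreate" and GUID_DIR_RE.match(image):
            tags[pid].add("guid_dir_copy")
        if event == "ProcessCreate" and "IntegrityLevel=High" in detail:
            tags[pid].add("elevated")
        if event in ("DnsQuery", "NetworkConnect") and GEO_CHECK_HOST in detail.lower():
            tags[pid].add("geo_check")
    return {pid: sorted(t) for pid, t in tags.items()}


def suspicious_pids(events):
    """PIDs that both run from the GUID directory and perform the geo-check.
    A lone geo-check (e.g. a browser visiting the site) is not enough, which keeps the rule low-noise."""
    needed = {"guid_dir_copy", "geo_check"}
    return sorted(pid for pid, t in tag_events(events).items() if needed <= set(t))


if __name__ == "__main__":
    for pid in suspicious_pids(SAMPLE_EVENTS):
        print(f"PID {pid}: {tag_events(SAMPLE_EVENTS)[pid]}")
```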
The malware has a hard-coded list of country codes that is checked before it continues executing on the victim’s system; it will not encrypt victims within these countries.

_Figure 8: Geo-location service used by the malware_

The site also offers an API-based service, which is what the malware uses to determine the geolocation of victim machines.

_Figure 9: The specific API-based service the malware uses_

The country code list can be seen in the figure below, showing the codes in memory during execution.

_Figure 10: Country codes of locations this malware avoids_

Next, the malware tries to connect to a command and control URI to get the public key for encryption. As we can see in the figure below, it sends a request to this URI with a PID created for the victim.

_Figure 11: URI loaded into the Stack for processing_

_Figure 12: Connection to the C2 for public key_

Once the request is successful, the malware uses the public key with the ID to encrypt the victim's data.

_Figure 13: Public Key for encryption served by the C2_

The malware uses a standard encryption sequence, calling the functions required to encrypt data from start to finish. The complete sequence can be seen in the figure below, in the order of called functions.

_Figure 14: Encryption Sequence of function calls_

## CSP – Cryptography Service Provider

The malware queries the Registry on the victim machine to set the CSP and CSP type. Note that the type shown in the figure below is 'Type 001', which is the 'RSA Full' provider.

_Figure 15: Malware query to Registry for the Type of CSP_

The malware uses the Registry to set the provider type and subsequently the actual provider, which in this case happens to be RSA Full.

### RegOpenKey

_Figure 16: Registry functions used to determine the CSP_

### RegOpenKeyExA

Next, the malware queries the Registry to determine the actual CSP, as can be seen in the figure below.
_Figure 17: The absolute Registry path passing through the Registers_

_Figure 18: The CSP highlighted in the Registry_

_Figure 19: DLL image path to be called for the CSP_

The malware uses the public key obtained from the command and control server to start the encryption process on the victim’s system.

_Figure 20: Second function to be called in the Encryption Sequence_

_Figure 21: Public key loaded_

Once the entire encryption sequence is completed for a directory, the final step is to write a ransom note to that directory with instructions on how to pay the ransom.

_Figure 22: Ransom note 'write' initiated_

The figure below shows the ransom note as strings being pushed onto the Stack before it is written to disk.

_Figure 23: Ransom note loaded into the Stack_

Finally, the ransom note is written as a ‘txt’ file to disk. This process is repeated for every directory in which the malware encrypts data. The figure below shows the newly created ransom note “_readme.txt”.

_Figure 24: Ransom note file written to the current directory_

The ransom note has instructions on how victims can pay to get the decryption key and provides a unique ID that the victim needs to supply to obtain the decryption key for their machine. There is also a link to a demo video showing how the decryption tool works. The note also provides a couple of email addresses for victims to contact the ransomware group if needed.

_Figure 25: Ransom note with instructions on next steps_

This version of the STOP ransomware variant encrypts each file and replaces the file extension with “.shgv”, as seen in the figure below.
_Figure 26: Files successfully encrypted_

## Downloader Module

Aside from performing common ransomware activities, this malware also tries to download and execute other malware:

_Figure 27: Downloaded malware - Vidar Stealer_

[This downloaded PE is a variant of the Vidar malware family.](https://malware.news/t/deep-analysis-of-vidar-stealer/49591) Vidar Stealer is information-stealing malware, mainly distributed via spam mail or cracked versions of commercial software and keygen programs. When installed, it collects data such as infected device information, accounts, and browser history and sends it to a command and control server. The group behind the development or distribution (or both) of STOP ransomware may be working with the group responsible for developing the Vidar malware.

## Conclusion

STOP ransomware has been around for quite some time now; early infections by this ransomware can be traced back to 2019. Compared to some other ransomware families, the execution standard is low, and it’s clear that this ransomware model is affiliation-leaning (working with other malware groups). We were able to link this malware to a different malware, the Vidar Stealer, which has been the case for quite some time.

The encryption is straightforward, with the threat actors not bothering to create their own encryption algorithm or deploying any additional modules other than a downloader for a separate malware. The malware uses the Salsa20 algorithm for encryption and is capable of both online and offline encryption. This ransomware avoids infecting victims in and near Russia.

The ransomware seems to be targeted towards individuals or small businesses at best, as the asking price for the decryption key is not that high. They even offer an ‘early bird’ discount to top it all off.
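As an added example that is not part of the article, the following Python triage script walks a directory tree for the two filesystem artefacts described in the Execution section, the “_readme.txt” note written to each encrypted directory and the “.shgv” extension, and flags directories where the two disagree (a note without encrypted files, or encrypted files without a note), which is where an analyst would look first to judge whether encryption completed. The sample tree it builds under a temporary directory is constructed, not real victim data.

```python
import os
import tempfile

RANSOM_NOTE = "_readme.txt"  # note file name shown in Figure 24
ENCRYPTED_EXT = ".shgv"      # extension shown in Figure 26


def triage_tree(root):
    """Walk a tree and record, per directory, whether the note exists and how many
    files carry the .shgv extension (matched on the trailing extension only)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        note = RANSOM_NOTE in files
        if encrypted or note:
            report[os.path.relpath(dirpath, root)] = {"note": note, "encrypted": len(encrypted)}
    return report


def summarize(report):
    """Totals plus the directories where note presence and encryption disagree."""
    notes = sum(1 for r in report.values() if r["note"])
    files = sum(r["encrypted"] for r in report.values())
    inconsistent = sorted(d for d, r in report.items() if bool(r["encrypted"]) != r["note"])
    return {"dirs_with_note": notes, "encrypted_files": files, "inconsistent_dirs": inconsistent}


def build_sample_tree():
    """Constructed sample tree (not real victim data) so the triage runs offline."""
    root = tempfile.mkdtemp(prefix="stop_triage_")
    layout = {
        "Documents": ["report.docx.shgv", "budget.xlsx.shgv", RANSOM_NOTE],
        "Pictures": ["holiday.jpg.shgv", RANSOM_NOTE],
        os.path.join("Pictures", "raw"): ["img001.cr2"],  # untouched directory
        "Desktop": [RANSOM_NOTE],                         # note written, nothing encrypted
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    for directory, entry in sorted(report.items()):
        print(f"{directory}: {entry}")
    print(summarize(report))
```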
## References

[Deep Analysis of Vidar Stealer - Sojun Ryu](https://medium.com/s2wblog/deep-analysis-of-vidar-stealer-ebfc3b557aed)

[YARA ruleset for STOP Ransomware - Vishal Thakur](https://github.com/vithakur/Yara-rules/blob/main/ransomware/win_ransomware_stop.yar)

[Detections list for STOP Ransomware - Vishal Thakur](https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/detections-memory)

[IOC list of STOP Ransomware - Vishal Thakur](https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list)

_© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice._