DefendAgainst: Ransomware ‘STOP’/DJVU
By Vishal Thakur
Published: 2021-12-23 · Archived: 2026-04-05 20:28:17 UTC
aka DJVU
Originally published here.
In recent weeks, we have observed a spike in infections involving the STOP ransomware variant. STOP is also
known as DJVU by other vendors in the industry. In this article, we’ve looked at the latest version circulating in
the wild. We will look at some of the main characteristics of this malware variant, along with detections that can
be used to prevent infection and IOCs that we were able to extract during analysis.
Introduction
The STOP ransomware has been around for some time, dating back to 2019. The latest version has been found to
be distributed broadly in the past few weeks. Like the ones in the past, this variant is a portable executable that
uses a public key to encrypt data on the victim’s machine and drops a ransom note in folder directories as it goes
through the entire file system encrypting files using the Salsa20 encryption algorithm. The threat actors behind
STOP have gone for a flat rate of USD 980 to provide the decryption keys to victims and have also offered a
‘discounted’ rate of USD 490 if the victims contact them within 72 hours of the attack occurring. This tactic is
consistent with what has been observed in the past for this ransomware group.
Based on the tactics and techniques used by the malware, it indicates that the threat actors behind it are likely from
the Russian region. The malware avoids encryption explicitly on systems geo-located in or near Russia.
Press enter or click to view image in full size
Figure 1: Quick Snapshot of STOP Ransomware
Mitigation
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 1 of 12

This section provides information that can be used to prevent infection by the STOP ransomware. We have
included detections, IOC list and YARA Rules that can be used to defend against this threat.
YARA Rule
This YARA Rule can be used to detect STOP Ransomware. Download the entire ruleset here.
Figure 2: YARA Ruleset for STOP Ransomware
Detections
The following figure has the information that can be used to create detections for this malware. Download the
entire list here.
Get Vishal Thakur’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
The following strings are from the unpacked malware, and these can be found in memory during and after the
malware has been fully executed. This information can be used to create detections for EDR tools that can access
and read memory and take actions based on detection rules applied.
Press enter or click to view image in full size
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 2 of 12

Figure 3: Detections
IOC List
Download the entire list here.
Press enter or click to view image in full size
Figure 4: IOC list
Execution
Once the STOP ransomware executes, it attempts to make a few network connections over the Internet for various
purposes, such as; geo-checking, key retrieval, and further infection by downloading different malware. First, let’s
look at the start of the execution of this malware.
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 3 of 12

Figure 5: Malware Entry-point
Upon execution, the malware copies itself to the
‘C:\Users\[username]\AppData\Local\[GUID]’ directory on disk and tries to execute with escalated privileges, as
shown in the figures below.
Figure 6: Malware copies itself to a different location
Press enter or click to view image in full size
Figure 7: Spawning new process with elevated privileges
The malware then attempts to connect over the Internet to “https://api.2ip.ua/geo.json” to verify the victim’s
geolocation. This link leads to a Russian site (screenshot below) that provides geolocation services based on
public Internet IP addresses which the malware uses to ascertain the location of its victims. The malware has a
hard-coded country codes list that is checked before it continues executing on the victim’s system and will avoid
encrypting victims within these countries.
Press enter or click to view image in full size
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 4 of 12

Figure 8: Geo-location service used by the malware
The site also offers an API-based service that the malware uses to determine the geolocation of the victim
machines.
Press enter or click to view image in full size
Figure 9: The specific API-based service the malware uses
The country code list can be seen in the figure below, showing the codes in memory during execution.
Figure 10: Country codes of locations this malware avoids
Next, the malware tries to connect to a command and control URI to get the public key for encryption. As we can
see in the figure below, it sends a request to this URI with a PID created for the victim.
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 5 of 12

Figure 11: URI loaded into the stack for processing
Press enter or click to view image in full size
Figure 12: Connection to the C2 for public key
Once the request is successful, the malware uses the public key with the ID to encrypt the victim’s data.
Press enter or click to view image in full size
Figure 13: Public Key for encryption served by the C2
The malware uses a standard encryption sequence, calling in the functions required to encrypt data from start to
finish. The complete sequence can be seen in the figure below, in the order of called functions.
Press enter or click to view image in full size
Figure 14: Encryption Sequence of function calls
CSP — Cryptography Service Provider
The malware queries the Registry on the victim machine to set the CSP and CSP type. Note that type shown in the
figure below is ‘Type 001’ which is the ‘RSA Full’ provider.
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 6 of 12

Press enter or click to view image in full size
Figure 15: Malware query to Registry for the Type of CSP
The malware uses the Registry to set the provider type and subsequently the actual provider, which in this case
happens to be RSA Full.
RegOpenKey
Press enter or click to view image in full size
Figure 16: Registry functions used to determine the CSP
RegOpenKeyExA
Next, the malware queries the Registry to determine the actual CSP as can be seen in the figure below.
Press enter or click to view image in full size
Figure 17: The absolute Registry path passing through the Registers
Figure 18: The CSP highlighted in the Registry
Figure 19: DLL image path to be called for the CSP
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 7 of 12

The malware uses the public key obtained from the command and control server to start the process of encryption
on the victim’s system.
Figure 20: Second function to be called in the Encryption Sequence
Press enter or click to view image in full size
Figure 21: Public key loaded
Once the entire encryption sequence is completed for a directory, the final step is to write a ransom note to the
directory with instructions on how to pay the ransom.
Figure 22: Ransom note ‘write’ initiated
The figure below shows the ransom note as strings being passed onto the stack before it is written to the disk.
Press enter or click to view image in full size
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 8 of 12

Figure 23: Ransom note loaded into the Stack
Finally, the ransom note is written as a ‘txt’ file to the disk. This process is repeated for all directories in which the
malware encrypts data. The figure below shows the newly created ransom note “_readme.txt”.
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 9 of 12

Figure 24: Ransom note file written to the current directory
The ransom note has the instructions on how the victims can pay to get the decryption key and provides a unique
ID that the victim needs to use to get the decryption key for their machine. There is also a link to a demo video
showing how the decryption tool works. The note also provides a couple of email addresses for the victims to
contact the ransomware group if needed.
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 10 of 12

Press enter or click to view image in full size
Figure 25: Ransom note with instructions on next steps
This version of the STOP ransomware variant encrypts the file and replaces the file-extensions to “.shgv”, as seen
in the figure below.
Figure 26: Files successfully encrypted
Downloader Module
Aside from performing common ransomware activities, this malware also tries to download and execute other
malware:
Press enter or click to view image in full size
Figure 27: Downloaded malware — Vidar Stealer
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 11 of 12

This downloaded PE is a variant of the Vidar malware family.
Vidar Stealer is malware designed to steal information, mainly distributed as spam mail or cracked versions of
commercial software and keygen programs. When installed, data such as infected device information, account,
and history recorded in the browser is collected and sent to a command and control server.
The group behind the development or distribution (or both) of STOP ransomware may be working with the group
responsible for developing the Vidar malware.
Conclusion
STOP ransomware has been around for quite some time now. Early occurrences of infections by this ransomware
can be traced back to 2019.
Compared to some other ransomware families, the execution standard is low and it’s clear that this ransomware
model is affiliation-leaning (working with other malware groups). We were able to link this malware to a different
malware, the Vidar Stealer, which has been the case for quite some time.
The encryption is straightforward, with the threat actors not bothering to create their encryption algorithm or
deploying any additional modules other than a downloader for a separate malware. The malware uses the Salsa20
algorithm for encryption. It is capable of both online and offline encryption.
This ransomware avoids infecting victims in and near Russia.
The ransomware seems to be targeted towards individuals or small businesses at best, as the asking price for the
decryption key is not that high. They even offer an ‘early bird’ discount to top it all off.
References
Deep Analysis of Vidar Stealer — Sojun Ryu
YAYA ruleset for STOP Ransomware — Vishal Thakur
Detections list for STOP Ransomware — Vishal Thakur
IOC list of STOP Ransomware — Vishal Thakur
Intezer Analysis
Source: https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b
Page 12 of 12