{
	"id": "2a2b5589-2ac8-4568-b854-0514a14f8e6a",
	"created_at": "2026-04-06T00:07:41.938319Z",
	"updated_at": "2026-04-10T03:20:54.200841Z",
	"deleted_at": null,
	"sha1_hash": "dd764285c402c19f9cffede9a011f9d656efd0a0",
	"title": "The ‘STOP’ Ransomware Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2547830,
	"plain_text": "The ‘STOP’ Ransomware Variant\r\nBy Ankura Consulting\r\nArchived: 2026-04-05 16:03:22 UTC\r\nIn recent weeks, we have observed a spike in infections involving the STOP ransomware variant. STOP is also\r\nknown as DJVU by other vendors in the industry. In this article, we’ve looked at the latest version circulating in\r\nthe wild. We will look at some of the main characteristics of this malware variant, along with detections that can\r\nbe used to prevent infection and IOCs that we were able to extract during analysis.\r\nThe STOP ransomware has been around for some time, dating back to 2019. The latest version has been found to\r\nbe distributed broadly in the past few weeks. Like the ones in the past, this variant is a portable executable that\r\nuses a public key to encrypt data on the victim’s machine and drops a ransom note in folder directories as it goes\r\nthrough the entire file system encrypting files using the Salsa20 encryption algorithm. The threat actors behind\r\nSTOP have gone for a flat rate of USD $980 to provide the decryption keys to victims and have also offered a\r\n‘discounted’ rate of USD $490 if the victims contact them within 72 hours of the attack occurring. This tactic is\r\nconsistent with what has been observed in the past for this ransomware group.\r\nBased on the tactics and techniques used by the malware, the threat actors behind the variant are likely from the\r\nRussian region, as the malware explicitly avoids encrypting systems geo-located in or near Russia.\r\nFigure 1: Quick Snapshot of STOP Ransomware\r\nMitigation\r\nThis section provides information that can be used to prevent infection by the STOP ransomware. We have\r\nincluded detections, an IOC list, and YARA rules that can be used to defend against this threat.\r\nYARA Rule\r\nThis YARA rule can be used to detect STOP Ransomware. Download the entire ruleset here.\r\nhttps://angle.ankura.com/post/102het9/the-stop-ransomware-variant\r\nPage 1 of 11\r\nFigure 2: YARA Ruleset for STOP Ransomware\r\nDetections\r\nThe following figure has the information that can be used to create detections for this malware. Download the\r\nentire list here.\r\nThe following strings are from the unpacked malware, and these can be found in memory during and after the\r\nmalware has been fully executed. This information can be used to create detections for EDR tools that can access\r\nand read memory and take actions based on the detection rules applied.\r\nFigure 3: Detections\r\nIOC List\r\nDownload the entire list here.\r\nFigure 4: IOC list\r\nExecution\r\nOnce the STOP ransomware executes, it attempts to make a few network connections over the Internet for various\r\npurposes, such as geo-checking, key retrieval, and further infection by downloading different malware. First, let’s\r\nlook at the start of the execution of this malware.\r\nFigure 5: Malware Entry-point\r\nUpon execution, the malware copies itself to the ‘C:\\Users\\[username]\\AppData\\Local\\[GUID]’ directory on disk and\r\ntries to execute with escalated privileges, as shown in the figures below.\r\nFigure 6: Malware copies itself to a different location\r\nFigure 7: Spawning new process with elevated privileges\r\nThe malware then attempts to connect over the Internet to “https://api.2ip.ua/geo.json” to verify the victim’s\r\ngeolocation. This link leads to a Russian site (screenshot below) that provides geolocation services based on\r\npublic Internet IP addresses, which the malware uses to ascertain the location of its victims. The malware has a\r\nhard-coded country code list that is checked before it continues executing on the victim’s system, and it will avoid\r\nencrypting victims within these countries.\r\nFigure 8: Geo-location service used by the malware\r\nThe site also offers an API-based service that the malware uses to determine the geolocation of the victim\r\nmachines.\r\nFigure 9: The specific API-based service the malware uses\r\nThe country code list can be seen in the figure below, showing the codes in memory during execution.\r\nFigure 10: Country codes of locations this malware avoids\r\nNext, the malware tries to connect to a command and control URI to get the public key for encryption. As we can\r\nsee in the figure below, it sends a request to this URI with a PID created for the victim.\r\nFigure 11: URI loaded into the Stack for processing\r\nFigure 12: Connection to the C2 for public key\r\nOnce the request is successful, the malware uses the public key with the ID to encrypt the victim’s data.\r\nFigure 13: Public Key for encryption served by the C2\r\nThe malware uses a standard encryption sequence, calling in the functions required to encrypt data from start to\r\nfinish. The complete sequence can be seen in the figure below, in the order of called functions.\r\nFigure 14: Encryption Sequence of function calls\r\nCSP – Cryptographic Service Provider\r\nThe malware queries the Registry on the victim machine to set the CSP and CSP type. Note that the type shown in the\r\nfigure below is ‘Type 001’, which is the ‘RSA Full’ provider.\r\nFigure 15: Malware query to Registry for the Type of CSP\r\nThe malware uses the Registry to set the provider type and subsequently the actual provider, which in this case\r\nhappens to be RSA Full.\r\nRegOpenKey\r\nFigure 16: Registry functions used to determine the CSP\r\nRegOpenKeyExA\r\nNext, the malware queries the Registry to determine the actual CSP, as can be seen in the figure below.\r\nFigure 17: The absolute Registry path passing through the Registers\r\nFigure 18: The CSP highlighted in the Registry\r\nFigure 19: DLL image path to be called for the CSP\r\nThe malware uses the public key obtained from the command and control server to start the process of encryption\r\non the victim’s system.\r\nFigure 20: Second function to be called in the Encryption Sequence\r\nFigure 21: Public key loaded\r\nOnce the entire encryption sequence is completed for a directory, the final step is to write a ransom note to the\r\ndirectory with instructions on how to pay the ransom.\r\nFigure 22: Ransom note ‘write’ initiated\r\nThe figure below shows the ransom note as strings being passed onto the Stack before it is written to the disk.\r\nFigure 23: Ransom note loaded into the Stack\r\nFinally, the ransom note is written as a ‘txt’ file to the disk. This process is repeated for all directories in which the\r\nmalware encrypts data. The figure below shows the newly created ransom note “_readme.txt”.\r\nFigure 24: Ransom note file written to the current directory\r\nThe ransom note has the instructions on how the victims can pay to get the decryption key and provides a unique\r\nID that the victim needs to use to get the decryption key for their machine. There is also a link to a demo video\r\nshowing how the decryption tool works. The note also provides a couple of email addresses for the victims to\r\ncontact the ransomware group if needed.\r\nFigure 25: Ransom note with instructions on next steps\r\nThis version of the STOP ransomware variant encrypts each file and changes the file extension to “.shgv”, as seen\r\nin the figure below.\r\nFigure 26: Files successfully encrypted\r\nDownloader Module\r\nFigure 27: Downloaded malware – Vidar Stealer\r\nThis downloaded PE is a variant of the Vidar malware family.\r\nVidar Stealer is malware designed to steal information, mainly distributed as spam mail or cracked versions of\r\ncommercial software and keygen programs. When installed, data such as infected device information, account\r\ndetails, and browser history is collected and sent to a command and control server.\r\nThe group behind the development or distribution (or both) of STOP ransomware may be working with the group\r\nresponsible for developing the Vidar malware.\r\nConclusion\r\nSTOP ransomware has been around for quite some time now. Early occurrences of infections by this ransomware\r\ncan be traced back to 2019.\r\nCompared to some other ransomware families, the execution standard is low, and it’s clear that this ransomware\r\nmodel is affiliation-leaning (working with other malware groups). We were able to link this malware to a different\r\nmalware, the Vidar Stealer, a link that has existed for quite some time.\r\nThe encryption is straightforward, with the threat actors not bothering to create their own encryption algorithm or\r\ndeploy any additional modules other than a downloader for a separate malware. The malware uses the Salsa20\r\nalgorithm for encryption. It is capable of both online and offline encryption.\r\nThis ransomware avoids infecting victims in and near Russia.\r\nThe ransomware seems to be targeted towards individuals or small businesses at best, as the asking price for the\r\ndecryption key is not that high. They even offer an ‘early bird’ discount to top it all off.\r\nDeep Analysis of Vidar Stealer – Sojun Ryu\r\nYARA ruleset for STOP Ransomware – Vishal Thakur\r\nDetections list for STOP Ransomware – Vishal Thakur\r\nIOC list of STOP Ransomware – Vishal Thakur\r\n© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura\r\nConsulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a\r\nlaw firm and cannot provide legal advice.\r\nSource: https://angle.ankura.com/post/102het9/the-stop-ransomware-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://angle.ankura.com/post/102het9/the-stop-ransomware-variant"
	],
	"report_names": [
		"the-stop-ransomware-variant"
	],
	"threat_actors": [],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd764285c402c19f9cffede9a011f9d656efd0a0.pdf",
		"text": "https://archive.orkl.eu/dd764285c402c19f9cffede9a011f9d656efd0a0.txt",
		"img": "https://archive.orkl.eu/dd764285c402c19f9cffede9a011f9d656efd0a0.jpg"
	}
}