SYMBOLCOMMON_NAMEaka. SYNONYMS
win.stop (Back to overview)

STOP

aka: KeyPass, Djvu

STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.

References
2023-05-26ZAYOTEMEmirhan KESKİN
@online{keskin:20230526:stop:4b93bad, author = {Emirhan KESKİN}, title = {{Stop Ransomware}}, date = {2023-05-26}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view}, language = {English}, urldate = {2023-05-30} } Stop Ransomware
STOP
2022-09-29Team CymruS2 Research Team
@online{team:20220929:seychelles:2d1a3c1, author = {S2 Research Team}, title = {{Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.}}, date = {2022-09-29}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore}, language = {English}, urldate = {2022-10-10} } Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-04-01Bleeping ComputerLawrence Abrams
@online{abrams:20220401:week:14d9669, author = {Lawrence Abrams}, title = {{The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'}}, date = {2022-04-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/}, language = {English}, urldate = {2022-04-05} } The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'
Hive Dharma LockBit STOP SunCrypt
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-01-19GdataKarsten Hahn
@online{hahn:20220119:malware:293c00c, author = {Karsten Hahn}, title = {{Malware vaccines can prevent pandemics, yet are rarely used}}, date = {2022-01-19}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2022/01/malware-vaccines}, language = {English}, urldate = {2023-03-24} } Malware vaccines can prevent pandemics, yet are rarely used
Emotet STOP
2021-12-22AnkuraVishal Thakur
@online{thakur:20211222:stop:8b85742, author = {Vishal Thakur}, title = {{The ‘STOP’ Ransomware Variant}}, date = {2021-12-22}, organization = {Ankura}, url = {https://angle.ankura.com/post/102het9/the-stop-ransomware-variant}, language = {English}, urldate = {2021-12-23} } The ‘STOP’ Ransomware Variant
STOP
2021-12-20Vishal Thakur
@online{thakur:20211220:defendagainst:2c3f9a6, author = {Vishal Thakur}, title = {{DefendAgainst: Ransomware ‘STOP’/DJVU}}, date = {2021-12-20}, url = {https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b}, language = {English}, urldate = {2021-12-31} } DefendAgainst: Ransomware ‘STOP’/DJVU
STOP
2021-12-20Github (vithakur)Vishal Thakur
@online{thakur:20211220:stopdjvu:5693b43, author = {Vishal Thakur}, title = {{STOP/DJVU Ransomware IOC List}}, date = {2021-12-20}, organization = {Github (vithakur)}, url = {https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list}, language = {English}, urldate = {2021-12-31} } STOP/DJVU Ransomware IOC List
STOP
2021-10-31CYBER GEEKS All Things InfosecCyberMasterV
@online{cybermasterv:20211031:detailed:290dacf, author = {CyberMasterV}, title = {{A detailed analysis of the STOP/Djvu Ransomware}}, date = {2021-10-31}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/}, language = {English}, urldate = {2021-11-08} } A detailed analysis of the STOP/Djvu Ransomware
STOP
2021-06-21cyblecybleinc
@online{cybleinc:20210621:djvu:7e58962, author = {cybleinc}, title = {{DJVU Malware of STOP Ransomware Family Back with New Variant}}, date = {2021-06-21}, organization = {cyble}, url = {https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/}, language = {English}, urldate = {2021-06-24} } DJVU Malware of STOP Ransomware Family Back with New Variant
STOP
2021-01-18Medium csis-techblogBenoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-02-05CybereasonLior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-12-11Kaspersky LabsKaspersky
@online{kaspersky:20191211:story:d54a08a, author = {Kaspersky}, title = {{Story of the year 2019: Cities under ransomware siege}}, date = {2019-12-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/}, language = {English}, urldate = {2020-01-13} } Story of the year 2019: Cities under ransomware siege
Scarab Ransomware STOP
2019-11-21G DataKarsten Hahn, Stefan Karpenstein
@online{hahn:20191121:stop:a5c8118, author = {Karsten Hahn and Stefan Karpenstein}, title = {{STOP Ransomware: Finger weg von illegalen Software-Downloads}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads}, language = {English}, urldate = {2020-01-10} } STOP Ransomware: Finger weg von illegalen Software-Downloads
STOP
2019-01-15Bleeping ComputerLawrence Abrams
@online{abrams:20190115:djvu:a8b1d06, author = {Lawrence Abrams}, title = {{Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles}}, date = {2019-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/}, language = {English}, urldate = {2019-12-20} } Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles
STOP
2018-08-13Kaspersky LabsOrkhan Mamedov, Fedor Sinitsyn
@online{mamedov:20180813:keypass:154cf0f, author = {Orkhan Mamedov and Fedor Sinitsyn}, title = {{KeyPass ransomware}}, date = {2018-08-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/keypass-ransomware/87412/}, language = {English}, urldate = {2019-12-20} } KeyPass ransomware
STOP
Yara Rules
[TLP:WHITE] win_stop_auto (20230808 | Detects win.stop.)
rule win_stop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.stop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 8d45e0 50 ffd6 85c0 75e2 6a64 }
            // n = 7, score = 600
            //   6a00                 | push                0
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   75e2                 | jne                 0xffffffe4
            //   6a64                 | push                0x64

        $sequence_1 = { ffd0 5d c3 8b0d???????? 33d2 85c9 }
            // n = 6, score = 600
            //   ffd0                 | call                eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b0d????????         |                     
            //   33d2                 | xor                 edx, edx
            //   85c9                 | test                ecx, ecx

        $sequence_2 = { 57 6a00 8bd9 6a00 6a12 ff33 }
            // n = 6, score = 600
            //   57                   | push                edi
            //   6a00                 | push                0
            //   8bd9                 | mov                 ebx, ecx
            //   6a00                 | push                0
            //   6a12                 | push                0x12
            //   ff33                 | push                dword ptr [ebx]

        $sequence_3 = { 56 57 6a00 8bd9 6a00 6a12 }
            // n = 6, score = 600
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a00                 | push                0
            //   8bd9                 | mov                 ebx, ecx
            //   6a00                 | push                0
            //   6a12                 | push                0x12

        $sequence_4 = { ff750c ff7508 ffd0 5d c3 8b0d???????? }
            // n = 6, score = 600
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b0d????????         |                     

        $sequence_5 = { ff15???????? 50 e8???????? c745fc00000000 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_6 = { 75e2 6a64 ff15???????? ffd3 }
            // n = 4, score = 600
            //   75e2                 | jne                 0xffffffe4
            //   6a64                 | push                0x64
            //   ff15????????         |                     
            //   ffd3                 | call                ebx

        $sequence_7 = { 68???????? 6a00 6a00 ff15???????? 33c9 894604 85c0 }
            // n = 7, score = 600
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   85c0                 | test                eax, eax

        $sequence_8 = { 6a00 ff15???????? 33c9 894604 }
            // n = 4, score = 600
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_9 = { 6a00 ff15???????? 33c9 894604 85c0 5e 0f95c1 }
            // n = 7, score = 600
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   85c0                 | test                eax, eax
            //   5e                   | pop                 esi
            //   0f95c1               | setne               cl

    condition:
        7 of them and filesize < 6029312
}
Download all Yara Rules