win.stop

STOP Ransomware

aka: KeyPass, Djvu

STOP (Djvu) is a ransomware family that encrypts user data with AES-256 and appends one of about a dozen available extensions to the encrypted file's name as a marker. It does not encrypt the entire file, only the first 5 MB. In its original version it could run offline; in that case it used a hard-coded key, which could be extracted to decrypt the files.
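As an added example (not from Malpedia or from any of the reports referenced below), the following Python script turns the partial-encryption behaviour just described into a triage check a responder can run over suspect files: because only the first 5 MB of each file is encrypted, a victim file larger than 5 MB shows ciphertext-like, high-entropy bytes up to the 5 MB mark and ordinary plaintext after it, while a smaller file is encrypted in full. The script samples 64 KB windows on both sides of that boundary, computes Shannon entropy, and labels each file. The window size, the entropy thresholds, the sample file names and their contents are constructed assumptions for the demonstration, not values taken from the page.

```python
import math
import os
import tempfile

# The page states that STOP/Djvu encrypts only the first 5 MB of each file, so
# files larger than that keep a plaintext tail while smaller ones are fully encrypted.
ENCRYPTED_PREFIX_LEN = 5 * 1024 * 1024
WINDOW = 64 * 1024     # bytes sampled per window (assumed; keeps I/O small per file)
HIGH_ENTROPY = 7.5     # bits/byte at or above which a window looks like ciphertext/random (assumed)
LOW_ENTROPY = 7.0      # bits/byte below which a window is treated as plaintext-like (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def profile_file(path: str, prefix_len: int = ENCRYPTED_PREFIX_LEN, window: int = WINDOW) -> dict:
    """Sample three windows: the file start, the end of the prefix region, and the bytes just after it."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(window)
        fh.seek(max(0, min(size, prefix_len) - window))
        before = fh.read(window)
        fh.seek(prefix_len)
        after = fh.read(window)  # empty when the file does not extend past the prefix
    return {
        "size": size,
        "head_entropy": shannon_entropy(head),
        "before_boundary_entropy": shannon_entropy(before),
        "after_boundary_entropy": shannon_entropy(after) if after else None,
    }


def classify(profile: dict) -> str:
    """Map an entropy profile to a triage label."""
    before = profile["before_boundary_entropy"]
    after = profile["after_boundary_entropy"]
    if after is None:
        # Nothing beyond the 5 MB mark: a victim file this small would be encrypted in full,
        # so only whole-file entropy can be reported.
        return "high-entropy-throughout" if before >= HIGH_ENTROPY else "plaintext-like"
    if before >= HIGH_ENTROPY:
        if after < LOW_ENTROPY:
            return "partially-encrypted-prefix"  # ciphertext up to the boundary, plaintext after it
        if after >= HIGH_ENTROPY:
            return "high-entropy-throughout"  # compressed media/archives, or fully encrypted data
        return "inconclusive"  # tail sits between the two thresholds
    return "plaintext-like"


def build_constructed_samples(directory: str) -> dict:
    """Write three constructed files (synthetic data, not real victim files) covering each branch."""
    line = b"Quarterly figures, draft 3. Do not distribute outside finance.\n"
    text = line * 1024  # roughly 64 KB of low-entropy plaintext
    samples = {
        # 5 MB of random bytes standing in for ciphertext, followed by ~1 MB of untouched plaintext
        "partial.bin": os.urandom(ENCRYPTED_PREFIX_LEN) + text * 16,
        # ~6 MB of plaintext, nothing encrypted
        "clean.txt": text * 96,
        # 1 MB of random bytes: a file small enough that STOP would encrypt all of it
        "small.bin": os.urandom(1024 * 1024),
    }
    paths = {}
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths[name] = path
    return paths


def triage_directory(directory: str) -> dict:
    """Classify every regular file directly inside `directory`; returns {filename: label}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = classify(profile_file(path))
    return results


def run_demo() -> dict:
    """Build the constructed samples in a temporary directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for name, label in run_demo().items():
        print(f"{name:12s} {label}")
```

Run it as a script to see the labels for the constructed samples, or call triage_directory() on a folder of suspect files. The "partially-encrypted-prefix" label is the strong signal: a file that is high entropy up to the 5 MB mark and plaintext-like after it matches the behaviour described above. Natively compressed files (archives, JPEG, video) are high entropy throughout and get their own label rather than a false hit, but that also means a partially encrypted file that was itself compressed cannot be separated from an untouched one by entropy alone, so treat "high-entropy-throughout", "inconclusive" and the result for files at or under 5 MB as needing a second check such as file-header validation.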

References

2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} }
Families covered: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos Ransomware, PlugX, Pony, REvil, Socelars, STOP Ransomware, Tinba, TrickBot, WannaCryptor

2020-02-05 | Cybereason | Lior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} }
Families covered: Amadey, Azorult, Predator The Thief, STOP Ransomware, vidar

2019-12-11 | Kaspersky Labs | Kaspersky
@online{kaspersky:20191211:story:d54a08a, author = {Kaspersky}, title = {{Story of the year 2019: Cities under ransomware siege}}, date = {2019-12-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/}, language = {English}, urldate = {2020-01-13} }
Families covered: Scarab Ransomware, STOP Ransomware

2019-11-21 | G Data | Karsten Hahn, Stefan Karpenstein
@online{hahn:20191121:stop:a5c8118, author = {Karsten Hahn and Stefan Karpenstein}, title = {{STOP Ransomware: Finger weg von illegalen Software-Downloads}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads}, language = {English}, urldate = {2020-01-10} }
Families covered: STOP Ransomware

2019-01-15 | Bleeping Computer | Lawrence Abrams
@online{abrams:20190115:djvu:a8b1d06, author = {Lawrence Abrams}, title = {{Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles}}, date = {2019-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/}, language = {English}, urldate = {2019-12-20} }
Families covered: STOP Ransomware

2018-08-13 | Kaspersky Labs | Orkhan Mamedov, Fedor Sinitsyn
@online{mamedov:20180813:keypass:154cf0f, author = {Orkhan Mamedov and Fedor Sinitsyn}, title = {{KeyPass ransomware}}, date = {2018-08-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/keypass-ransomware/87412/}, language = {English}, urldate = {2019-12-20} }
Families covered: STOP Ransomware
Yara Rules
[TLP:WHITE] win_stop_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_stop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c9 eb14 8bce 8d5902 668b01 }
            // n = 5, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   eb14                 | jmp                 0x16
            //   8bce                 | mov                 ecx, esi
            //   8d5902               | lea                 ebx, [ecx + 2]
            //   668b01               | mov                 ax, word ptr [ecx]

        $sequence_1 = { 50 ffd6 85c0 75e8 6a0a ff7304 }
            // n = 6, score = 300
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   75e8                 | jne                 0xffffffea
            //   6a0a                 | push                0xa
            //   ff7304               | push                dword ptr [ebx + 4]

        $sequence_2 = { 85c0 75e8 6a0a ff7304 }
            // n = 4, score = 300
            //   85c0                 | test                eax, eax
            //   75e8                 | jne                 0xffffffea
            //   6a0a                 | push                0xa
            //   ff7304               | push                dword ptr [ebx + 4]

        $sequence_3 = { 03f0 8d047550000000 50 6a40 ff15???????? }
            // n = 5, score = 300
            //   03f0                 | add                 esi, eax
            //   8d047550000000       | lea                 eax, [esi*2 + 0x50]
            //   50                   | push                eax
            //   6a40                 | push                0x40
            //   ff15????????         |                     

        $sequence_4 = { c7463800000000 66894628 837e2408 720b ff7610 e8???????? }
            // n = 6, score = 300
            //   c7463800000000       | mov                 dword ptr [esi + 0x38], 0
            //   66894628             | mov                 word ptr [esi + 0x28], ax
            //   837e2408             | cmp                 dword ptr [esi + 0x24], 8
            //   720b                 | jb                  0xd
            //   ff7610               | push                dword ptr [esi + 0x10]
            //   e8????????           |                     

        $sequence_5 = { 56 8bf1 56 6a00 ff7508 }
            // n = 5, score = 300
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   56                   | push                esi
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_6 = { 83c404 33c0 c7463c07000000 c7463800000000 }
            // n = 4, score = 300
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   c7463c07000000       | mov                 dword ptr [esi + 0x3c], 7
            //   c7463800000000       | mov                 dword ptr [esi + 0x38], 0

        $sequence_7 = { 6aff 6a00 56 8d4c2424 }
            // n = 4, score = 300
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   56                   | push                esi
            //   8d4c2424             | lea                 ecx, [esp + 0x24]

        $sequence_8 = { 57 6a00 8bd9 6a00 6a12 ff33 }
            // n = 6, score = 300
            //   57                   | push                edi
            //   6a00                 | push                0
            //   8bd9                 | mov                 ebx, ecx
            //   6a00                 | push                0
            //   6a12                 | push                0x12
            //   ff33                 | push                dword ptr [ebx]

        $sequence_9 = { 6a00 ff15???????? 33c9 894604 85c0 5e }
            // n = 6, score = 300
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   85c0                 | test                eax, eax
            //   5e                   | pop                 esi

    condition:
        7 of them and filesize < 6029312
}