STOP

Malware

⚠️ Overview

STOP (also known as Djvu) is a ransomware family first observed in December 2017 by security researcher MalwareHunterTeam, operated by a financially motivated threat group possibly linked to the TA505 cluster (though attribution is debated). It belongs to the ransomware category, specifically targeting Windows systems and encrypting files with the .djvu extension while appending a unique victim ID to filenames. According to BleepingComputer and Malwarebytes reports, the ransomware is distributed primarily via malicious email attachments, fake software cracks, and torrent sites.

🔧 Technical Capabilities

STOP ransomware uses a combination of AES-256 and RSA-2048 encryption to lock files, appending extensions such as .djvu, .tro, or .pdf depending on the variant. It establishes persistence by creating scheduled tasks and modifying registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware communicates with hardcoded C2 servers over HTTP to exchange encryption keys and may download additional payloads like the information stealers Vidar or Zepto. Evasion techniques include checking for sandbox environments by detecting debugger processes and virtual machines. A significant feature is its offline encryption mode: when C2 is unreachable, it uses a static embedded key, which allowed security researchers to develop public decryption tools (e.g., Emsisoft's STOP Decryptor). Propagation is limited but can spread through network shares if deployed via botnet loaders.

📜 History & Notable Incidents

The STOP family first appeared in December 2017 and by 2019 had become one of the most prevalent ransomware strains globally, accounting for over 50% of ransomware detections in 2020 according to Malwarebytes. A major campaign in 2020 targeted users seeking cracked software for video games and productivity tools, leading to widespread infections across the US, Europe, and India. No high-profile corporate victims are documented; instead, the ransomware primarily affects individual consumers and small businesses. Law enforcement actions include a 2021 FBI advisory (FBI FLASH MU-000385-MW) warning of STOP ransomware distributed via fake software downloads. No CVEs are directly associated with STOP; it exploits user behavior rather than vulnerabilities.

🔍 Detection Indicators

Known file hashes (SHA256): e.g., 4a2c0d8b3f1e… (varies per sample); Emsisoft provides a repository of hashes. Behavioral indicators include file renames with appended .djvu, creation of ransom notes named _readme.txt, and network traffic to IP addresses on port 8080 or 80 associated with known C2 domains like djvu[.]top. Registry keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wupdate or similar. Mutex names: “Global\ctf_subsystem”. User-Agent strings: “Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko” (commonly spoofed). Network IOCs include domains ending in .top, .xyz, or .club registered via Namecheap.
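As an added example (not from the reports cited above), the behavioral indicators in this section can be combined into a simple per-process correlation rule: a process that writes several files with the encrypted extension and also drops _readme.txt or sets a Run-key value is far more suspicious than any single event. The telemetry format and the events below are constructed and simplified, not real Sysmon output.

```python
import re
from collections import defaultdict

# Constructed, simplified endpoint telemetry: ts|event|pid|image|target (not real Sysmon output)
SAMPLE_EVENTS = r"""
12:00:01|FileCreate|4120|C:\Users\Alice\AppData\Local\a1b2\build.exe|C:\Users\Alice\Documents\report.docx.djvu
12:00:01|FileRename|4120|C:\Users\Alice\AppData\Local\a1b2\build.exe|C:\Users\Alice\Documents\budget.xlsx.djvu
12:00:02|FileCreate|4120|C:\Users\Alice\AppData\Local\a1b2\build.exe|C:\Users\Alice\Documents\_readme.txt
12:00:03|RegSetValue|4120|C:\Users\Alice\AppData\Local\a1b2\build.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wupdate
12:00:05|FileCreate|812|C:\Windows\explorer.exe|C:\Users\Alice\Downloads\notes.txt
""".strip()

# Indicators from the profile above; the .pdf variant extension is left out because it is far too noisy alone
ENCRYPTED_EXT = re.compile(r"\.(djvu|tro)$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"\\_readme\.txt$", re.IGNORECASE)
RUN_KEY = re.compile(r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def scan_events(text, min_encrypted=2):
    """Group indicators per PID and flag a process that produced at least
    min_encrypted encrypted-looking files plus a ransom note or Run-key persistence."""
    hits = defaultdict(lambda: {"image": None, "encrypted": 0, "note": 0, "runkey": 0})
    for line in text.splitlines():
        ts, event, pid, image, target = line.split("|", 4)
        h = hits[pid]
        h["image"] = image
        if event in ("FileCreate", "FileRename") and ENCRYPTED_EXT.search(target):
            h["encrypted"] += 1          # encrypted output appears as a create or rename
        elif event == "FileCreate" and RANSOM_NOTE.search(target):
            h["note"] += 1               # _readme.txt dropped next to the encrypted files
        elif event == "RegSetValue" and RUN_KEY.match(target):
            h["runkey"] += 1             # persistence via HKCU/HKLM ...\CurrentVersion\Run
    return {pid: h for pid, h in hits.items()
            if h["encrypted"] >= min_encrypted and (h["note"] or h["runkey"])}


if __name__ == "__main__":
    for pid, h in scan_events(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({h['image']}): {h['encrypted']} encrypted files, "
              f"note={h['note']}, runkey={h['runkey']}")
```

Only the build.exe process (PID 4120) is flagged; explorer.exe writing an ordinary .txt file never reaches the threshold.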

☠️ Risk & Impact

STOP ransomware causes permanent file encryption if victims lack backups, with ransom demands typically ranging from $490 to $1,200 in Bitcoin (according to Trend Micro). The primary damage is data loss and extortion; no data exfiltration is reported, but secondary infections like Vidar stealer may harvest credentials and cryptocurrency wallets. Affected sectors overwhelmingly comprise individual users and small businesses, with geographic concentration in the US, India, the Philippines, and Brazil (per Microsoft’s 2021 Defender report). Financial losses are difficult to quantify but are estimated in the tens of millions USD globally due to ransom payments and recovery costs.

🛡️ Mitigation

Defense includes maintaining offline backups, avoiding cracked software, and using antimalware solutions that detect STOP via behavioral rules (e.g., Microsoft Defender detects it as Ransom:Win32/Stop.A!ml). Organizations can deploy custom YARA rules from the Emsisoft decryptor GitHub repository (github.com/emsisoft/stop-decryptor) and block outbound traffic to known C2 domains. For infections by older variants (pre-2022) that encrypted files with the offline key, the free Emsisoft STOP Decryptor v2.0 can restore files without payment, as documented in their official advisory.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.