STOP/DJVU ransomware has been with us since 2019. New versions are released periodically, but they usually focus on adding new extensions for encrypted files. Almost 200 different encryption extensions were observed in the wild through 2019 alone.
This ransomware contains a lot of unused code, probably inserted to slow malware analysis by wasting the time of anyone attempting to reverse engineer it.
It also uses the Process Hollowing injection technique to execute the main payload: it creates a new instance of itself as a suspended process, writes the main payload into it, and then resumes the process’s main thread.
Figure 1 – Suspended Process
Before executing, the ransomware checks the victim’s country code by performing a GET request to https[:]//api.2ip.ua/geo.json and comparing the “country_code” element to the list of countries where it won’t detonate. The list contains the following countries:
- RU – Russia
- BY – Belarus
- UA – Ukraine
- AZ – Azerbaijan
- AM – Armenia
- TJ – Tajikistan
- KZ – Kazakhstan
- KG – Kyrgyzstan
- UZ – Uzbekistan
- SY – Syria
STOP/DJVU ransomware accepts the following arguments: “--Admin”, “--Task”, “--AutoStart”, “--ForNetRes”, and “--Service”:
Figure 2 – Arguments check
The ransomware uses two persistence mechanisms:
- Adding a “SysHelper” registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
Figure 3 – Created Registry Key
- Creating a “Time Trigger Task” scheduled task.
Figure 4 – Created Task
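The behaviours described so far (the geo lookup, the command-line arguments, the Run key and the scheduled task) can be correlated per host rather than alerted on one by one. The following is an added example, not code from the original analysis; the event schema, host names and sample events are constructed, and the arguments are assumed to be passed with a leading double hyphen.

```python
import re

# Indicators taken from the analysis above; the event schema is hypothetical.
GEO_HOST = "api.2ip.ua"
RUN_VALUE = r"\software\microsoft\windows\currentversion\run\syshelper"
TASK_NAME = "time trigger task"
# Arguments are matched as whole tokens with a leading double hyphen (assumed form).
ARGS = re.compile(r"(?<!\S)--(admin|task|autostart|fornetres|service)(?!\S)", re.I)

def classify(event):
    """Return the name of the indicator an event matches, or None."""
    kind = event.get("type")
    if kind == "dns" and event.get("query", "").lower().rstrip(".") == GEO_HOST:
        return "geo_lookup"
    if kind == "registry_set" and event.get("target", "").lower().endswith(RUN_VALUE):
        return "run_key"
    if kind == "task_created" and event.get("task", "").strip("\\").lower() == TASK_NAME:
        return "scheduled_task"
    if kind == "process_create" and ARGS.search(event.get("cmdline", "")):
        return "cli_argument"
    return None

def triage(events, threshold=2):
    """Map host -> sorted indicator names, for hosts with >= threshold distinct hits.

    A single hit is weak evidence: the geo service is a public API and
    "--service" is a common argument, so indicators are correlated per host.
    """
    hits = {}
    for ev in events:
        name = classify(ev)
        if name:
            hits.setdefault(ev.get("host", "unknown"), set()).add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= threshold}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "dns", "query": "api.2ip.ua"},
    {"host": "WS-01", "type": "registry_set",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper"},
    {"host": "WS-01", "type": "task_created", "task": r"\Time Trigger Task"},
    {"host": "WS-01", "type": "process_create", "cmdline": r"C:\Temp\sample.exe --Admin"},
    {"host": "WS-02", "type": "process_create", "cmdline": r"C:\Agent\agent.exe --service"},
    {"host": "WS-03", "type": "dns", "query": "api.2ip.ua."},
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
```

With the default threshold only WS-01 is reported; WS-02 and WS-03 each show a single indicator that also occurs in benign software.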
The STOP/DJVU ransomware is also known for dropping other malware, most commonly the Ursnif banking trojan and the Vidar stealer. Our case is no different. The ransomware sample we had downloads two malware files using the InternetReadFile API function and saves them to a newly created folder under “C:\Users\Username\Appdata\Local”. It then executes them using the ShellExecuteA API function. The malware download paths are hxxp[:]//rgyui[.]top/dl/build2.exe and hxxp[:]//acacaca[.]org/files/1/build3.exe.
The ransomware has a list of files, extensions, and directories to be skipped by the encryptor:
- Files: ntuser.dat, ntuser.dat.LOG1, ntuser.dat.LOG2, ntuser.pol
- Extensions: .sys, .ini, .DLL, .dll, .blf, .bat, .lnk, .regtrans-ms
- Directories: C:\SystemID\, C:\Users\Default User\, C:\Users\Public\, C:\Users\All Users\, C:\Users\Default\, C:\Documents and Settings\, C:\ProgramData\, C:\Recovery\, C:\System Volume Information\, C:\Users\%username%\AppData\Roaming\, C:\Users\%username%\AppData\Local\, C:\Windows\, C:\PerfLogs\, C:\ProgramData\Microsoft\, C:\ProgramData\Package Cache\, C:\Users\Public\, C:\$Recycle.Bin\, C:\$WINDOWS.~BT\, C:\dell\, C:\Intel\, C:\MSOCache\, C:\Program Files\, C:\Program Files (x86)\, C:\Games\, C:\Windows.old\, D:\Users\%username%\AppData\Roaming\, D:\Users\%username%\AppData\Local\, D:\Windows\, D:\PerfLogs\, D:\ProgramData\Desktop\, D:\ProgramData\Microsoft\, D:\ProgramData\Package Cache\, D:\Users\Public\, D:\$Recycle.Bin\, D:\$WINDOWS.~BT\, D:\dell\, D:\Intel\, D:\MSOCache\, D:\Program Files\, D:\Program Files (x86)\, D:\Games\, E:\Users\%username%\AppData\Roaming\, E:\Users\%username%\AppData\Local\, E:\Windows\, E:\PerfLogs\, E:\ProgramData\Desktop\, E:\ProgramData\Microsoft\, E:\ProgramData\Package Cache\, E:\Users\Public\, E:\$Recycle.Bin\, E:\$WINDOWS.~BT\, E:\dell\, E:\Intel\, E:\MSOCache\, E:\Program Files\, E:\Program Files (x86)\, E:\Games\, F:\Users\%username%\AppData\Roaming\, F:\Users\%username%\AppData\Local\, F:\Windows\, F:\PerfLogs\, F:\ProgramData\Desktop\, F:\ProgramData\Microsoft\, F:\Users\Public\, F:\$Recycle.Bin\, F:\$WINDOWS.~BT\, F:\dell\, F:\Intel\
In line with other ransomware nowadays, STOP/DJVU creates a readme.txt file containing a ransom note.
Minerva’s Ransomware Protection solution prevents the injection of the main payload into the newly created process, which stops the ransomware from executing:
Figure 5 – Prevention
Demonstration of Minerva preventing STOP/DJVU Ransomware