An infamous STOP/Djvu ransomware adopted a new spreading tactic. According to the report of Avast Threat Labs, a malware intelligence group, ransomware distributors opted for Discord as a place to spread their malware.
STOP/Djvu spreads in Discord, features RedStealer
According to the latest notifications, STOP/Djvu ransomware is getting spread through the malicious spam messages in Discord. Users who pretend to send something useful and want to share a 7zip file with malware. It is ciphered, but the password is very simple – 1234. That is a pretty typical action when users share something on social networks. However, inside this package, there is an executable file of Djvu malware – probably the .vveo and .vvew variants. The threat landscape touches users from Argentina, Vietnam, Turkey, and Brazil.
New campaign spreading on Discord, distributing STOP ransomware and RedLine stealer. The file is shared as an encrypted 7zip attachment. The malware is further protected by AceCrypter and has an embedded (invalid) AVG certificate.
— Avast Threat Labs (@AvastThreatLabs) August 2, 2022
The exact file is additionally disguised – to lull the vigilance and avoid the detection of some basic anti-malware tools. It has an invalid AVG certificate embedded and AceCrypter protection, making it possible to pass the certificate-based check-ups. Such a tactic is pretty new for STOP/Djvu ransomware. Earlier, they were masking their malware by a specific repacking that required special database signatures to counteract. Is the certificate just an experimental feature or a new approach – only crooks know?
Spreading model is also worth a separate note. Before, the Djvu gang was reportedly creating fake one-day sites with torrent downloading of popular content. Popular films, sitcoms, and new games always have a suitable disguise. However, it is a common case for the group which applies a Ransomware-as-a-service scheme. One distribution team may test this spreading approach.
STOP/Djvu ransomware comes with RedLine stealer
Again, the supplementary spyware is not new for Djvu ransomware. Earlier versions of this malware were carrying the legendary Azorult spyware, which appeared in 2016. Since its adoption in 2020, STOP/Djvu group has stealthily grabbed the victims’ credentials to sell them later on the Darknet. RedLine is younger – it is active since 2020 – and has several unique features that possibly make it more desirable for the developers. Again, whether such a change is temporal or not is unclear – Azorult and RedLine have similar functionality. The worst part is that victims should still change all their passwords after the attack. Otherwise, they may uncover their accounts in social networks as a part of a botnet.
What is STOP/Djvu ransomware?
This ransomware family is worth saying several words about. After appearing in 2017, this ransomware quickly gained a large share of the ransomware arena. It aims at individual users and asks for $450-$900 for file decryption. This ransomware uses an AES-256 cipher in CFB mode and the RSA algorithm. There are several possible solutions to decrypt the files after the STOP/Djvu ransomware attack, but most rely on exploiting the offline keys. The situations when your files are ciphered with online keys are likely unsolvable – unless you pay the ransom or have your files backed up. There is also the possibility of getting your files back after the gang dissolution – but such an occasion has a pretty low possibility. STOP/Djvu gang is running for too long to cease to exist; in the worst-case scenario, it will just decrease its activity.