STOP/Djvu ransomware. The biggest hazard of these days

Helga Smith
The STOP/Djvu ransomware family is the most widespread ransomware family among individual users. This malware type is infamous for locking the victim's files and then demanding a sizeable sum of money to get them back. First seen in December 2017, it is one of the oldest ransomware families still active today.

The STOP/Djvu family accounts for almost 75% of all ransomware detections among individual users. Such a "success" is the result of close cooperation with other malware creators and a good awareness of every possible malware spreading channel. It is not clear how much these people earn, but the gross losses from ransomware activity exceeded $11 billion in 2021 [1], and they will likely grow in the following years, with Djvu likely remaining involved. That is why the FBI is so interested in capturing at least one of the group's top managers.

What is so unique about STOP/Djvu ransomware?

Being so successful usually means having something unique in your product. But the core of the ransomware they produce brings nothing that by itself could explain such a wide spread. The key things that make the Djvu virus so successful are the aforementioned spreading methods and a unique repacking mechanism that allows this malware to stay undetected for a long time.

[Image: STOP/Djvu ransomware in Task Manager. Ransomware runs in the background]

Just like the majority of other ransomware families, STOP/Djvu uses the AES-256 or RSA-1024 encryption methods. Sometimes they combine them, but there is no need for such a strong cipher: even AES-256 alone is enough to prevent any decryption by brute force. And there is no way to get the key: in 95% of cases it is kept on the command server and is delivered with the use of asymmetric encryption, which means there is no way to obtain it without paying the ransom. Unfortunately, even quantum computers are not able to break these ciphers fast enough; it would take thousands of years.

STOP/Djvu ransomware distribution methods

And the unique part of this ransomware group makes it even stronger. Its affiliates (the people who spread the malware) refine their tactics every month. Email spam, untrustworthy software and cracked programs are nothing new, but the way these crooks disguise their payloads is remarkable. They somehow manage to target their email spam campaigns at users who are waiting for delivery notifications; knowing that something is in high demand on torrent trackers, they create a one-day site to spread links to malicious torrent downloads. Such tactics allow them to ride every trend, and they still have not been caught.

Repacking for stealthiness

Anti-malware programs have many ways of detecting malware. The most widespread and common one by its underlying method, database-backed (signature) detection, has a design flaw that allows the crooks to make their malware invisible to antivirus engines. It is a sort of obfuscation, but an elegant one. Each new version of the Djvu ransomware has a completely different code sequence, which makes the file hash, along with the file size and other attributes, completely different. They pull off this trick using a special repacking application that generates a completely new sample almost every minute. Meanwhile, the antivirus modules whose job is to detect obfuscated code simply let the file through, because they see no obfuscation in it.

[Image: STOP/Djvu ransomware samples. The difference between 2 samples of the same Djvu variant (.dehd)]

Even though analysts have identified a regularity in the order of the changes made by that repacker, this ransomware is still uncatchable. They do not leave a single clue that could detect not only present versions but also future ones. Moreover, they sometimes change the repacking utility, which leads to completely different file section sizes. The only hope for antivirus engineers to detect the STOP/Djvu ransomware is to use heuristic engines.

STOP/Djvu ransomware attack. Step-by-step

After being injected, this ransomware starts from … checking the location. First of all, this malware checks your region. If it is set to one of the following countries, it stops any further execution:

  • Russia
  • Belarus
  • Ukraine
  • Azerbaijan
  • Armenia
  • Tajikistan
  • Kazakhstan
  • Uzbekistan
  • Kyrgyzstan

Possibly, some of their distributors or developers are from these countries. That is a pretty smart step to avoid attention from local law enforcement. Nonetheless, there are many cases in which this check fails and a user from one of these countries gets his files ciphered. When the location check is passed, the virus connects to the command server and receives the encryption key and the victim's ID. If the command server is inaccessible, the ransomware uses the encryption key embedded in the ransomware file itself. That makes file decryption possible; see the "Is it possible to decrypt…" section.

Bring me action

After receiving the encryption key, the virus begins scanning your disk, searching for all files it can encrypt. It manages to cipher all popular file formats: MS Office documents, OpenOffice ones, PDFs, databases, Photoshop projects, videos, music, photos, archives, disk image files, etc.

It does not encrypt all of your files at once. After finding a folder filled with files, it pauses the search and starts encrypting. When the ciphering is over, it generates the ransom note in that folder, switches back to search mode, and repeats. It attacks all of your disks, including the files on removable drives.

[Image: Files encrypted by the XCMB variant of Djvu ransomware]

Finally, after ciphering all the files it can find, it launches delself.bat, a batch script that creates a copy of the original ransomware files, places them in a less suspicious directory (the initial virus is usually located in C:\Users\%username%\temp or C:\Users\%username%\Downloads) and removes the originals. After that, the new .exe file is added to the Run registry key, giving the malware the ability to start with each Windows boot. [2]

STOP/Djvu ransom note

ATTENTION!

Don’t worry, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.

But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

https://we.tl/t-WJa63R98Ku

Price of private key and decrypt software is $980.

Discount 50% available if you contact us first 72 hours, that’s price for you is $490.

Please note that you’ll never restore your data without payment.

Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

manager@mailtemp.ch

Reserve e-mail address to contact us:

helprestoremanager@airmail.cc

Your personal ID:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
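Responders usually find a note like the one above dropped beside the ciphered files. The following Python helper is an added example, not code from the article or from any vendor tool: it recognises the note's wording, pulls out the contact addresses and the personal ID, and flags the offline-ID suffix ("t1", per Emsisoft's decryptor documentation, an assumption not stated on this page; see the offline-key discussion later in the article). The sample note is constructed from the text above with a made-up ID.

```python
import re

# Phrases taken from the ransom note reproduced in this article; a production
# rule would carry more, but these already separate it from ordinary mail.
NOTE_PHRASES = (
    "Don't worry, you can return all your files!",
    "The only method of recovering files is to purchase decrypt tool and unique key",
    "Price of private key and decrypt software is",
    "Discount 50% available if you contact us first 72 hours",
    "Your personal ID:",
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The personal ID is the alphanumeric token that follows the "Your personal ID:" line.
ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]{20,})")


def analyse_note(text: str) -> dict:
    """Score a text file as a STOP/Djvu note and extract the responder-relevant fields."""
    # Fold curly apostrophes and quotes so phrase matching survives copy-pasted notes.
    text = text.replace("\u2019", "'").replace("\u201c", '"').replace("\u201d", '"')
    matched = [p for p in NOTE_PHRASES if p in text]
    match = ID_RE.search(text)
    personal_id = match.group(1) if match else None
    return {
        "matched_phrases": len(matched),
        "is_stop_djvu_note": len(matched) >= 3,
        "contact_emails": sorted(set(EMAIL_RE.findall(text))),
        "personal_id": personal_id,
        # Assumption not stated in the article: Emsisoft documents that an ID ending
        # in "t1" was issued with an offline key, so its decryptor may be able to help.
        "offline_id": personal_id is not None and personal_id.endswith("t1"),
    }


# Constructed sample, not a real capture: the article's note wording with a made-up ID.
SAMPLE_NOTE = """ATTENTION!
Don't worry, you can return all your files!
The only method of recovering files is to purchase decrypt tool and unique key for you.
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
To get this software you need write on our e-mail: manager@mailtemp.ch
Reserve e-mail address to contact us: helprestoremanager@airmail.cc
Your personal ID:
CONSTRUCTEDSAMPLEID0123456789abcdefghijt1
"""
```

Run it over every `*.txt` in an affected folder: a hit plus an offline ID is the signal to try the Emsisoft decryptor before anything else.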

What can I do to avoid being attacked by STOP/Djvu ransomware?

An obvious answer: use anti-malware software. Of course, a good one, with a well-designed heuristic engine able to detect this sneaky ransomware. A tool with proactive protection is recommended; however, heuristics can be used in on-demand scans as well. One of the most important features is frequent database updates: this way, the program can detect even the newest STOP/Djvu ransomware variants.

[Image: Scan results in Loaris. Loaris is able to detect and remove STOP/Djvu ransomware in on-demand scans]

Nonetheless, even the most effective anti-malware tools will fail when you do everything to help the malware run successfully. Of course, you will do it unintentionally, thinking that you are just launching the game or the program you have just downloaded from a torrent tracker. So keep an eye on what you are doing, remembering that no one will give you a paid program for free. Use programs with a good reputation whenever possible, do not use torrent trackers, and double-check the emails you receive before opening them. That sounds hard and slow, but in fact it takes less than a minute in each situation. And this minute is always less than the time you would spend getting your files back.

Is it possible to decrypt the files after the ransomware attack?

As I have already pointed out, it is impossible to decipher the files after the ransomware attack. The encryption algorithms used in the attack are extremely tough. Decryption with any "classic" method, such as brute force, would take an extremely long time on any contemporary computer. However, a specific design feature of STOP/Djvu ransomware allows you to get some of the files back.

The encryption module of that malware ciphers only the first 5MB of each file. For most of the files this ransomware touches on your device, that is enough to make them inaccessible. Nonetheless, high-quality music and video files are much bigger than 5MB. Yes, the encrypted part is still inaccessible, but there is much more information beyond those megabytes. The only thing you need to reach it is the proper software. In particular, WinAmp is able to play such files. This very old piece of freeware is still in demand among many users and, as you can see, it can be used for more.
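The 5MB window described above can be checked on a suspect file before deciding what is worth salvaging. The following Python triage helper is an added example, not code from the article or from any recovery tool: it splits a file image at the 5MB mark, estimates the entropy of both regions, and reports how much untouched data lies past the ciphered prefix; the extension list (.dehd, .xcmb) and the sample file are constructed from what this page mentions.

```python
import math
import os
from collections import Counter

# The article states that STOP/Djvu ciphers only the first 5 MB of every file.
ENCRYPTED_PREFIX = 5 * 1024 * 1024
# Variant extensions named on this page; extend the set for other variants.
KNOWN_EXTENSIONS = {".dehd", ".xcmb"}
SAMPLE_WINDOW = 1024 * 1024  # entropy is estimated on at most 1 MiB per region


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, clearly lower for structured data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def triage(data: bytes, prefix_len: int = ENCRYPTED_PREFIX) -> dict:
    """Split a file image into the ciphered prefix and the untouched tail and report
    how much data survives past the window (the part a tolerant player can still use)."""
    prefix, tail = data[:prefix_len], data[prefix_len:]
    tail_entropy = shannon_entropy(tail[:SAMPLE_WINDOW])
    return {
        "size": len(data),
        "ciphered_bytes": len(prefix),
        "intact_bytes": len(tail),
        "prefix_entropy": round(shannon_entropy(prefix[:SAMPLE_WINDOW]), 2),
        "tail_entropy": round(tail_entropy, 2),
        # Anything past the window was never touched, so it is worth salvaging.
        "partially_recoverable": len(tail) > 0,
        # A low-entropy tail is uncompressed data; compressed video scores near 8.0
        # too, so a high value alone does not mean the tail was ciphered.
        "tail_looks_structured": len(tail) > 0 and tail_entropy < 7.5,
    }


def looks_like_djvu_name(filename: str) -> bool:
    """True when the file carries one of the variant extensions named in the article."""
    return os.path.splitext(filename)[1].lower() in KNOWN_EXTENSIONS


# Constructed sample, not a victim file: 5 MiB of random bytes stand in for the
# ciphered prefix, followed by 1 MiB of repetitive "frame" data standing in for the
# untouched remainder of a large video.
SAMPLE = os.urandom(ENCRYPTED_PREFIX) + b"FRAME\x00\x01\x02" * (128 * 1024)

if __name__ == "__main__":
    print(triage(SAMPLE), looks_like_djvu_name("holiday.mp4.dehd"))
```

The intact byte count is what matters for the WinAmp trick; the entropy figures only tell the analyst what kind of data survived.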

[Image: WinAmp interface]

Miracle decryption ability

Another way of getting access to your files requires a lot of luck. Sometimes, STOP/Djvu ransomware struggles to connect to its command server. This may happen because of your unstable Internet connection, as well as because of trouble with the fraudsters' servers. In that case, the key it uses for file encryption is a so-called offline key. Since carrying all 2^256 keys is too much for a tiny ransomware, the number of offline keys is limited, and a certain number of them are already known. Programs like the Emsisoft Decryptor for STOP/Djvu can try to decrypt your files with these keys.

Unfortunately, the chance that you will get your files back this way is about 5%. In most cases, the command servers work well, and so does your ISP. Even setting up a network sniffer will not help you in any way. Besides the fact that it is not very ethical if someone else uses your computer, the asymmetric encryption makes such a sniffer useless.

File recovery tools - effective or not?

Another feature of the ransomware mechanism allows you to get your files back without decryption. STOP/Djvu ransomware creates a copy of each of your files, encrypts it, and then removes the original file, replacing it with the ciphered copy. And here comes the most interesting part: just like with any other deleted file, you can perform a recovery operation on the ones affected by the ransomware.

[Image: STOP/Djvu files recovery. Files after the successful recovery]

How does that work?

Data storage technologies on both SSD and HDD disks assume that the information remains in the cells even after being deleted from the file system. Later, when you write something to your disk, these cells (or areas, in the case of an HDD) are reused, erasing the remains of the removed files. Therefore, until these cells are reused and thus overwritten, you can try to get some information back from your disk.

Still, this trick can be useless because of technological features

There are several things that can make file recovery impossible. The first and most widespread issue is SSD usage. All modern OS versions have the TRIM command enabled for solid-state drives, which increases the disk's lifespan. But this command clears the cells where the deleted information was stored. Hence, there is literally nothing to recover.

Another case that makes it impossible to get the files back with this method is when you use your PC after the encryption long enough for the cells holding the deleted files to be overwritten. That may happen even if your PC is idle. Windows has a lot of background processes that constantly write something to your disk and read information from it. Hence, the less time you wait before the recovery, the more files you will be able to restore.

Shadow copies. Another way to recover your files

Volume Shadow Copies is a default Windows mechanism that allows the user to always have a backup copy of the system partition. [3] That makes system recovery possible in just a few clicks, since all important system files are backed up. Additionally, you can use this function to recover your files from this ersatz backup. To reach it, you need specific software, such as Shadow Explorer, for example.

[Image: Volume Shadow Copy]

The main problem with using VSC is that ransomware developers know about this ability. Most of the STOP/Djvu variants you can find in the wild are able to disable and delete the shadow copies. Another thing that makes it a bit less useful is that, by default, the copy is created every day. Hence, your backup copy may simply be overwritten by the ciphered files, and with each update of this backup, the previous copy is deleted.

  1. Report about ransomware-related losses in 2021.
  2. Comprehensive information about STOP/Djvu ransomware variants.
  3. Official Microsoft guidance on the Volume Shadow Copy service and its mechanism.
