Djvu is a variant of the STOP ransomware family that first appeared in December 2018. Early versions appended a .djvu, .djvus, .djvuu, .uudjvu, .udjvu, .djvuq, .djvur, or .pdff extension to encrypted files; a version seen in January 2019 switched to .tro. It spreads primarily through cracked software downloads and adware bundles, and in addition to encrypting files it alters Windows settings to weaken the host's defenses before encryption starts.
Djvu begins its infection by installing an executable into the user's LocalAppData folder and downloading several additional files named 1.exe, 2.exe, 3.exe, and updatewin.exe. 1.exe runs a PowerShell script named Script.ps1 that removes the Windows Defender definitions and disables Defender's real-time monitoring. 2.exe modifies the Windows HOSTS file so that various security websites no longer resolve, blocking the victim from reaching help or updated tooling. The purpose of 3.exe is not yet known. updatewin.exe displays a fake Windows Update window so that the slowdown caused by file encryption looks like a system update in progress.
Djvu then contacts its command-and-control server, sending a unique ID derived from the victim's MAC address, to obtain an encryption key, and begins encrypting files. It also creates a scheduled task named Time Trigger Task that periodically reruns the encryptor, so files created after the initial infection are encrypted as well. A ransom note named _openme.txt is dropped into each affected folder. Unlike most ransomware notes, it states no payment amount and instead asks the victim to contact an email address for further instructions.
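The indicators in the two paragraphs above (dropped helper executables under LocalAppData, HOSTS tampering, Defender real-time monitoring switched off, the Time Trigger Task persistence task, and the _openme.txt note beside renamed files) can be checked offline against artifacts exported from a suspect host. The Python triage script below is an added example written for this page, not code from the original write-up or from any vendor tool. The sample HOSTS body, file listing, task listing and registry export at the bottom are constructed for the demonstration; the sinkholed hostnames are placeholders, and the DisableRealtimeMonitoring registry value it looks for is the standard Defender policy switch, an assumption on my part, since the write-up names only the effect (real-time monitoring disabled) and not how it was achieved.

```python
"""Offline triage for the Djvu/STOP indicators described above (added example).
Inputs are plain data (HOSTS body, file listing, task-store listing, .reg export)
so it runs against exported artifacts; the samples at the bottom are constructed."""
from pathlib import PureWindowsPath

# Helper file names the write-up attributes to the dropper; the fake updater is
# matched under both spellings that appear in reporting.
DROPPED_NAMES = {"1.exe", "2.exe", "3.exe", "updatewin.exe", "pdatewin.exe"}
RANSOM_NOTE = "_openme.txt"
TASK_NAME = "time trigger task"                  # compared case-insensitively
ENCRYPTED_EXTS = {".djvu", ".djvus", ".djvuu", ".uudjvu", ".udjvu",
                  ".djvuq", ".djvur", ".pdff", ".tro", ".rumba"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}   # where HOSTS sinkholes point
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def hosts_sinkholes(hosts_text):
    """Hostnames mapped to a loopback/null address, ignoring the stock localhost lines."""
    hits = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(parts) < 2 or parts[0] not in SINKHOLE_IPS:
            continue
        hits.extend(h.lower() for h in parts[1:] if h.lower() not in LOCALHOST_NAMES)
    return hits


def dropped_executables(paths):
    """Paths matching the dropper file names that sit under ...\\AppData\\Local."""
    found = []
    for p in paths:
        wp = PureWindowsPath(p)
        parts = [s.lower() for s in wp.parts]
        in_local_appdata = any(a == "appdata" and b == "local"
                               for a, b in zip(parts, parts[1:]))
        if wp.name.lower() in DROPPED_NAMES and in_local_appdata:
            found.append(p)
    return found


def persistence_task(task_paths):
    """True if the scheduled-task store listing contains the re-encryption task."""
    return any(PureWindowsPath(p).name.lower() == TASK_NAME for p in task_paths)


def encrypted_files(paths):
    """Split a listing into (files with a known Djvu extension, ransom notes)."""
    enc, notes = [], []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == RANSOM_NOTE:
            notes.append(p)
        elif wp.suffix.lower() in ENCRYPTED_EXTS:
            enc.append(p)
    return enc, notes


def defender_realtime_disabled(reg_export):
    """True if the .reg export sets DisableRealtimeMonitoring=1 under a Defender
    Real-Time Protection key (assumed policy switch; the write-up names only the effect)."""
    key = ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif line.lower().startswith('"disablerealtimemonitoring"=dword:'):
            if "real-time protection" in key and int(line.split("dword:", 1)[1], 16) == 1:
                return True
    return False


def triage(hosts_text, file_paths, task_paths, reg_export):
    """Run every check; 'findings' counts the indicator classes that fired."""
    enc, notes = encrypted_files(file_paths)
    result = {
        "sinkholed_hosts": hosts_sinkholes(hosts_text),
        "dropped": dropped_executables(file_paths),
        "task": persistence_task(task_paths),
        "encrypted": enc,
        "notes": notes,
        "defender_off": defender_realtime_disabled(reg_export),
    }
    result["findings"] = sum(1 for v in result.values() if v)
    return result


# ---- constructed sample artifacts (placeholders, not real captures) ----
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
0.0.0.0 av-vendor.example        # sinkholed by 2.exe-style tampering
0.0.0.0 malware-help.example
"""
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\1.exe",
    r"C:\Users\alice\AppData\Local\updatewin.exe",
    r"C:\Users\alice\Pictures\1.exe",               # right name, wrong folder
    r"C:\Users\alice\Documents\report.docx.djvu",
    r"C:\Users\alice\Documents\_openme.txt",
]
SAMPLE_TASKS = [r"C:\Windows\System32\Tasks\Time Trigger Task",
                r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"]
SAMPLE_REG = """[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"""

if __name__ == "__main__":
    for name, value in triage(SAMPLE_HOSTS, SAMPLE_FILES, SAMPLE_TASKS, SAMPLE_REG).items():
        print(f"{name}: {value}")
```

Run as-is to triage the constructed sample; on a real case, feed it the HOSTS file body, a recursive listing of the user profile, a listing of C:\Windows\System32\Tasks, and a .reg export of the Windows Defender policy keys. The HOSTS check flags any non-localhost name mapped to loopback or 0.0.0.0, so it also catches security sites the write-up does not list; treat 'findings' as a count of independent indicator classes rather than a confidence score.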
One variant, which uses the .uudjvu extension, additionally attempts to phish the victim's Pirate Bay login credentials.
Main installer (SHA-256): 5d294a14a491dc4e08593b2f6cdcaace1e894c449b05b4132b9ba5c005848c58
Scheduled task: C:\Windows\System32\Tasks\Time Trigger Task
Associated Registry Entries:
Associated Email Addresses:
Reporting and Technical Details
UPDATE 1/2019: Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles.
UPDATE 1/22/2019: Djvu/STOP ransomware now distributed using the .rumba extension.
UPDATE 1/22/2019: Security researcher Michael Gillespie released a decryptor for several versions of Djvu/STOP ransomware.