Djvu/STOP

The Djvu/STOP ransomware, which appears to be a variant of the STOP ransomware, first appeared in December 2018, appending a .djvu, .djvus, .djvuu, .uudjvu, .udjvu, .djvuq, .djvur, or .pdff extension to the files it encrypts; a variant using the .tro extension followed in January 2019. It primarily spreads through cracked software downloads and adware bundles, and it is able both to alter Windows settings and to encrypt files.

Djvu begins its infection by installing an executable into the LocalAppData folder and downloading several files called 1.exe, 2.exe, 3.exe, and updatewin.exe. 1.exe removes the Windows Defender definitions and disables its real-time monitoring through a PowerShell script called Script.ps1. 2.exe alters the Windows HOSTS file to block navigation to various security websites. The functionality of 3.exe is not yet known. updatewin.exe spawns a fraudulent Windows Update window to make users believe a system update is taking place while the computer slows down during file encryption.

The Djvu ransomware contacts its command-and-control server with a unique ID derived from the victim’s MAC address to receive an encryption key, then begins encrypting files. A scheduled task named Time Trigger Task is also created to periodically encrypt any newly created files. A ransom note called _openme.txt is placed in each affected folder. Unlike most ransomware, the note does not specify a payment amount; it asks the user to contact an email address for more information.

One variation of the ransomware, the one using the .uudjvu extension, additionally tries to phish the user’s login credentials for Pirate Bay.
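The host-level artefacts described above (the renamed files and _openme.txt notes, the HOSTS edits made by 2.exe, the SysHelper Run value and the Time Trigger Task) are enough to write a small triage check. The following Python is an added defender-side example, not code from the original report; the sample paths, HOSTS contents and Run-key data are constructed, and the hostnames and file paths in them are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Artefacts named in the write-up, including the later .tro and .rumba variants.
DJVU_EXTENSIONS = {".djvu", ".djvus", ".djvuu", ".uudjvu", ".udjvu", ".djvuq",
                   ".djvur", ".pdff", ".tro", ".rumba"}
RANSOM_NOTE = "_openme.txt"
RUN_VALUE = "SysHelper"           # value under HKCU\...\CurrentVersion\Run
TASK_NAME = "Time Trigger Task"   # scheduled task that re-encrypts new files
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")

def classify_paths(paths):
    """Split Windows paths into Djvu-encrypted files and ransom notes."""
    encrypted, notes = [], []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == RANSOM_NOTE:
            notes.append(p)
        elif wp.suffix.lower() in DJVU_EXTENSIONS:
            encrypted.append(p)
    return encrypted, notes

def sinkholed_hosts(hosts_text):
    """Hostnames mapped to loopback/blackhole addresses (how 2.exe blocks security sites)."""
    found = []
    for line in hosts_text.splitlines():
        m = HOSTS_LINE.match(line.split("#", 1)[0])   # drop trailing comments
        if m and m.group(1) in SINKHOLE_IPS and m.group(2).lower() != "localhost":
            found.append(m.group(2).lower())
    return found

def triage(paths, hosts_text, run_values, task_names):
    """Combine the host-level checks into one findings dict."""
    encrypted, notes = classify_paths(paths)
    return {"encrypted_files": encrypted, "ransom_notes": notes,
            "sinkholed_hosts": sinkholed_hosts(hosts_text),
            "run_key_persistence": RUN_VALUE in run_values,
            "time_trigger_task": TASK_NAME in task_names}

# Constructed sample evidence (not from a real infection); hostnames and Run data are placeholders.
SAMPLE_PATHS = [r"C:\Users\alice\Documents\budget.xlsx.djvu",
                r"C:\Users\alice\Documents\_openme.txt",
                r"C:\Users\alice\Pictures\holiday.jpg",
                r"C:\Users\alice\Pictures\scan.pdf.tro"]
SAMPLE_HOSTS = ("# constructed HOSTS file\n127.0.0.1 localhost\n::1 localhost\n"
                "0.0.0.0 av-vendor.example\n127.0.0.1 security-site.example  # added\n")
SAMPLE_RUN = {"OneDrive": r"C:\placeholder\OneDrive.exe", RUN_VALUE: r"C:\placeholder\malware.exe"}
FINDINGS = triage(SAMPLE_PATHS, SAMPLE_HOSTS, SAMPLE_RUN, [TASK_NAME])
```

On a live host the inputs would come from a directory walk, the real HOSTS file, the HKCU Run key and the task scheduler; a hit on the Run value or task name alone is worth investigating even before any renamed files appear.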


IOCs

Hashes:

Main installer: 5d294a14a491dc4e08593b2f6cdcaace1e894c449b05b4132b9ba5c005848c58

1.exe: 6966599b3a7786f81a960f012d540866ada63a1fef5be6d775946a47f6983cb7

2.exe: 91a1122ed7497815e96fdbb70ea31b381b5243e2b7d81750bf6f6c5ca12d3cee

updatewin.exe: 74949570d849338b3476ab699af78d89a5afa94c4529596cc0f68e4675a53c37

Associated Files:

%LocalAppData%\[guid]\[random_numbers]tmp.exe

%LocalAppData%\[guid]\1.exe

%LocalAppData%\[guid]\2.exe

%LocalAppData%\[guid]\3.exe

%LocalAppData%\[guid]\updatewin.exe

C:\Windows\System32\Tasks\Time Trigger Task

Associated Registry Entries:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper

Associated Email Addresses:

restoredjvu@india[.]com

restoredjvu@firemail[.]cc

helpshadow@india[.]com

helpshadow@firemail[.]cc

pdfhelp@india[.]com

pdfhelp@firemail[.]cc

Network Traffic:

api.2ip[.]ua

morgem[.]ru

Reporting and Technical Details

UPDATE 1/2019: Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles.

UPDATE 1/22/2019: Djvu/STOP ransomware now distributed using the .rumba extension.

UPDATE 1/22/2019: Security researcher Michael Gillespie released a decryptor for several versions of Djvu/STOP ransomware.