Stolich

Stolich is an in-development variant based on the EDA2 open-source ransomware code. Stolich was discovered by the researchers behind the MalwareHunterTeam Twitter handle on April 3, 2017 when the ransomware developer uploaded a sample to VirusTotal to see if it would be detected by antivirus software. MalwareHunterTeam discovered that the uploaded sample of Stolich, based on open-source code, was obfuscated with an evaluation version of CryptoObfuscator, a tool used by software developers to prevent others from viewing or analyzing the program's code. Since Stolich's code is openly available for download on GitHub, researchers deduced that someone may be using the code to create a new version to actually infect victims and generate profit. The next day, on April 4, another researcher discovered LMAOxUS, a version of Stolich that came bundled with a Minecraft launcher. LMAOxUS appends .lmao to the names of encrypted files, drops a ransom note named LMAO_READ_ME.txt, includes lmaoxus@safe-mail.net as the hacker's email address, and demands a ransom of 0.1 Bitcoin.
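
The file-system indicators above (the .lmao extension, the LMAO_READ_ME.txt note and the contact address inside it) are what an incident responder would sweep a share for. The following Python script is an added example, not part of the NJCCIC profile or of the ransomware's own code: it walks a directory tree, lists files carrying the LMAOxUS extension, lists ransom notes, counts how many notes name the reported contact address, and maps an encrypted filename back to its original name. The directory layout and note text it scans are constructed sample data, and all file names in it are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# LMAOxUS indicators as reported in the profile above.
LMAOXUS_EXTENSION = ".lmao"
LMAOXUS_NOTE_NAME = "LMAO_READ_ME.txt"
LMAOXUS_CONTACT = "lmaoxus@safe-mail.net"


def original_name(encrypted_name):
    """Return the filename as it was before LMAOxUS appended its extension.

    LMAOxUS appends ".lmao" to the existing name, so "report.docx.lmao"
    maps back to "report.docx". Names without the extension are returned unchanged."""
    if encrypted_name.lower().endswith(LMAOXUS_EXTENSION):
        return encrypted_name[: -len(LMAOXUS_EXTENSION)]
    return encrypted_name


def scan_for_lmaoxus(root):
    """Walk `root` and report every file matching an LMAOxUS indicator.

    Returns a dict with sorted, root-relative POSIX paths of encrypted files and
    ransom notes, plus how many of those notes name the contact address."""
    root = Path(root)
    encrypted, notes, notes_with_contact = [], [], 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower().endswith(LMAOXUS_EXTENSION):
                encrypted.append(rel)
            elif name == LMAOXUS_NOTE_NAME:
                notes.append(rel)
                # Read defensively: a note may be partially written or non-UTF-8.
                text = path.read_text(encoding="utf-8", errors="replace")
                if LMAOXUS_CONTACT in text:
                    notes_with_contact += 1
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "notes_with_contact": notes_with_contact,
    }


# Constructed sample layout (hypothetical file names; the note text is made up
# and only echoes the contact address the profile reports).
SAMPLE_TREE = {
    "docs/report.docx.lmao": b"\x00\x11\x22constructed-ciphertext",
    "docs/LMAO_READ_ME.txt": "Your files are encrypted. Contact lmaoxus@safe-mail.net\n",
    "docs/notes.txt": "untouched plaintext\n",
    "pictures/holiday.jpg.lmao": b"\xff\xd8constructed-ciphertext",
    "pictures/LMAO_READ_ME.txt": "Your files are encrypted. Contact lmaoxus@safe-mail.net\n",
    "clean/readme.txt": "nothing to see here\n",
}


def build_sample_tree(root):
    """Materialise SAMPLE_TREE under `root`."""
    for rel, content in SAMPLE_TREE.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            path.write_bytes(content)
        else:
            path.write_text(content, encoding="utf-8")


def demo():
    """Build the constructed tree in a temporary directory, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_lmaoxus(tmp)


if __name__ == "__main__":
    report = demo()
    for rel in report["encrypted"]:
        print(f"encrypted: {rel} (was {original_name(Path(rel).name)})")
    for rel in report["notes"]:
        print(f"ransom note: {rel}")
    print(f"notes naming {LMAOXUS_CONTACT}: {report['notes_with_contact']}")
```

Point `scan_for_lmaoxus` at a real mount to take inventory instead of the constructed tree; the original-name mapping is what lets you tie each encrypted file back to the backup copy you restore it from. The extension match is case-insensitive because Windows file names are, while the note-name match is exact so that unrelated .txt files are not counted.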

UPDATE: The Stolich developer has since removed its code from GitHub, but it is unknown how many people may have downloaded the open-source code with the intent to create and distribute ransomware.

  • Bleeping Computer provides more information about Stolich and LMAOxUS here.
  • The NJCCIC is not currently aware of any decryption tools available for Stolich/LMAOxUS.