STOP Djvu Ransomware: Disguises Itself as Adware Installers & Installs Azorult Infostealer
STOP ransomware, which is also known as STOP Djvu Ransomware, was originally noted by security researchers in February of 2018. In the time since its discovery, it has spawned a family of clones and offshoot infections. It is primarily distributed via spam email campaigns that contain malicious attachments. The majority of the malicious attachments used in the spam email campaigns were macro-enabled office documents or phony PDF files that uploaded the ransomware without the victim’s knowledge.
STOP ransomware is similar to other ransomware threats as it encrypts and blocks access to data on victims’ computers. Personal files, pictures, and other documents are encrypted and essentially disabled. The STOP Djvu ransomware variant was first spotted back in December 2018 when victims reported they were infected with ransomware after they downloaded keygens or cracks.
After infiltration occurs, STOP Djvu ransomware can modify Windows settings, appending files with a range of names, including .djvu, .djvus, .djvuu, .udjvu or .djvuq and the recent .promorad and .promock extensions. Newer versions of the infection don’t have a decryptor yet, but most older ones can be decrypted utilizing well-known ransomware decryptor tools.
The ransom note reads in part: ALL YOUR FILES ARE ENCRYPTED. Don’t worry, you can return all your files! All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees do we give to you? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Don’t try to use third-party decrypt tools because it will destroy your files. Discount 50% available if you contact us first 72 hours.
In early 2021, security researcher Michael Gillespie discovered a new ransomware variant called “Zorab,” which purported to be a decryptor for STOP Djvu ransomware.
Additionally, in early January 2019, STOP utilized adware installers disguised as cracks as a method of distribution. That was several weeks before researchers spotted a newer strain of the STOP ransomware family downloading the AZORult infostealer onto victims’ systems as part of the infection process. This makes STOP ransomware one of the more dangerous and growing infections that you need to look out for.