A recently discovered variant of the StopCrypt ransomware, also known as STOP Djvu, has emerged in the wild, employing a sophisticated multi-stage execution process to bypass security tools.
StopCrypt, despite being one of the most widely distributed ransomware strains, often flies under the radar in discussions among security researchers. Unlike ransomware operations that target large businesses, StopCrypt primarily focuses on consumers, aiming to generate numerous small ransom payments ranging from $400 to $1,000.
The ransomware typically spreads through malvertising campaigns and dubious websites offering adware bundles disguised as free software, game cheats, or software cracks. Once installed, unsuspecting users find themselves infected with various malware, including password-stealing trojans and StopCrypt ransomware, prompting them to seek assistance from security experts and online forums.
Since its inception in 2018, StopCrypt has undergone minimal changes, with new versions mainly addressing critical issues. However, the discovery of a new variant always garners attention due to the significant number of users affected by it.
SonicWall's threat research team recently identified a new variant, dubbed StopCrypt, which employs a multi-stage execution mechanism to enhance stealth and evade detection. Initially, the malware loads an unrelated DLL file (msim32.dll) and implements time-delaying loops to bypass time-related security measures.
Subsequently, the ransomware employs dynamically constructed API calls to allocate memory space and execute its payload, making detection more challenging. It also takes snapshots of running processes to understand its operating environment.
The next stage involves process hollowing, where StopCrypt injects its payload into legitimate processes for discreet execution in memory. This process manipulation is achieved through carefully orchestrated API calls that control process memory and flow.
Once executed, the ransomware ensures persistence by modifying access control lists (ACLs) to prevent users from deleting critical files and directories. Additionally, it creates a scheduled task to execute the payload every five minutes.
Files are encrypted, and a ".msjd" extension is appended to their names, while a ransom note named "_readme.txt" is placed in every affected folder, providing instructions for a ransom payment.
The evolution of StopCrypt into a more stealthy and powerful threat highlights a concerning trend in cybercrime, underscoring the potential for significant damage despite modest ransom demands and the absence of data theft practices.
