
About DJVU (STOP) Ransomware (August 2019 Update)

Written by Brendan Smith

DJVU General information

DJVU ransomware encrypts the victim's data with the AES-556 algorithm in CFB mode. It does not encrypt an entire file, only approximately the first 5 MB of it. It then demands a ransom of $980, payable in Bitcoin, to restore the files.
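Because only the head of each file is overwritten, the bytes past the encrypted region are left intact, and a random-looking head followed by a structured tail is a useful triage signal when sorting a hit file share. The following Python script is an added example written for this article, not the article's or any vendor's code: it compares the Shannon entropy of a sample from the start of a file with a sample taken just past the first 5 MB. The 64 KiB sample size and the 7.0 bits-per-byte threshold are assumptions chosen for the example, and the sample files are constructed in memory.

```python
import math
import os

# Region STOP/DJVU is reported to encrypt at the start of each file
# (approximately 5 MB according to the write-up). The sample size and the
# entropy threshold are assumptions chosen for this example.
ENCRYPTED_HEAD_BYTES = 5 * 1024 * 1024
SAMPLE_BYTES = 64 * 1024
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_samples(head: bytes, tail: bytes) -> str:
    """Classify a file from a sample of its head and a sample taken just past
    ENCRYPTED_HEAD_BYTES. Returns 'intact', 'partially_encrypted' or
    'fully_encrypted'. A random-looking head with a structured tail is the
    signature of head-only encryption."""
    head_high = shannon_entropy(head) >= HIGH_ENTROPY_BITS
    if not tail:
        # File shorter than the encrypted region: head-only encryption
        # covers the whole file, so there is no intact tail to compare.
        return "fully_encrypted" if head_high else "intact"
    tail_high = shannon_entropy(tail) >= HIGH_ENTROPY_BITS
    if head_high and not tail_high:
        return "partially_encrypted"
    if head_high and tail_high:
        return "fully_encrypted"
    return "intact"


def classify_blob(blob: bytes) -> str:
    """Classify an in-memory file image."""
    head = blob[:SAMPLE_BYTES]
    tail = blob[ENCRYPTED_HEAD_BYTES:ENCRYPTED_HEAD_BYTES + SAMPLE_BYTES]
    return classify_samples(head, tail)


def classify_file(path: str) -> str:
    """Classify a file on disk, reading only the two samples (seek past the
    encrypted region instead of loading the whole file)."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
        fh.seek(ENCRYPTED_HEAD_BYTES)
        tail = fh.read(SAMPLE_BYTES)
    return classify_samples(head, tail)


def build_samples() -> dict:
    """Constructed test data (not real victim files): a 6 MiB low-entropy
    document, a copy whose first 5 MiB were overwritten with random bytes to
    mimic head-only encryption, and a small file that is random throughout."""
    line = b"Quarterly report, section 4: revenue by region.\n"
    size = 6 * 1024 * 1024
    document = (line * (size // len(line) + 1))[:size]
    damaged = os.urandom(ENCRYPTED_HEAD_BYTES) + document[ENCRYPTED_HEAD_BYTES:]
    return {
        "document": document,
        "damaged": damaged,
        "random": os.urandom(256 * 1024),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name}: {classify_blob(blob)}")
```

The check has an obvious blind spot: natively compressed formats (ZIP, JPEG, MP4) are high-entropy throughout and come back as `fully_encrypted`, so pair it with a magic-byte or extension check before drawing conclusions. An intact tail does not make a file usable, but for large media, archive or database files it is the part that can still be salvaged.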

The malware's authors have Russian roots: the fraudsters use the Russian language and Russian words transliterated into English, and their domains are registered through Russian domain-registration companies. They most likely have accomplices in other countries.

DJVU Technical details

Many users report that the ransomware is delivered through repackaged, infected installers of popular programs and through pirated activators for MS Windows and MS Office (KMSAuto Net, KMSPico, etc.) that the fraudsters distribute via popular websites. This applies both to legitimate free applications and to illegal pirated software.

The ransomware may also spread through intrusions via poorly protected RDP configurations, email spam with malicious attachments, misleading downloads, exploits, web injectors, faulty updates, and repackaged, infected installers.

The list of file types subject to encryption:

MS Office or OpenOffice documents, PDF and text files, databases, photos, music, video or image files, archives, application files, etc.

Stages of cryptoware infection:

  1. Once launched, the ransomware executable connects to its command-and-control (C&C) server and obtains the encryption key and the infection identifier for the victim's PC. The data is exchanged over HTTP as JSON.
  2. If the C&C server is unreachable (the PC is not connected to the Internet or the server does not respond), the ransomware falls back to a hard-coded encryption key embedded in its code and encrypts autonomously. In this case it is possible to decrypt the files without paying the ransom.
  3. The ransomware replaces the legitimate Windows file rdpclip.exe with its own copy and uses it to attack the rest of the computer network.
  4. Once file encryption completes, the encryptor deletes itself by means of the delself.bat batch file.

Associated Files:

%LocalAppData%\[guid]\[random_numbers]tmp.exe
%LocalAppData%\[guid]\1.exe
%LocalAppData%\[guid]\2.exe
%LocalAppData%\[guid]\3.exe
%LocalAppData%\[guid]\updatewin.exe
C:\Windows\System32\Tasks\Time Trigger Task

Associated Registry Entries:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper

Network Traffic:

api.2ip.ua
morgem.ru

In addition to encrypting a victim's files, the DJVU family also installs the Azorult spyware to steal account credentials, cryptocurrency wallets, desktop files, and more.

How to decrypt DJVU files?

Michael Gillespie, a ransomware researcher, developed a decryptor for the versions in which the encryptor uses the offline encryption key.

Michael released a free decryption tool, STOPDecrypter. The tool includes a brute-forcer only for variants that use XOR encryption, a simple symmetric cipher that is relatively easy to break. The decrypter requires victims to provide a pair consisting of an encrypted file and its original, larger than 150 KB.

Remember: STOPDecrypter should be run as an Administrator from the Desktop.
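The reason an original/encrypted pair is needed is a property of XOR itself: since C = P xor K, anyone holding both P and C can compute K = P xor C for every byte the two have in common, and a repeating key can then be extended to any length. The Python below is an added illustration of that recovery on a textbook repeating-key XOR; it is not STOPDecrypter's code and does not reproduce any ransomware routine, and the demo key and documents are constructed values.

```python
from itertools import cycle
from typing import Optional


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR used to illustrate the weakness. This is a
    textbook cipher, not a reproduction of any ransomware routine."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """XOR is its own inverse: C = P xor K, so K = P xor C wherever both the
    original and the encrypted byte are known. The recovered keystream is
    only as long as the overlap, which is why a decryptor needs a
    sufficiently large original/encrypted pair."""
    n = min(len(original), len(encrypted))
    return bytes(p ^ c for p, c in zip(original[:n], encrypted[:n]))


def find_period(keystream: bytes, max_period: int = 4096) -> Optional[int]:
    """Smallest period at which the keystream repeats, or None if no
    repetition is visible within max_period. A repeating key can be extended
    to any length; a non-repeating keystream cannot be extrapolated past
    the overlap."""
    limit = min(max_period, len(keystream) // 2)
    for period in range(1, limit + 1):
        if keystream[period:] == keystream[:-period]:
            return period
    return None


def decrypt_with_recovered_key(encrypted: bytes, keystream: bytes) -> bytes:
    """Decrypt another file encrypted under the same key. With a repeating
    key the whole file is recoverable; otherwise only the first
    len(keystream) bytes are."""
    period = find_period(keystream)
    if period is not None:
        return xor_with_key(encrypted, keystream[:period])
    return xor_with_key(encrypted[:len(keystream)], keystream)


# Constructed demo key and documents; none of these values come from a real
# sample. The key is 37 bytes long and has no shorter period.
DEMO_KEY = b"constructed-demo-key-not-real-1234567"
DOC_A = b"Invoice 2019-07-15: 12 units @ 40.00 EUR\n" * 5000   # about 200 KB
DOC_B = b"Meeting notes: budget review postponed to Q3.\n" * 3000


def demo() -> dict:
    """Recover the keystream from the (original, encrypted) pair for DOC_A
    and use it to decrypt DOC_B, which was encrypted under the same key."""
    enc_a = xor_with_key(DOC_A, DEMO_KEY)
    enc_b = xor_with_key(DOC_B, DEMO_KEY)
    keystream = recover_keystream(DOC_A, enc_a)
    return {
        "period": find_period(keystream),
        "pair_bytes": len(keystream),
        "recovered_b": decrypt_with_recovered_key(enc_b, keystream),
    }


if __name__ == "__main__":
    result = demo()
    print("key period:", result["period"], "bytes")
    print("pair size:", result["pair_bytes"], "bytes")
    print("second file restored:", result["recovered_b"] == DOC_B)
```

The size requirement follows directly from `recover_keystream`: a pair only yields as many keystream bytes as the two files overlap, so a small pair would leave most of a larger file unrecoverable unless the key visibly repeats.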

The full list of known DJVU file extensions:

djvuu, uudjvu, blower, tfudet, promok, djvut, djvur, klope, charcl, doples, luces, luceq, chech, proden, drume, tronas, trosak, grovas, grovat, roland, refols, raldug, etols, guvara, browec, norvas, moresa, verasto, hrosas, kiratos, todarius, hofos, roldat, dutan, sarut, fedasot, forasom, berost, fordan, codnat, codnat1, bufas, dotmap, radman, ferosas, rectot, skymap, mogera, rezuc, stone, redmat, lanset, davda, poret, pidon, heroset, myskle, boston, muslat, gerosan, vesad, horon, neras, truke, dalle, lotep, nusar, litar, besub, cezor, lokas, godes, budak, vusad, herad, berosuce, gehad, gusau, madek, tocue, darus, lapoi, todar, dodoc, novasof, bopador, ntuseg, ndarod, access, format, nelasod, mogranos, nvetud, cosakos, kovasoh, lotej, prandel, zatrov, masok, brusaf, londec, kropun, londec

The list of STOP (DJVU) Ransomware.


About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.
