StopCrypt: Most widely distributed ransomware now evades detection

A new variant of StopCrypt ransomware was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools.
StopCrypt, also known as STOP Djvu, is the most widely distributed ransomware in existence that you rarely hear about.
While you constantly hear how big some ransomware operations are, such as LockBit, BlackCat, and Clop, you rarely hear security researchers discussing STOP. That is because this ransomware operation does not typically target businesses but rather consumers, hoping to generate tens of thousands small $400 to $1,000 ransom payments instead of one large multi-million-dollar demand.
The ransomware is commonly distributed via malvertising and shady sites distributing adware bundles disguised as free software, game cheats and software cracks.
When these programs are installed, the users become infected with a variety of malware, including password stealing trojans and STOP ransomware.
This leads infected users to desperately reach out to security researchers, ransomware experts, and our 807-page STOP ransomware forum topic to try and receive help.
Since its original release in 2018, the ransomware encryptor has not changed much, with new versions mostly released to fix critical problems.
For this reason, when a new STOP version is released, it bears watching due to the large number of people who will be affected by it.
SonicWall's threat research team has uncovered a new variant of the STOP ransomware in the wild that now utilizes a multi-stage execution mechanism.
Initially, the malware loads a seemingly unrelated DLL file, possibly as a diversion.
StopCrypt uses API calls for various operations, including taking snapshots of running processes to understand the environment in which it's operating.
The next stage involves process hollowing, where StopCrypt hijacks legitimate processes and injects its payload for discreet execution in memory.
Once the final payload is executed, a series of actions takes place to secure persistence for the ransomware, modify access control lists to deny users permission to delete important malware files and directories, and a scheduled task is created to execute the payload every five minutes.
It should be noted that there are hundreds of extensions related to the STOP ransomware as they change them often.
The evolution of StopCrypt into a more stealthy and powerful threat underscores a troubling trend in cybercrime.
Though StopCrypt's monetary demands aren't high and its operators do not perform data theft, the damage it can cause to many people could be significant.
New Bifrost malware for Linux mimics VMware domain for evasion.
LockBit ransomware secretly building next-gen encryptor before takedown.
New RustDoor macOS malware impersonates Visual Studio update.
Kasseika ransomware uses antivirus driver to kill other antiviruses.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 14 Mar 2024 21:00:04 +0000


Cyber News related to StopCrypt: Most widely distributed ransomware now evades detection

StopCrypt: Most widely distributed ransomware now evades detection - A new variant of StopCrypt ransomware was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. StopCrypt, also known as STOP Djvu, is the most widely distributed ransomware in existence that ...
9 months ago Bleepingcomputer.com
STOP ransomware, more common than LockBit, gains stealthier variant - StopCrypt, the most common ransomware family of 2023, has a new variant leveraging more advanced evasion tactics. StopCrypt, also known as STOP/DJVU, surpassed the LockBit ransomware family in detections in 2023, according to Trend Micro's 2023 ...
9 months ago Packetstormsecurity.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
11 months ago Feeds.fortinet.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
11 months ago Securityboulevard.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
11 months ago Unit42.paloaltonetworks.com
Cisco Talos Report: New Trends in Ransomware, Network Infrastructure Attacks, Commodity Loader Malware - The Cisco Talos Year in Review report released Tuesday highlights new trends in the cybersecurity threat landscape. We'll focus on three topics covered: the ransomware cybercriminal ecosystem, network infrastructure attacks and commodity loader ...
1 year ago Techrepublic.com
Top 10 Notorious Ransomware Gangs of 2023 - By employing a multitude of advanced techniques like double extortion along with other illicit tactics, ransomware groups are continually evolving at a rapid pace. Here below, we have mentioned all the types of ransomware used by the threat actors ...
11 months ago Cybersecuritynews.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
10 months ago Malwarebytes.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
1 year ago Helpnetsecurity.com
Ransomware Roundup - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the ...
11 months ago Feeds.fortinet.com
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
10 months ago Securityboulevard.com
VX-Underground malware collective framed by Phobos ransomware - A new Phobos ransomware variant frames the popular VX-Underground malware-sharing collective, indicating the group is behind attacks using the encryptor. Phobos launched in 2018 in what is believed to be a ransomware-as-a-service derived from the ...
1 year ago Bleepingcomputer.com
The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
1 year ago Bleepingcomputer.com
The Week in Ransomware - Today's column brings you two weeks of information on the latest ransomware attacks and research after we skipped last week's article. BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have ...
1 year ago Bleepingcomputer.com
The Evolving Landscape of Ransomware Attacks - 1.7 million ransomware attacks are happening every day. Many people think the virus has locked their computer, but it is actually the ransomware that has locked all their files. As the name ransomware suggests they are after ransom. Stealing or ...
11 months ago Cyberdefensemagazine.com
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
10 months ago Techrepublic.com
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
7 months ago Bleepingcomputer.com
Ransomware Roundup - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the ...
9 months ago Feeds.fortinet.com
Why It's More Important Than Ever to Align to The MITRE ATT&CK Framework - These missed attacks often stem from either hidden gaps in detection coverage - or due to alerts that got buried in a sea of noisy alerts and were never even pursued by the Security Operations Center team. In other words, we need to be able to report ...
1 year ago Cyberdefensemagazine.com
White House hosts Counter Ransomware Initiative summit, with a focus on not paying hackers - The third annual White House-led counter ransomware summit convening 48 countries, the European Union and Interpol launches in Washington today, featuring several new elements including a pledge from most member states not to pay ransoms and a ...
1 year ago Therecord.media
Ransomware review: January 2024 - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. In February, there were 376 ransomware victims, marking an unusually active month for the historically subdued time period. February didn't ...
9 months ago Malwarebytes.com
Dozens of countries will pledge to stop paying ransomware gangs - An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups. Addressing reporters on Monday, Anne Neuberger, ...
1 year ago Bleepingcomputer.com
Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
2 months ago Securelist.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)