A new variant of StopCrypt ransomware was spotted in the wild, employing a multi-stage execution process that uses shellcode to evade security tools.
StopCrypt, also known as STOP Djvu, is the most widely distributed ransomware in existence that you rarely hear about.
While you constantly hear how big some ransomware operations are, such as LockBit, BlackCat, and Clop, you rarely hear security researchers discussing STOP. That is because this ransomware operation does not typically target businesses but rather consumers, hoping to generate tens of thousands of small $400 to $1,000 ransom payments instead of one large multi-million-dollar demand.
The ransomware is commonly distributed via malvertising and shady sites distributing adware bundles disguised as free software, game cheats and software cracks.
When these programs are installed, the users become infected with a variety of malware, including password stealing trojans and STOP ransomware.
This leads infected users to desperately reach out to security researchers, ransomware experts, and our 807-page STOP ransomware forum topic to try and receive help.
Since its original release in 2018, the ransomware encryptor has not changed much, with new versions mostly released to fix critical problems.
For this reason, when a new STOP version is released, it bears watching due to the large number of people who will be affected by it.
SonicWall's threat research team has uncovered a new variant of the STOP ransomware in the wild that now utilizes a multi-stage execution mechanism.
Initially, the malware loads a seemingly unrelated DLL file, possibly as a diversion.
StopCrypt uses API calls for various operations, including taking snapshots of running processes to understand the environment in which it's operating.
The next stage involves process hollowing, where StopCrypt hijacks legitimate processes and injects its payload for discreet execution in memory.
Once the final payload is executed, it establishes persistence, modifies access control lists to deny users permission to delete its files and directories, and creates a scheduled task that executes the payload every five minutes.
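The persistence stage described above lends itself to a hunting check. The following is an added example, not code from the article or from SonicWall's analysis: it parses a Task Scheduler task definition (the XML that `schtasks /query /xml` exports and that security event ID 4698 records on task creation) for triggers that repeat every five minutes or less and launch a binary from a user-writable directory, and inspects a file's SDDL security descriptor for deny ACEs that strip the DELETE right. The task XML, paths and SDDL strings are constructed for the example; the five-minute threshold and the user-writable path list are assumptions, and the article does not say where on disk STOP places its files.

```python
"""Hunting helpers for the two persistence artifacts described above: a
scheduled task that re-launches a payload every few minutes from a
user-writable directory, and a DACL that denies users the right to delete
the payload's files. Added example, not code from the article or from
SonicWall; every input below is constructed, not captured from an infection."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Heuristic (assumption): directories an unprivileged user can write to. A
# five-minute task whose binary lives here deserves a look; one under
# \Windows\ usually does not.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def iso_duration_seconds(text):
    """Parse the ISO 8601 duration form Task Scheduler uses (PT5M, PT1H, P1D)."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return d * 86400 + h * 3600 + mi * 60 + s


def suspicious_tasks(task_xml, max_interval=300):
    """Return the Exec commands of a task definition whose trigger repeats at
    most every max_interval seconds and whose binary sits in a user-writable
    path. Only Repetition/Interval counts; Settings/RestartOnFailure/Interval
    is a different thing and is deliberately ignored."""
    root = ET.fromstring(task_xml)
    intervals = []
    for rep in root.iter(f"{TASK_NS}Repetition"):
        iv = rep.find(f"{TASK_NS}Interval")
        if iv is not None and iv.text:
            intervals.append(iso_duration_seconds(iv.text))
    if not intervals or min(intervals) > max_interval:
        return []
    fastest = min(intervals)
    hits = []
    for cmd in root.iter(f"{TASK_NS}Command"):
        raw = (cmd.text or "").strip().strip('"')
        if any(frag in raw.lower() for frag in USER_WRITABLE):
            hits.append({"command": raw, "interval_seconds": fastest})
    return hits


# SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
_ACE = re.compile(r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);"
                  r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]*)\)")
DELETE = 0x10000           # standard DELETE bit of a Windows access mask
FILE_DELETE_CHILD = 0x40   # right to delete entries inside a directory


def denies_delete(sddl):
    """Return the trustees (SID strings or SDDL aliases such as WD=Everyone)
    of access-denied ACEs in the DACL that remove delete rights, whether the
    rights are written as mnemonics (SD, DC, FA, GA) or as a hex mask."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        return []
    trustees = []
    for ace in _ACE.finditer(m.group(1)):
        if ace["type"] not in ("D", "OD"):   # access-denied / object-access-denied
            continue
        rights = ace["rights"]
        if rights.lower().startswith("0x"):
            denied = bool(int(rights, 16) & (DELETE | FILE_DELETE_CHILD))
        else:
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            denied = bool(tokens & {"SD", "DC", "FA", "GA"})
        if denied:
            trustees.append(ace["sid"])
    return trustees


# Constructed samples (not real STOP artifacts). Raw strings keep the backslashes.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-03-14T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Local\constructed-dir\payload.exe</Command><Arguments>--Task</Arguments></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\sc.exe</Command><Arguments>start w32time task_started</Arguments></Exec>
  </Actions>
</Task>"""

# Deny-delete for Everyone (WD) on the payload directory, vs. a normal DACL.
PAYLOAD_ACL = "O:BAG:SYD:PAI(D;OICI;SDDC;;;WD)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
CLEAN_ACL = "O:BAG:SYD:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"

if __name__ == "__main__":
    for name, xml in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, suspicious_tasks(xml))
    print("deny-delete trustees:", denies_delete(PAYLOAD_ACL), denies_delete(CLEAN_ACL))
```

On a live host, the task XML comes from `schtasks /query /xml /tn <name>` or the TaskContent field of event 4698, and the SDDL from `Get-Acl <path> | Select-Object -ExpandProperty Sddl`; a deny ACE that strips DELETE from Everyone on a directory under AppData is itself a strong signal, since legitimate software almost never writes one.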
It should be noted that hundreds of file extensions are associated with STOP ransomware, as the operators frequently change the extension appended to encrypted files.
The evolution of StopCrypt into a more stealthy and powerful threat underscores a troubling trend in cybercrime.
Though StopCrypt's monetary demands aren't high and its operators do not perform data theft, the damage it can cause to many people could be significant.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 14 Mar 2024 21:00:04 +0000