STOP/Djvu Ransomware

STOP/Djvu: Widespread Ransomware Targeting Windows Users Through Pirated Software

STOP/Djvu is a Windows ransomware strain that emerged around 2018 and has since infected hundreds of thousands of users globally, mostly by masquerading as cracked software or pirated tools. It encrypts user files using a combination of AES and RSA algorithms, appends custom extensions, and demands a ransom payment in cryptocurrency. Unlike targeted ransomware used in corporate breaches, STOP/Djvu is aimed primarily at home users and small businesses with weak defenses.

Introduction to STOP/Djvu

The STOP/Djvu family spreads almost entirely through unofficial software downloads, often pretending to be keygens, game cracks, or system utilities. Once installed, it silently encrypts files and drops a _readme.txt ransom note, instructing users to contact the attacker for payment instructions. Multiple variants exist, typically differentiated by the extension added to encrypted files (e.g., .djvu, .makop, .gero, .meka).

---

1. How STOP/Djvu Works

Infection Mechanism:
STOP/Djvu is delivered through:

• Cracked software and game torrents
• Fake installers or keygens promoted via malvertising
• Bundled with other malware like info-stealers or loaders (e.g., Amadey or Smoke Loader)

Payload Execution:
Once executed, the ransomware:

• Encrypts files on the system using AES-256, then encrypts the key with RSA
• Adds a custom extension to each encrypted file (variant-specific)
• Drops a ransom note named _readme.txt in each affected folder
• Contacts a command-and-control server if online, or defaults to offline encryption using a hardcoded key
• Sometimes disables Windows Defender and related protections

---

2. History and Notable Campaigns

Origin and Discovery:
The STOP ransomware family first appeared in 2018, with Djvu becoming the dominant variant in subsequent years. It's widely attributed to low-level criminal operations focused on mass infection rather than targeted extortion.

Notable Campaigns:

• Over 600 known variants with unique extensions
• Most infections tied to software piracy websites and fake crack portals
• In many cases, victims unknowingly also install RedLine Stealer or LummaC2 alongside the ransomware

---

3. Targets and Impact

Targeted Victims and Sectors:

• Home users downloading software from unofficial sources
• Small businesses with poor endpoint protection
• Victims typically in developing regions, though infections are global

Consequences:

• Loss of access to personal files, photos, documents
• Ransom demands ranging from $490 to $980, often with "discounts" for quick payment
• Inability to recover data without a working decryption key (for online variants)
• Risk of additional malware on the same system

---

4. Technical Details

Payload Capabilities:

• Encrypts user files and appends unique extension
• Targets a wide range of file types: .doc, .jpg, .pdf, .zip, .db, and more
• Drops _readme.txt with ransom instructions and contact email
• Connects to a C2 server to get a unique RSA key (if online)
• If offline, uses one of several known hardcoded keys

Evasion Techniques:

• May disable or bypass Windows Defender
• Uses code obfuscation to avoid basic detection
• Often bundled in a multi-payload installer with a stealer or loader
• Installs silently and starts encryption without user interaction

---

5. Preventing STOP/Djvu Infections

Best Practices:

• Avoid downloading software from pirated or unofficial sources
• Always verify installers and use digital signatures where available
• Keep Windows and security software fully updated
• Disable script execution in unknown files
• Maintain regular offline backups of important data

Recommended Security Tools:

• Antivirus with ransomware behavior detection
• Application control solutions to block unknown executables
• Endpoint protection with file encryption monitoring
• Browser security extensions to block malicious ads and redirects

---

6. Detecting and Removing STOP/Djvu

Indicators of Compromise (IoCs):

• Files renamed with unknown extensions like .gero, .meka, .npsk, etc.
• Presence of _readme.txt ransom notes in multiple directories
• Unexpected CPU or disk usage, especially during encryption
• Outbound traffic to C2 servers or TOR addresses

Removal Steps:

1. Disconnect the device from the internet
2. Use a reputable antivirus tool to remove the ransomware payload
3. Attempt recovery with STOP/Djvu decryptors from vendors like Emsisoft (only for offline keys)
4. Restore files from a clean backup if available
5. Wipe and reinstall system if no backups or decryption options exist

Professional Help:
Victims who lack backups and cannot use a decryptor may require data recovery professionals or incident response — though full recovery without paying the ransom is often impossible for online variants.

---

7. Response to a STOP/Djvu Infection

Immediate Steps:

• Power off the machine or disconnect from networks to halt spread
• Identify the variant based on the file extension
• Locate the ransom note and review its contents
• Avoid paying the ransom — there’s no guarantee of decryption
• Restore from backup or seek help from a security vendor or recovery service

---

8. Legal and Ethical Implications

Legal Considerations:
Ransomware attacks may trigger data protection laws and reporting requirements, particularly if business data or PII is affected. Paying ransoms may also violate regulations depending on the country and threat actor's status.

Ethical Considerations:
Paying the ransom encourages future attacks and supports criminal activity. Victims should consider reporting to law enforcement and using non-payment recovery paths when possible.

---

9. Resources and References

• Emsisoft: STOP/Djvu Decryptor Tool
• ID Ransomware: Ransomware variant identification service
• Kaspersky No Ransom: Free Ransomware Decryptors
• Branddefense: Stop/Djvu Ransomware Technical Analysis (PDF)
• Kaspersky Blog: Encrypting the encrypted: Zorab Trojan in STOP decryptor (Cybercriminals distributing ransomware disguised as a tool for decrypting files encrypted by the STOP malware.)
• MITRE ATT&CK Techniques:
  • T1486 (Data Encrypted for Impact)
  • T1204.002 (User Execution: Malicious File)
  • T1059 (Command and Scripting Interpreter)
  • T1566.001 (Phishing: Attachment)

---

10. FAQs about STOP/Djvu

Q: What is STOP/Djvu ransomware?
A ransomware family that encrypts files on Windows PCs, mostly spread through pirated software downloads.

Q: What file extensions does it use?
Varies by variant — examples include .djvu, .gero, .meka, .npsk, and many more.

Q: Can I recover my files?
If infected with an offline variant, some files may be decryptable using public tools. Online variants usually require the attacker’s private key.

Q: Should I pay the ransom?
Paying is not recommended. There’s no guarantee you’ll get your files back, and it funds criminal operations.

---

11. Conclusion

STOP/Djvu continues to be one of the most prevalent ransomware families affecting individual users. Its reliance on software piracy for distribution and its deceptive tactics make it particularly effective at reaching vulnerable systems. The best defenses are caution, regular backups, and avoiding suspicious downloads — because once this ransomware strikes, recovery is often out of reach without a solid backup or decryptor.

 

 

« Back to the Virus Information Library

« Back to the Security Center