The Center noted the widespread prevalence of STOP / Djvu ransomware nationwide by investigating recent ransomware attacks. The ransomware uses the AES-256 algorithm to encrypt the files and requests between $ 1 and $ 2 ( bitcoin ) as ransom for the victim. The STOP ransomware was first seen late in the year, and Djvu is a newer version that looks similar to STOP and is now known as STOP / Djvu.

The STOP / Djvu ransom communicates with its C&C server as soon as it runs on the victim’s system and encrypts the files with an online key and uses the offline method to encrypt files if it fails for any reason. he does.

So far, a limit number of offline versions of STOP / Djvu ransomware have been decrypt under certain circumstances, but as developers of the ransomware change their style in the newer versions and use an asymmetric encryption algorithm, they are now encrypt with STOP files. / Djvu won’t be decode without the private key of the developer of the ransomware.

The ransomware uses a variety of methods, such as spam attachments, infected Windows crackers and Office products, fake drivers and updates, and exploits the RDP protocol to infiltrate and propagate itself to the victim system.

Experts say ransomware attacks such as STOP / Djvu, which is the predominant hunt for home users, have increased in the past month.

The main reasons for computers being infected are clicking on infected links, downloading malicious executables, crackers and activating software, and infected macros in Adobe and Office product files with pdf, doc, ppt extensions, and more. Tips that users can take to prevent PCs from being infected and to reduce the damage caused by ransomware attacks are:

• Back up your valuable information and keep it offline;
• Avoid suspicious messages in a variety of environments, including email, messengers and social networks ;
• Avoid downloading executable files from anonymous sources, especially crack software, including Windows activators and Office products;
• Make sure the operating system and antivirus are up to date. In many cases, antivirals are unable to detect when ransomware is installed. The reason for this is the increasing use of RaaS among today’s ransomware. The concept of RaaS, or “ransomware as a service,” is used when providing an attack platform, namely malicious files and a communications platform, and a wide range of low-knowledge attackers, with new and customized file types that no antivirus has seen so far. Is attacking;
• Always pay attention to the symptoms of ransomware contamination, such as changing the password of files, ransomware,
• drastically reducing the operating system speed, and so on, and if you see suspected contamination, consult a qualified consultant before taking any action.

STOP Djvu Ransomware Description

The STOP ransomware family, also denominated the STOP Djvu Ransomware family, is a threatening piece of malware.

The STOP Djvu is just one of the multiple threats that share common characteristics and originate from the STOP ransomware,

even though some of their methods to affect file types and encrypt file extensions differ.

The original STOP Ransomware was spotted by security researchers as early as February 2018.

However,

since then it has evolved, and its family of clones and offshoots has grown. The primary method of distribution of the STOP ransomware was spam email campaigns using corrupted attachments.

The STOP Djvu ransomware performs in a way similar to other ransomware threats of its kind, encrypting and blocking access to key files users may be utilizing in their system.

Personal files, pictures, documents and more can be encrypted and essentially disabled for all users on the machine.

STOP Djvu ransomware was first spotted back in December 2018

in what appeared to be a pretty successful campaign of infection online.

Researchers were unaware of the way the ransomware spread,

but later victims reported they were discovering infections after they were downloading keygens or cracks.

Once the infiltration occurs, STOP Djvu ransomware changes the Windows settings,

appending files with a range of names,

such as .djvu, .djvus, .djvuu, .uudjvu, .udjvu or .djvuq and the recent .promorad and .promock extensions.

The newer versions don’t have a decryptor yet, but the older ones can be decrypt using the STOPDecrypter. Users are advise to avoid paying any ransom, no matter what.

The method used to block access to the files uses the RSA encryption algorithm. Although the decryption of the files may seem hard for inexperienced users, there is definitely no need to make any effort to pay the people behind the threat. False promises are usually give in such situations, so users may quickly find out they are ignore once payments were made.

Attacks of the STOP Djvu ransomware were first reported in late 2018. The main method of distribution for the STOP Djvu remained spam emails and tweaks to the core of the ransomware were relatively minor.

The majority of fake, compromise attachments uses in the spam emails were macro-enable office documents or fake PDF files that would run the ransomware without the victim’s knowledge.

The behavior of the STOP Djvu has not change much either – the ransomware still deleting all the Shadow Volume snapshots to get rid of backups, then starts encrypting the victim’s files.

There are minor changes to the ransom note, which is save as ‘_openme.txt’ to the victim’s desktop. The text of the ransom note can be found here:

’[ransom note start]
———————— ALL YOUR FILES ARE ENCRYPTED ————————

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypt with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.

——————————————————————————————————-

To get this software you need write on our e-mail:
helpshadow@india.com

Reserve e-mail address to contact us:
helpshadow@firemail.cc

Your personal ID: [string]
[ransom note end]’

The ransomware limited itself to renaming the encrypted files with the .djvu extension originally, which was a curious choice because .djvu is actually a legitimate file format developed by the AT&T Labs and used for storing scanned documents, somewhat similar to the Adobe’s .pdf.

Later versions of the ransomware adopted a series of other extensions for encrypted files,

including ‘.chech,’ ‘.luceq,’ ‘.kroput1,’ ‘.charck,’ ‘.kropun,,’ .luces,’ ‘.pulsar1,’ ‘.uudjvu,’ ‘.djvur,’ ‘.tfude,’ ‘.tfudeq’ and ‘.tfudet’.

Certain strains of the STOP Djvu ransomware can be decrypt for free, using the so-call ‘STOPDecrypter’

that was develop by the security researcher Michael Gillespie and is available online as a free download.

Security Doesn’t Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program,

including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:

• Use an alternative browser. Malware may disable your browser. If you’re using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
• Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive,
• DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter’s malware scanner.
• Start Windows in Safe Mode. If you can not access your Window’s desktop, reboot your computer in “Safe Mode with Networking” and install SpyHunter in Safe Mode.
• IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.