When 2017’s WannaCry ransomware attacks made mainstream headline news, it might have seemed like ransomware was a problem mainly for organizations behind on their patching. The landscape has shifted dramatically since then, however, and ransomware is now an “everyone, all the time” problem. As a result, ransomware groups have cropped up that primarily target individuals, and STOP ransomware is one of the most prolific of them.
Because one of the first iterations of STOP ransomware appended the .DJVU extension to encrypted personal files, the moniker STOP/DJVU was born. There is a long (and still growing) list of STOP/DJVU variants, each with its own extension, including .bbil and .rrcc. A 2021 BitDefender report named STOP/DJVU the second most detected ransomware in a list of more than 222 ransomware variants.
STOP/DJVU ransomware targets Windows computers and often gains access through compromised software downloads, whether pirated software or a software crack. More recently, the STOP ransomware gang has begun targeting Discord users by inviting them to download tainted software. Additionally, STOP/DJVU is sometimes bundled with malware that targets identity information.
When a user installs ransomware-compromised software, the malware recurses through files and directories in search of user-generated data to encrypt; the desired targets include user data like Microsoft Office documents, photos, videos, music, PDFs, and databases on Windows computers.
STOP/DJVU ransomware selectively encrypts this user data on Windows computers and leaves system .dll files and system directories alone. Additionally, it encrypts only the first 5 MB of each file and then renames the “ransomed” files with the extension of that particular variant.
In crypto-ransomware attacks, the desired state is for a system to be operable enough for the victim to find their altered files and a ransom note demanding payment. STOP/DJVU’s _readme.txt ransom note demands $980 to decrypt files, with a 50% discount for acting within the first three days.
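The two paragraphs above describe three artefacts a responder can look for on a copy of a victim's files: the _readme.txt note, the renamed files carrying a variant extension, and a file whose first 5 MB is ciphertext while the rest is still plaintext. The following Python triage script is an added example written for this article, not code from the article or from any vendor tool; the entropy thresholds and the sample filenames are assumptions.

```python
import math
from pathlib import Path

# Variant extensions and the ransom-note filename named in this article.
STOP_EXTENSIONS = {".djvu", ".bbil", ".rrcc"}
RANSOM_NOTE = "_readme.txt"
HEAD_BYTES = 5 * 1024 * 1024  # the article states only the first 5 MB of each file is encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below that for text and office files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_file(name: str, data: bytes, head_bytes: int = HEAD_BYTES) -> dict:
    """Check one file for the three artefacts the article describes: the _readme.txt
    note, a renamed file carrying a variant extension, and a high-entropy head over a
    plaintext tail. Thresholds (7.5 / 6.0 bits) are assumed, not from the article; a
    compressed file (jpg, zip) shorter than head_bytes also trips the entropy check,
    so treat that indicator as supporting evidence next to the other two."""
    path = Path(name)
    renamed = path.suffix.lower() in STOP_EXTENSIONS
    head, tail = data[:head_bytes], data[head_bytes:]
    head_encrypted = shannon_entropy(head) > 7.5
    tail_plaintext = shannon_entropy(tail) < 6.0 if tail else True
    return {
        "ransom_note": path.name == RANSOM_NOTE,
        "variant_extension": renamed,
        "original_name": path.stem if renamed else path.name,  # photo.jpg.bbil -> photo.jpg
        "encrypted_head": head_encrypted and tail_plaintext,
    }

def triage_directory(root: str, head_bytes: int = HEAD_BYTES) -> list:
    """Walk a copy of the victim's user profile and list files showing any indicator.
    Only the head plus a 64 KB slice of the tail is read, which is enough for the check."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as f:
            data = f.read(head_bytes + 65536)
        result = classify_file(path.name, data, head_bytes)
        if result["ransom_note"] or result["variant_extension"] or result["encrypted_head"]:
            hits.append((str(path), result))
    return hits
```

Run `triage_directory` against a mounted image or offline copy of the user profile rather than the live infected machine, so the scan does not touch files the malware may still be writing.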
Crypto-ransomware exploits asymmetric public-key cryptography. Instead of using a private key that stays with the user to ensure message integrity and confidentiality, STOP/DJVU uses the key pair to lock users out of their data and tries to force them to pay for the private key that decrypts it.
How To Recover from STOP/DJVU
If you have a backup of your important user data, the most desirable option is to wipe your device and restore those files to a fresh install of Windows. STOP/DJVU ransomware sometimes installs additional malware to steal sensitive data, and a clean install of Windows eliminates that malware as well.
STOP/DJVU variants from 2019 encrypted data with an offline key. Fortunately, this meant that a private key recovered from one attack could subsequently decrypt the data of countless other victims whose files had been encrypted with that same key.
By exploiting STOP’s private-key reuse in these attacks, Michael Gillespie of Emsisoft created an open-source decryptor tool to counter STOP/DJVU encryption. Unfortunately, newer variants encrypt with a unique key for each attack, and the decryptor tool won’t help against them; in those cases, obtaining someone else’s private key won’t decrypt your data, or anyone else’s.
Like anything cybersecurity related, good cyber hygiene goes a long way toward prevention. Downloading software cracks or pirated software has always been risky, but ransomware groups have become more sophisticated at packaging their payloads to evade signature-based detection. Increasingly, backing up essential data to the cloud or other external locations has become imperative to keeping data safe.