STOP ransomware, more prevalent than LockBit, gains stealthier variant – Cyber Tech
StopCrypt, the most common ransomware family of 2023, has a new variant that leverages more advanced evasion tactics.
StopCrypt, also known as STOP/DJVU, surpassed the LockBit ransomware family in detections in 2023, according to Trend Micro’s 2023 Annual Cybersecurity Report published last week. STOP typically goes after smaller victims, with an average ransom payment of $619 in the first half of 2023, according to a mid-year report by Chainalysis.
SonicWall reported Tuesday that a new StopCrypt variant employs several evasion tactics in a multi-stage shellcode deployment process, including a long delay loop, dynamic API resolution and process hollowing, the replacement of the code of a legitimate executable with malicious code.
‘Msjd’ StopCrypt ransomware attempts to dodge anti-virus protection
The StopCrypt variant studied by SonicWall’s Capture Labs begins its stealth routine by copying the same data to a location more than 65 million times in a delay loop, likely meant to outlast time-limited anti-virus mechanisms such as sandboxing.
It then employs several stages of dynamic API resolution, calling APIs at runtime rather than linking them directly. This avoids the artifacts, such as import-table entries, that statically linked API calls would leave in the malware code for anti-virus scanners to find.
After taking a snapshot of the current processes using CreateToolhelp32Snapshot, extracting information using Module32First, and calling VirtualAlloc to allocate memory with read, write and execute permissions, the malware enters a second stage in which it dynamically resolves and calls further APIs to perform process hollowing.
Ntdll_NtWriteVirtualMemory is used to write malicious code into a suspended process created with kernel32_CreateProcessA.
When the suspended process is resumed, the final ransomware payload launches icacls.exe to modify access control lists so that a new directory and the files StopCrypt creates in it can no longer be modified or deleted. The ransomware then encrypts the user’s files and appends the extension “.msjd”.
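The chain above (a process created suspended, written into from another process, resumed, and then spawning icacls.exe with a deny rule) is the kind of sequence a defender can correlate in endpoint telemetry. The following is an added illustration, not code from SonicWall, Trend Micro or the article: a small Python correlator that runs over constructed, vendor-neutral event lines (the JSON schema, process IDs, paths and the repeated-write threshold are all assumptions) and reports how far the hollowing chain progressed, plus a crude heuristic for the repeated-copy delay loop described earlier.

```python
import json
from collections import Counter

# Constructed sample telemetry, not output of any real EDR product. One JSON
# object per line; "pid" is the acting process, "target_pid" the process acted on.
# Events 1-9 model the StopCrypt chain; events 10-11 are a benign suspended
# start with no remote write, which must not be flagged.
SAMPLE_EVENTS = r"""
{"ts": 1, "type": "process_create", "pid": 4100, "ppid": 3000, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe", "cmdline": "upd.exe", "flags": []}
{"ts": 2, "type": "file_write", "pid": 4100, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe.tmp"}
{"ts": 3, "type": "file_write", "pid": 4100, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe.tmp"}
{"ts": 4, "type": "file_write", "pid": 4100, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe.tmp"}
{"ts": 5, "type": "file_write", "pid": 4100, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe.tmp"}
{"ts": 6, "type": "process_create", "pid": 4200, "ppid": 4100, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe", "cmdline": "upd.exe", "flags": ["CREATE_SUSPENDED"]}
{"ts": 7, "type": "remote_write", "pid": 4100, "target_pid": 4200, "bytes": 40960}
{"ts": 8, "type": "thread_resume", "pid": 4100, "target_pid": 4200}
{"ts": 9, "type": "process_create", "pid": 4300, "ppid": 4200, "image": "C:\\Windows\\System32\\icacls.exe", "cmdline": "icacls \"C:\\Users\\u\\AppData\\Local\\abc\" /deny *S-1-1-0:(OI)(CI)(DE,DC)", "flags": []}
{"ts": 10, "type": "process_create", "pid": 5000, "ppid": 600, "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "flags": ["CREATE_SUSPENDED"]}
{"ts": 11, "type": "thread_resume", "pid": 600, "target_pid": 5000}
"""

# Assumed threshold for the sample only; a real rule would set a far higher bar
# (the article reports more than 65 million copies) to avoid noisy installers.
REPEAT_WRITE_THRESHOLD = 3


def parse_events(text):
    """Parse one JSON event per non-empty line and order them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_hollowing_chains(events):
    """Correlate: created suspended -> remote write -> resumed -> icacls /deny.

    A finding is raised only once a process that was created suspended and
    received a write from a different process is resumed. The "stages" list
    records how far the chain got, so a suspended start without injection
    (a normal debugger or service pattern) produces nothing.
    """
    suspended = {}   # target pid -> the process_create event that made it
    written = {}     # suspended pid -> pid that wrote into it
    findings = {}    # hollowed pid -> finding
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and "CREATE_SUSPENDED" in ev.get("flags", []):
            suspended[ev["pid"]] = ev
        elif kind == "remote_write" and ev["target_pid"] in suspended and ev["pid"] != ev["target_pid"]:
            written[ev["target_pid"]] = ev["pid"]
        elif kind == "thread_resume" and ev["target_pid"] in written:
            pid = ev["target_pid"]
            findings[pid] = {
                "hollowed_pid": pid,
                "injector_pid": written[pid],
                "image": suspended[pid]["image"],
                "stages": ["created_suspended", "remote_write", "resumed"],
            }
        elif kind == "process_create" and ev["ppid"] in findings:
            # The hollowed process spawning icacls with a deny rule matches the
            # ACL lock-down step the article describes.
            if ev["image"].lower().endswith("icacls.exe") and "/deny" in ev.get("cmdline", "").lower():
                findings[ev["ppid"]]["stages"].append("icacls_deny")
    return list(findings.values())


def find_repeated_self_writes(events, threshold=REPEAT_WRITE_THRESHOLD):
    """Flag a process that writes the same path over and over (delay-loop heuristic)."""
    counts = Counter((ev["pid"], ev["path"]) for ev in events if ev["type"] == "file_write")
    return [{"pid": pid, "path": path, "count": n}
            for (pid, path), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for finding in find_hollowing_chains(evs) + find_repeated_self_writes(evs):
        print(finding)
```

The correlator keys on behaviour rather than on strings from the sample, so it is indifferent to the dynamic API resolution the variant uses: whichever way the malware reaches NtWriteVirtualMemory or CreateProcessA, the telemetry still shows a write into a suspended process followed by a resume. The delay-loop heuristic is deliberately coarse; in practice it would be paired with the sandbox extending its observation window rather than used alone.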
The ransom note found in the variant studied by SonicWall includes a demand for $980, with a “discount” offer of $490 if the victim contacts the threat actor within 72 hours.
The STOP variant described by SonicWall bears similarities to a variant discovered by PCrisk researchers last year, which was originally submitted to VirusTotal. Similarities include the “.msjd” file extension and the ransom note, including the threat actor’s contact information.
