STOP (DJVU) Ransomware Family

Tomas Meskauskas
Aug 22, 2019 · 6 min read

STOP, Puma, DJVU, Drume, and StopData are merely a few names given to a ransomware family that has proved to be a thorn in the side of system administrators and security researchers alike. To compound the problem further the family has issued numerous extensions to illustrate encrypted files. The following is a small list, by no means is it complete, here are a number of extensions used by the malware operators when encrypting files: .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, prandel, .zatrov, .masok, .brusaf, londec, .krusop, .mtogas, .masodas and over 150 other extensions.

The sheer number of extensions used adds an added level of difficulty in combatting the infection. For users, it becomes difficult to find out exactly what ransomware they are infected with. This obviously impacts negatively on remediation. Another factor which makes combatting the family more difficult is the lack of information and analysis about the family. When the WannaCry ransomware struck it made international headlines despite the infection window, while being incredibly virulent due to the incorporation of a worm-like module, was short.

The STOP family has been operating with a fair amount of stealth and impunity for several years. Typically it is distributed in shorter campaigns then disappears for a bit, then infections will spike sometime in the future when a new campaign begins. Such tactics have helped malware operators remain under the radar, only been discovered when it is too late. The article which follows looks to do a deeper dive into the history of the ransomware family and what to do if infected. Luckily due to the hard work of security researchers like Michael Gillespie and others, free decryptors have been published to help those whose files have been illegally encrypted.

A Less Than Illustrious History

The ransomware was discovered by Marcelo Rivero who subsequently posted his findings on Twitter. Another early mention of the ransomware family that could be found occurred in 2016 with a security firm warning users who used a certain Windows activator that a false pretender to the activator throne was actively been circulated. The fake activator, it was feared, was distributing ransomware. The ransomware in question used the .domino extension. This may have been the father to the family we now know as STOP. Infections continued to trickle in but this period may be when the developers of the malware will still planning out their evil empire.

Screenshot of file encrypted by ransomware from STOP/Djvu family:

file encrypted by Stop/Djvu ransomware
file encrypted by Stop/Djvu ransomware

Towards the end of 2018 another security firm was detecting a new campaign of the STOP ransomware. Again the ransomware was distributed via a Windows activator. In this instance the extension used was .KEYPASS. While there was some doubt as to whether the previous attack was a prototype STOP variant, it was now becoming clearer to security researchers that they were probably dealing with a family. There were too many similarities to the previous variant to ignore, from the distribution method. .KEYPASS was spread by exploiting the same activator as in the previous attack. Researchers were able to uncover more information regarding the specifics of the ransomware family. The ransomware only processes the first 0x500000 bytes of the file and would proceed no further with the encryption on larger files. This would help researchers later be able to decrypt encrypted files. Further, the ransomware used an AES encryption algorithm, commonly used in ransomware development.

Screenshot of a ransom demanding message:

stop/djvu ransom demanding message
stop/djvu ransom demanding message

Even with the possibility of decryption, it would take hours of work to do so. That’s not even considering the technical nature of the work involved, which would be beyond the vast majority of users. Despite the chance of researchers been able to decrypt files encrypted, this did not slow down those behind the infections. In January of this year, more instances and detections of STOP were found. This time the attackers changed tactics, very slightly. Rather than using a popular Windows activator to trick users into downloading and installing the malware, now the attackers choose to lure victims wanting to download cracked software other than a Windows activator. In the space of a month, over 300 detections were reported, but this only includes reported cases. The number may have been far higher. This campaign included targeting those looking for a free version of Photoshop and Cubase. A few days before the ransomware family in question was seen been distributed along with an adware bundle in much the same way as mentioned above.

This time the infection was so virulent that help forums were set up to help victims in any way possible to recover the files that were lost, without having to pay the ransom to the perpetrators. One such forum has come to be a savior for many who have fallen victim to any number of the variants seen above. The forum further provides victims and those assisting victims with information on which extensions can be decrypted as well as which free decryptor should be used.

Another option to those infected is to follow one of the many removal guides available online. There are few really good resources available to those infected with one of the variants of STOP. Such resources also cater to other malware types be they banking Trojans, adware, or spyware. Such platforms have become a vital weapon in any body’s arsenal to counter malware infections.

Backup Data on Repeat

When dealing with ransomware not been infected is the ideal. While users can adopt best practices, ensure that software is regularly kept up to date, and have a reputable anti-virus package a ransomware infection can still occur, although admittedly the likelihood of such an event is drastically reduced. Data can be protected from encryption by making regular backups, however, some ransomware variants can also target backups in its encryption process. Does the question then become how to make backups immune from infection?

This is not an impossible task but does require adopting some good habits concerning backups. Ideally, backups should be done daily with at least two sets of backups done per system. This means that there must be enough storage on the device to do this. Automated backups can go a long way in helping users and employees backup data but it is important to remember that backups done to a centralized network destination are not free from potentially been infected with ransomware. External devices, like an external hard drive, are also not immune to infection. If the external hard drive is connected to the system it to can be infected, potentially rendering any daily backups useless.

While it is important to backup daily, and do the process on repeat there are a few other steps admins can take to ensure backups cannot be infected. The first of these is to unmount the backup drives. This can be done by typing “mountvol” in the administrative command line. Once a drive is unmounted it is no longer assigned a drive letter and is not viewable. The backup drive can then be mounted once the backup is run so it can be mounted, and then unmounted again after the backup is completed. Sophisticated ransomware variants may be able to bypass this procedure by scanning for all drives using “mountvol”. However, such sophistication is rare.

Another way to protect the drives backups are stored upon is set up the drive as read-only. This works as ransomware needs to be able to both read a disk and write permissions to the disk to successfully encrypt files held on the drive. If the disk is read-only. Any attempt to change a file, whether it’s renaming, encrypting, or overwriting it, will be denied by the operating system. Like with the other countermeasures listed above ransomware can issue the relevant commands to turn a read-only disk writable again. That been said such ransomware will require added levels of sophistication which is rarely seen. Cyber threat actors look to maximize profits with the least amount of effort. Including extra code which may fail is often not worth the effort. The above countermeasures are just a few measures that could be taken, and those only pertain to hard drives. There are many more measures that can be taken to better secure data, not just against ransomware but numerous other malware types.


Ransomware has become one of the most feared malware types. The fear may be justified as important data essential to company operations, or a lifetime of family memories can be lost. However, as has been seen there is hope with hard-working security researchers creating free decryptors or providing free removal guides to assist victims. With all the resources at people’s fingertips on how to prevent or remove an infection the fear of ransomware and the myth surrounding aspects of it can hopefully be put to bed.

Tomas Meskauskas

Written by

Internet security expert, editor of website, co-founder of Mac anti-malware application Combo Cleaner.

More From Medium

Also tagged Backup

Also tagged Backup

Top on Medium

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade