StopCrypt: Most Widely Distributed Ransomware Now Evades Detection

StopCrypt (aka STOP) ransomware, known to be one of the most widely distributed ransomware strains in circulation, has recently been updated to evade security tools. The development comes after SonicWall’s threat team uncovered a new variant of STOP that now employs a multi-stage execution process to bypass defenses. Researchers note that during its initial execution, the new strain creates an unrelated DLL file and runs a series of time-delayed loops in which the same data is repeatedly copied to a location. The DLL file appears to be a diversion, while the loops are most likely intended to outlast time-limited sandboxes and other time-sensitive security mechanisms.

The next stage of execution involves constructing API calls dynamically at runtime; these are used for operations such as taking a snapshot of the processes running in the victim’s environment for reconnaissance. Researchers note that resolving APIs dynamically rather than calling them directly makes detection more difficult. Using these API calls, STOP then performs process hollowing (a technique for evading process-based defenses) to inject its payload into the memory of a legitimate system process and execute it there. Once the payload is running, a series of steps is carried out to ensure persistence and a successful operation: access control lists (ACLs) are modified to deny users permission to delete important malware files and directories, and scheduled tasks are created to execute the payload every five minutes.

Security Officer Comments:
STOP ransomware began operating in 2018. Unlike other notorious ransomware groups like LockBit or BlackCat, which target businesses and large corporations, the actors behind STOP typically go after consumers, demanding small ransom payments of between $400 and $1000. This approach of targeting consumers and demanding small ransoms has enabled STOP ransomware to operate under the radar for the last couple of years while still generating millions of dollars. Since 2018, several versions of STOP ransomware have been released. Notably, no significant updates were made to the strain until recently, with the developers mainly fixing critical problems. The introduction of a new, stealthier version of STOP ransomware will enable operators of the strain to launch more successful attacks and rake in additional funds.

Suggested Corrections:
STOP ransomware is typically distributed via shady sites hosting downloads for free software, game cheats, and software cracks. With the help of Google ads, the actors behind the operation have been able to drive more traffic to these sites and infect unsuspecting users. Given the success rate of this method, end users should avoid using pirated software and initiating downloads from third-party sites. When looking for a particular piece of software, it is also important to avoid Google results labeled as “sponsored” and to go to the official vendor’s site instead.