Websites offering cracked versions of popular software programs have recently been serving up adware bundles that secretly deliver a variant of STOP ransomware.
According to a pair of reports from Bleeping Computer founder Lawrence Abrams, the scheme came to light in December 2018 with the appearance of the malicious encryptor "Djvu" – so named because it appends one of several .djvu string variations to affected files as an extension. Determined to be a member of the STOP family, Djvu later morphed into other minor variants that appended different extensions, including. tco and .rumba.
Bleeping Computer pinpointed the attack vector after user discussions in its forums and other sites revealed a common denominator: victims were infected after visiting one of several websites where they downloaded cracked versions of software products, including Microsoft Windows-based programs, Cubase, Adobe Photoshop, antivirus software and more.
The malware wasn't hidden in the cracked software itself, but rather in the adware bundle accompanying the software as a means of generating revenue. This is likely the consequence of a bundler "turning a blind eye" toward the ransomware, Abrams wrote.
Djvu consists of four separate components that collectively serve to fool and frustrate the victim. Aided by these components, the ransomware disables Windows Defender functionality (including real-time monitoring) to facilitate the infection, and displays a fake Windows update screen to distract users during the encryption process. It also adds numerous security sites and download sites to the Windows HOSTS file to prevent victims from connecting to them for help, Bleeping Computer reports.
In the sample cited in the report, Djvu generated a note demanding a ransom payment of $980 in return for the decryption key, offering a 50 percent discount if the victim pays within the first 72 hours. But there may be a better option, as a STOP decryptor is available.