The new strain of STOP ransomware also downloads and installs Azorult, an info-stealing trojan capable of harvesting highly sensitive data
Security researchers have observed STOP ransomware downloading and installing the Azorult password-stealing trojan. The combined payload not only locks personal files on victims' machines but also steals sensitive data such as crypto-wallet information, every password stored on the computer, account details, and more.
STOP ransomware is currently one of the most prevalent file-locking threats, with strains such as Djvu, Keypass, and others appearing regularly. Many of its variants can be decrypted, but each new strain gives the criminals a fresh chance of extracting a ransom payment.
Azorult, on the other hand, operates stealthily: it harvests cryptocurrency wallets, browser history, messaging-app history, and a variety of credentials, then sends them to a remote C&C server. It was first spotted in 2016 and has since been used in numerous malspam campaigns.
Combining the two lets the attackers profit not only from ransom payments but also from selling the stolen information on the Dark Web.
It is not uncommon for two major malware families to be distributed together; not long ago GandCrab ransomware was seen paired with the data-stealing malware Vidar. A new partnership in the illegal malware business is therefore nothing surprising.
The new strain was first spotted in mid-January by security analysts
Security researchers closely familiar with the threat first noticed slightly different behaviour in one of the malware variants, Tro. It could spawn fake Windows Update windows, block access to security websites, and even switch off security software. At the time it was distributed through malicious adware installers, so it reached many users' machines with little effort.
Later, the renowned security researcher Michael Gillespie analyzed new ransomware samples and noticed that the payload generated network traffic associated with Azorult. Once run, the sample encrypted the victim's files, appended its extension to each, and dropped a ransom note explaining how the victim should proceed.
Behind the scenes, the threat also downloaded a file named "5.exe," which connected to a remote server associated with Azorult. When the executable was submitted to VirusTotal, most vendors detected it as the Azorult data-stealing trojan.
Victims who have been infected with STOP ransomware variants should immediately change their passwords on all accounts
Although Azorult being installed alongside STOP ransomware was only discovered recently, it is not clear how long this has been going on. Anyone infected with any of the variants, such as those appending .djvu, .tfunde, .adobe, .promo, .kroput, or .promoz, should therefore immediately change their passwords on platforms like Steam and Skype, as those credentials are the most likely to have been stolen.
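Before changing passwords, a victim or responder usually wants to confirm which variant hit the machine and when. The following triage script is an added example, not a tool from the article: it walks a directory tree, matches files against the extensions listed above, and reports the earliest and latest modification time among the encrypted files, which bounds the window during which the ransomware, and therefore Azorult, was active. The directory contents are constructed for the demo.

```python
import os
import tempfile
import time
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Extensions named in the article. STOP appends its extension after the
# original one, so an encrypted photo ends up as "photo.jpg.djvu".
STOP_EXTENSIONS = (".djvu", ".tfunde", ".adobe", ".promo", ".kroput", ".promoz")


def scan_for_stop_files(root: str) -> Dict[str, List[str]]:
    """Map each STOP extension to the files under `root` that carry it."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            lower = name.lower()
            for ext in STOP_EXTENSIONS:
                # endswith keeps ".promo" from matching ".promoz" files
                if lower.endswith(ext):
                    hits[ext].append(os.path.join(dirpath, name))
                    break
    return dict(hits)


def encryption_window(hits: Dict[str, List[str]]) -> Optional[Tuple[float, float]]:
    """Earliest and latest mtime among encrypted files: the minimum span during
    which the ransomware was running, so the stealer must be assumed active too."""
    mtimes = [os.path.getmtime(p) for paths in hits.values() for p in paths]
    if not mtimes:
        return None
    return min(mtimes), max(mtimes)


def triage(root: str) -> Dict[str, object]:
    """Summarise which variants are present, how many files, and the time window."""
    hits = scan_for_stop_files(root)
    return {
        "extensions": sorted(hits),
        "encrypted_files": sum(len(v) for v in hits.values()),
        "window": encryption_window(hits),
    }


def build_demo_tree() -> str:
    """Constructed victim directory for the demo (no real samples involved)."""
    root = tempfile.mkdtemp(prefix="stop_triage_")
    base = 1_547_900_000  # arbitrary epoch seconds in January 2019
    layout = {
        "Documents/report.docx.djvu": base,
        "Documents/notes.txt.djvu": base + 120,
        "Pictures/holiday.jpg.promoz": base + 300,
        "Pictures/untouched.png": base - 86400,   # not encrypted
        "Downloads/setup.exe": base - 3600,       # not encrypted
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    result = triage(build_demo_tree())
    print("Variants seen:", result["extensions"])
    print("Encrypted files:", result["encrypted_files"])
    if result["window"]:
        start, end = result["window"]
        print("Encryption ran from", time.ctime(start), "to", time.ctime(end))
```

Point the script at the user profile or a mounted image of the disk; the reported window is a lower bound, since the stealer may have run before the first file was encrypted, so any credential used on the machine after the earliest timestamp, and ideally before it, should be treated as compromised.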
Users should also check that no unauthorized banking transactions were made in the meantime and verify the state of their cryptocurrency wallets.
Going forward, users should rely on a password manager to protect their online accounts. Reputable security software can stop most malware strains, including STOP ransomware and the Azorult data-stealing trojan.