
StopCrypt, one of the most widely distributed ransomware variants, has unveiled a new version employing sophisticated evasion tactics to avoid detection. While this ransomware strain may not make headlines as often as notorious groups like LockBit or BlackCat, its evolving capabilities demand attention from the general public and businesses alike.

The Evolution of StopCrypt

Typically targeting individuals rather than large organisations, StopCrypt has gained notoriety for its widespread distribution through malvertising, fake websites, and malware-laced free software or game cracks. Unlike ransomware gangs that steal data for leverage, StopCrypt focuses on encrypting files and demanding relatively small ransom payments of £400 to £1,000.

The recent variant discovered by SonicWall’s threat researchers showcases a multi-stage execution process designed to bypass security measures and achieve stealth on infected systems.

The Infection Chain Explained:

Initial Deception: The malware loads an unrelated DLL file, potentially as a diversion, and implements long time-delaying loops to circumvent time-based security controls like sandboxing.

Dynamic Tactics: StopCrypt employs dynamically constructed API calls to allocate memory with read, write, and execute permissions, making detection more challenging.

Environmental Awareness: The ransomware takes snapshots of running processes to assess its operating environment.

Process Hijacking: Through a technique called process hollowing, StopCrypt injects its malicious payload into legitimate processes, executing covertly in memory.

Persistence and Control: Once executed, the payload secures persistence by modifying access control lists (ACLs) to prevent deletion of crucial files and directories. A scheduled task ensures the payload runs every five minutes.

Encryption and Ransom Demand: Files are encrypted, and a ransom note named “_readme.txt” is created in each affected folder, providing instructions for paying the ransom.
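The two host-side indicators the chain above leaves behind are easy to sweep for: a ransom note named "_readme.txt" in every affected folder, and a scheduled task that re-runs the payload every five minutes. The script below is an added triage example, not SonicWall's or the article's own code. It assumes only what the text states about those two indicators, and it parses the task in the Windows Task Scheduler XML export layout (Task/Triggers/<trigger>/Repetition/Interval, ISO-8601 durations such as PT5M). The folder tree, file names, encrypted-file extension and payload path are constructed for the demo and are not indicators taken from the article.

```python
"""Triage helpers for two StopCrypt indicators: the "_readme.txt" ransom note
and a scheduled task repeating every five minutes.

Added example, not the article's or SonicWall's code. Sample data is constructed.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

RANSOM_NOTE = "_readme.txt"  # note name stated in the article
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def find_ransom_notes(root):
    """Return, relative to `root`, every folder that holds the ransom note."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def _duration_minutes(interval):
    """Convert a Task Scheduler duration (PT5M, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval)
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def suspicious_task_intervals(task_xml, max_minutes=5):
    """Return (command, interval) for each trigger that repeats at least every
    `max_minutes`; a five-minute loop matches the persistence the article describes."""
    task = ET.fromstring(task_xml)
    commands = [c.text for c in task.iter(TASK_NS + "Command")]
    findings = []
    for node in task.iter(TASK_NS + "Interval"):
        minutes = _duration_minutes(node.text or "")
        if minutes is not None and minutes <= max_minutes:
            findings.append((commands[0] if commands else None, node.text))
    return findings


# Constructed sample: a task export with a five-minute repetition. The command
# path is a placeholder, not a real StopCrypt path.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2024-03-01T00:00:00</StartBoundary>
      <Repetition>
        <Interval>PT5M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\constructed_payload.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def build_sample_tree():
    """Create a throwaway folder tree of constructed files; two folders get a note."""
    root = tempfile.mkdtemp(prefix="stopcrypt_demo_")
    layout = {
        "Documents": ["report.docx.encrypted", RANSOM_NOTE],  # hypothetical extension
        "Pictures": ["holiday.jpg.encrypted", RANSOM_NOTE],
        "Program Files": ["readme.txt"],  # similar name, not the ransom note
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("folders with ransom note:", find_ransom_notes(demo_root))
    print("rapid-repeat tasks:", suspicious_task_intervals(SAMPLE_TASK_XML))
```

On a live host the task XML comes from `schtasks /query /xml` or `Export-ScheduledTask`; the interval check deliberately flags anything at or under the threshold rather than matching "PT5M" literally, so a variant that changes the period slightly is still caught, and the note sweep matches the exact file name so an ordinary `readme.txt` is not reported.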

Protecting Against StopCrypt

While the financial demands of StopCrypt may seem relatively low, the potential impact on individuals and businesses shouldn’t be underestimated. To mitigate the risk of falling victim, it’s crucial to:

  • Exercise caution when downloading software, especially from untrusted sources. Verify the authenticity of sources and scan files with updated antivirus software before opening them.
  • Implement ad blockers and script blockers in web browsers to prevent malicious advertisements from compromising systems.
  • Maintain regular backups of critical data to ensure recovery in case of a ransomware attack.
  • Keep software and operating systems up-to-date with the latest security patches to address known vulnerabilities.
  • Educate employees on identifying potential phishing attempts and other social engineering tactics used to deliver ransomware.

The evolving tactics of StopCrypt serve as a reminder that threat actors continually adapt their methods to evade detection. By staying vigilant and adopting a proactive approach to cybersecurity, individuals and businesses can better protect themselves from the damaging consequences of ransomware attacks.
