StopCrypt, one of the most widely distributed ransomware variants, has unveiled a new version employing sophisticated evasion tactics to avoid detection. While this ransomware strain may not make headlines as often as notorious groups like LockBit or BlackCat, its evolving capabilities demand attention from the general public and businesses alike.
Typically targeting individuals rather than large organisations, StopCrypt has gained notoriety for its widespread distribution through malvertising, fake websites, and malware-laced free software or game cracks. Unlike ransomware gangs that steal data for leverage, StopCrypt focuses on encrypting files and demanding relatively smaller ransom payments from £400 to £1,000.
The recent variant discovered by SonicWall’s threat researchers showcases a multi-stage execution process designed to bypass security measures and achieve stealth on infected systems.
Initial Deception: The malware loads an unrelated DLL file, potentially as a diversion, and implements long time-delaying loops to circumvent time-based security controls like sandboxing.
Dynamic Tactics: StopCrypt employs dynamically constructed API calls to allocate memory with read, write, and execute permissions, making detection more challenging.
Environmental Awareness: The ransomware takes snapshots of running processes to assess its operating environment.
Process Hijacking: Through a technique called process hollowing, StopCrypt injects its malicious payload into legitimate processes, executing covertly in memory.
Persistence and Control: Once executed, the payload secures persistence by modifying access control lists (ACLs) to prevent deletion of crucial files and directories. A scheduled task ensures the payload runs every five minutes.
Encryption and Ransom Demand: Files are encrypted, and a ransom note named “_readme.txt” is created in each affected folder, providing instructions for paying the ransom.
While the financial demands of StopCrypt may seem relatively low, the potential impact on individuals and businesses shouldn’t be underestimated. To mitigate the risk of falling victim, it’s crucial to:
The evolving tactics of StopCrypt serve as a reminder that threat actors continually adapt their methods to evade detection. By staying vigilant and adopting a proactive approach to cybersecurity, individuals and businesses can better protect themselves from the damaging consequences of ransomware attacks.
Businesses and organisations relying on Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) firewalls are being advised to take immediate action to protect…
A recent cyber attack has resulted in a serious data breach affecting the World-Check database, a critical tool used by financial institutions and other organisations…
WhatsApp, the popular messaging service owned by Meta, has become a prime target for fraudsters. A recent scam involves the manipulation of the WhatsApp’s verification…
