Experts observed the STOP ransomware installing the Azorult password-stealing Trojan to steal account credentials, cryptocurrency wallets, and more.
Experts observed the ransomware also installing the dreaded Azorult password-stealing Trojan on victims' machines to steal account credentials, cryptocurrency wallets, documents and more.
AZORult is a data stealer that was first spotted in 2016 by Proofpoint, which discovered it being delivered as a secondary infection via the Chthonic banking trojan. It was later involved in many malspam attacks, but only in July 2018 did the authors release a substantially updated variant.
In July, the experts discovered a new, sophisticated version of the AZORult spyware involved in a large email campaign on July 18. In October, a new version of the info-stealer appeared in the wild that is able to steal more data, including other types of cryptocurrencies.
The STOP ransomware was first spotted in January, when it was being distributed by fake software cracks,
The popular malware researcher Michael Gillespie observed that some recent variants of the
“When we first covered the DJVU variant of the STOP Ransomware being distributed by fake software cracks in January, we noted that when the malware was executed it would download various components that are used to perform different tasks on a victim’s computer,” reads a blog post published by BleepingComputer.
“These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to Windows’s HOSTS file.”
One of the variants analyzed by BleepingComputer encrypts data and appends the .promorad extension to encrypted files, then it creates ransom notes named _readme.txt as shown below.
Experts recommend that victims infected with the STOP ransomware immediately change the passwords of any online accounts they used.
“Victims should also change passwords in software such as Skype, Steam, Telegram, and FTP Clients. Finally, victims should check any files stored on the Windows desktop for private information that may now be in the hands of the attackers.” concludes BleepingComputer.
The known list of STOP
.blower .djvu .infowait .promok .promorad2 .promos .promoz .puma .rumba .tro
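The following triage script is an added example, not code from the article or from BleepingComputer. It turns the two indicators the article describes into checks a responder can run on a suspect host: the extension list above (plus .promorad from the analyzed sample) and the _readme.txt note name are used to find encrypted files and ransom notes, and the HOSTS file is scanned for non-local hostnames pinned to a loopback or null address, which is how the article says STOP blocks security sites. The sample directory and HOSTS text are constructed; the hostname used is a placeholder, not a real site.

```python
import os
import tempfile
from pathlib import Path

# Extensions listed in the article for STOP variants, plus .promorad from the
# BleepingComputer sample. Extend this set as new variants are reported.
STOP_EXTENSIONS = {
    ".blower", ".djvu", ".infowait", ".promok", ".promorad", ".promorad2",
    ".promos", ".promoz", ".puma", ".rumba", ".tro",
}
RANSOM_NOTE_NAME = "_readme.txt"  # note name reported in the article


def scan_tree(root):
    """Walk `root`; return (encrypted_files, ransom_notes) as sorted path lists."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE_NAME:
                notes.append(str(path))
            elif path.suffix.lower() in STOP_EXTENSIONS:  # only the last suffix
                encrypted.append(str(path))
    return sorted(encrypted), sorted(notes)


def suspicious_hosts_entries(hosts_text):
    """Return HOSTS lines that map a non-local hostname to a sinkhole address."""
    sinkholes = {"127.0.0.1", "0.0.0.0", "::1"}
    local_names = {"localhost", "localhost.localdomain", "broadcasthost",
                   "ip6-localhost", "ip6-loopback"}
    flagged = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not body:
            continue
        addr, *names = body.split()
        if addr in sinkholes and any(n.lower() not in local_names for n in names):
            flagged.append(body)
    return flagged


def build_sample_tree():
    """Constructed sample: a temp directory mimicking a partially encrypted host."""
    root = tempfile.mkdtemp()
    Path(root, "report.docx.promorad").write_text("constructed ciphertext")
    Path(root, RANSOM_NOTE_NAME).write_text("constructed ransom note")
    sub = Path(root, "sub")
    sub.mkdir()
    Path(sub, "photo.jpg.djvu").write_text("constructed ciphertext")
    Path(sub, "clean.txt").write_text("untouched")
    return root
```

On a real host, point scan_tree at the user profile and feed suspicious_hosts_entries the contents of the system HOSTS file; any hit on a known security vendor hostname is a strong signal that the component the article describes has run.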
The post STOP ransomware encrypts files and steals victim’s data appeared first on Security Affairs.