A new ransomware, dubbed Djvu, is circulating in the wild and appears to be a variant of the STOP malware. Cyber security experts warn that, at the moment, there is no way to decrypt the files for free.
A new ransomware, dubbed Djvu, is circulating in the wild, as reported by Bleeping Computer. The malicious code, which could be a variant of STOP, was released last December and has been heavily promoted through crack downloads and adware bundles. Originally, this ransomware appended a variation of the .djvu string as an extension to encrypted files, but a recent variant has switched to the .tro extension. The common theme is that most victims were infected after downloading a software crack. According to ID-Ransomware, the campaign has been very successful, with many victims submitting files to the service on a daily basis. The problem, moreover, is that at the moment there is no way to decrypt the files for free, although the cyber security community is working on the issue.
The ransomware spreads through fake cracks and adware bundles.
How the malware works
According to the researchers, the malicious cracks launch the installation of the main Djvu ransomware component. First, it removes the Windows Defender definitions and disables various Defender functionality. Then it adds many security sites, including Bleeping Computer, to the Windows HOSTS file, so that victims are unable to connect to them for help. Finally, it launches a third phase whose purpose is unknown at the moment. During the process the malware generates a unique ID for the machine, an MD5 hash of the system’s MAC address, and connects to its command and control (C2) server, which replies with the encryption key to be used on the victim’s files. The ransomware then starts encrypting the computer’s files, executables included. At the same time it runs updatewin.exe to display a fake Windows Update screen in order to distract the victim.
The ransomware is launched at different intervals to encrypt all the computer’s files, new ones included.
The cybercrime gang offers a 50% discount on the ransom if contacted within 72 hours
The Djvu ransomware, moreover, creates a scheduled task named “Time Trigger Task”, which launches the malware at different intervals in order to encrypt any new files created or imported by the user. Meanwhile, it drops ransom notes named _openme.txt in each folder where files are encrypted. The note contains information about what happened to the victim’s files and two email addresses to contact in order to receive payment instructions. As usual, the cybercrime gang offers to decrypt one file (with no sensitive information inside) for free, as a “guarantee”, and victims who contact the attackers within 72 hours are promised a 50% discount on the ransom.
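To turn the behaviours described above into something a responder can check, here is an added triage example written for this page (it is not code from the original article, from Bleeping Computer or from the malware’s authors). It runs over constructed artifacts and flags HOSTS entries that redirect security sites, file extensions containing “djvu” or “.tro”, _openme.txt ransom notes and the “Time Trigger Task” scheduled task, and it reproduces the MD5-of-MAC machine ID. The watchlist of security domains beyond bleepingcomputer.com, the exact MAC string the malware hashes and all sample inputs are assumptions, not details given in the article.

```python
"""Host triage for the Djvu/STOP indicators described in the article.

Added example, not the article's or the malware's code. Inputs are constructed
in-line so it runs offline; on a real host you would read
C:\\Windows\\System32\\drivers\\etc\\hosts, walk the user profile and list
scheduled tasks instead of using the SAMPLE_* constants.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Assumption: the article only names Bleeping Computer as a redirected site;
# the other domains in this watchlist are illustrative.
SECURITY_SITES = ("bleepingcomputer.com", "virustotal.com", "malwarebytes.com")
# Article: extension is "a variation of the .djvu string" or ".tro".
# Note that legitimate DjVu documents also end in .djvu, so treat hits as leads.
ENCRYPTED_EXT = re.compile(r"\.(?:[a-z]*djvu[a-z]*|tro)$", re.IGNORECASE)
RANSOM_NOTE = "_openme.txt"
TASK_NAME = "Time Trigger Task"


def hijacked_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs in a hosts file that override a watched security site."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            lowered = name.lower()
            if any(lowered == s or lowered.endswith("." + s) for s in SECURITY_SITES):
                hits.append((ip, lowered))
    return hits


def encrypted_files_and_notes(paths):
    """Split a file listing into likely-encrypted files and ransom notes."""
    encrypted, notes = [], []
    for p in paths:
        name = PureWindowsPath(p).name
        if name.lower() == RANSOM_NOTE:
            notes.append(p)
        elif ENCRYPTED_EXT.search(name):
            encrypted.append(p)
    return encrypted, notes


def persistence_task_present(task_names):
    """True if the scheduled task the article names is in the task list."""
    return any(t.strip().lower() == TASK_NAME.lower() for t in task_names)


def machine_id_from_mac(mac):
    """MD5 of the MAC address, the per-victim ID described in the article.

    Assumption: the article does not give the exact string that is hashed
    (separators, case), so this normalizes to the uppercase colon form first.
    """
    octets = re.findall(r"[0-9A-Fa-f]{2}", mac)
    normalized = ":".join(octets).upper()
    return hashlib.md5(normalized.encode("ascii")).hexdigest()


def triage(hosts_text, paths, task_names):
    """Collect every indicator into one dict for reporting."""
    encrypted, notes = encrypted_files_and_notes(paths)
    return {
        "hosts_hijacks": hijacked_hosts_entries(hosts_text),
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "persistence_task": persistence_task_present(task_names),
    }


# Constructed sample data (not captured from a real infection).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
0.0.0.0 www.bleepingcomputer.com   # entry added by the malware
0.0.0.0 bleepingcomputer.com
"""
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\report.docx.djvu",
    r"C:\Users\bob\Documents\_openme.txt",
    r"C:\Users\bob\Pictures\cat.jpg.tro",
    r"C:\Users\bob\Pictures\dog.jpg",
]
SAMPLE_TASKS = ["Adobe Acrobat Update Task", "Time Trigger Task"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOSTS, SAMPLE_PATHS, SAMPLE_TASKS).items():
        print(f"{key}: {value}")
    print("machine id:", machine_id_from_mac("00-11-22-33-44-55"))
```

The HOSTS check matters in practice: a victim whose browser cannot reach a vendor’s site will often blame the network, so the hosts file is one of the first places to look during triage, and removing the injected lines restores access to help. The MD5-of-MAC ID is useful mainly for correlating a ransom note or C2 request with a specific machine during an investigation.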