STOP/DJVU Ransomware Vaccine

[struppigel]

We created a small tool that applies a vaccine to protect a system from STOP ransomware.

The vaccine works for current versions of STOP/DJVU ransomware. It prevents encryption of the files but not the infection itself.
If STOP ransomware infects a system with the vaccine, it will still place ransom notes and may change system settings, but it will not encrypt.
The ransom notes will display a message that the vaccine prevented encryption instead of the personal id.

Release STOP/DJVU Vaccine v1.0 · struppigel/STOP-DJVU-Ransomware-Vaccine

Version 1.0 of vaccine

github.com

Authors: John Parol and Karsten Hahn

 

[Freud2004]

Made by struppigel

 

[SeriousHoax]

Awesome
Currently, it's being detected by Microsoft Defender as "Trojan:Win32/Sabsik.FL.A!ml". But I submitted it as a false positive to them, so should be fixed soon.

 

[struppigel]

Thanks for sending it in @SeriousHoax .
Generally, I do think it is alright to detect those. After all vaccines by nature recreate parts of a malware on the system that should be removed by AV in case of a real infection. That's in general a problem with vaccines.

 

[SeriousHoax]

Thanks for sending it in @SeriousHoax .
Generally, I do think it is alright to detect those. After all vaccines by nature recreate parts of a malware on the system that should be removed by AV in case of a real infection. That's in general a problem with vaccines.

Oh, I see. But good to see that no popular mainstream AV at the moment is detecting it on VirusTotal. I also added a comment on VT to clarify that it's a safe file.

 

[Gandalf_The_Grey]

Now on Bleeping Computer:

German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims' files after infection.

"This tool does not prevent the infection itself. STOP ransomware will still place ransom notes and may change settings on the systems," G DATA malware analysts Karsten Hahn and John Parol explained.

"But STOP ransomware will not encrypt files anymore if the system has the vaccine. Instead of a personal ID, the ransom notes will contain a string that files were protected by the vaccine."

You can download the STOP Ransomware vaccine here, as a compiled .EXE or Python script.

This vaccine may cause your security software to believe your system is infected since it works by adding files the malware usually deploys on infected systems to trick the ransomware the device was already compromised.

While a decryptor was also released for STOP Ransomware in October 2019 by Emsisoft and Michael Gillespie to decrypt files encrypted by 148 variants for free, it no longer works with newer variants. Hence, G DATA's vaccine is your best bet if you want protection against this ransomware strain.

STOP Ransomware vaccine released to block encryption

German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims' files after infection.

www.bleepingcomputer.com

 

[Dave Russo]

For me smart screen pop up warned do not run, (I did anyway) but Kaspersky let download through with no alert. Virus Total
Antiy-AVL
Trojan/Generic.ASMalwS.34CE845
Cynet
Malicious (score: 100)
Jiangmin
Trojan.Agentb.kqi
McAfee-GW-Edition
BehavesLike.Win64.Generic.wc
Zillya
Trojan.Agent.Script.1642598

 

[struppigel]

One of the reasons I decided to publish this open source is so everyone can see what it does. ¯\_(ツ)_/¯

 

[struppigel]

One person requested a 32 bit version, so I added this to the releases as well.
This one is even worse in regards to detections.

VirusTotal

VirusTotal

www.virustotal.com

 

[SeriousHoax]

One person requested a 32 bit version, so I added this to the releases as well.
This one is even worse in regards to detections.

VirusTotal

VirusTotal

www.virustotal.com

View attachment 262722

If you don't mind, can you briefly explain why often 32bit versions of some files are detected while 64bit aren't? In my very short experience I've seen this happening a lot, mostly with Avast, Microsoft and Symantec/Norton among popular products.

 

[struppigel]

If you don't mind, can you briefly explain why often 32bit versions of some files are detected while 64bit aren't? In my very short experience I've seen this happening a lot, mostly with Avast, Microsoft and Symantec/Norton among popular products.

I am not sure why and can only guess.

As a malware author you might prefer to create a 32 bit file to cover a wider range of susceptible systems that includes all the outdated ones (32 bit also works on 64 bit machines, so this is the better option in regards to mass targetting malware). Also 32 bit malware has been around far longer in general. So for many malware families the AV systems only see 32 bit versions.

For performance reasons almost all signature based detections are tied to file types. 32 bit PE files are handled differently than 64 bit (they need slightly different parsing). So the signatures that were created for 32 bit malware only work on 32 bit files, thus can only have false positives on 32 bit files.

 

[icotonev]

Hi Кarsten ..! Due to some official commitments I had not come here ... I want to congratulate you on the instrument ..! Good job..!

 

[fredvries]

Maybe you can add a ReadMe, HowTo, and ChangeLog.

That would help

 

[struppigel]

Maybe you can add a ReadMe, HowTo, and ChangeLog.

That would help

You find the readme on the main project page: GitHub - struppigel/STOP-DJVU-Ransomware-Vaccine: Vaccine for STOP/DJVU ransomware, prevents encryption
There is no changelog because no changes have been done yet.