STOP/DJVU Ransomware Vaccine

struppigel

Moderator
Thread author
Verified
Staff member
Well-known
Apr 9, 2020
524
We created a small tool that applies a vaccine to protect a system from STOP ransomware.

The vaccine works for current versions of STOP/DJVU ransomware. It prevents encryption of the files but not the infection itself.
If STOP ransomware infects a system with the vaccine, it will still place ransom notes and may change system settings, but it will not encrypt.
The ransom notes will display a message that the vaccine prevented encryption instead of the personal id.


Authors: John Parol and Karsten Hahn
 

SeriousHoax

Level 42
Verified
Top poster
Well-known
Mar 16, 2019
3,198
Thanks for sending it in @SeriousHoax.
Generally, I do think it is alright to detect those. After all, vaccines by nature recreate parts of a malware on the system that should be removed by AV in case of a real infection. That's in general a problem with vaccines.
Oh, I see. But good to see that no popular mainstream AV at the moment is detecting it on VirusTotal. I also added a comment on VT to clarify that it's a safe file.
 

Gandalf_The_Grey

Level 61
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,042
Now on Bleeping Computer:
German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims' files after infection.

"This tool does not prevent the infection itself. STOP ransomware will still place ransom notes and may change settings on the systems," G DATA malware analysts Karsten Hahn and John Parol explained.

"But STOP ransomware will not encrypt files anymore if the system has the vaccine. Instead of a personal ID, the ransom notes will contain a string that files were protected by the vaccine."

You can download the STOP Ransomware vaccine here, as a compiled .EXE or Python script.

This vaccine may cause your security software to believe your system is infected since it works by adding files the malware usually deploys on infected systems, to trick the ransomware into thinking the device was already compromised.

While a decryptor was also released for STOP Ransomware in October 2019 by Emsisoft and Michael Gillespie to decrypt files encrypted by 148 variants for free, it no longer works with newer variants. Hence, G DATA's vaccine is your best bet if you want protection against this ransomware strain.
 

Dave Russo

Level 17
Verified
Top poster
May 26, 2014
800
For me, SmartScreen popped up and warned not to run it (I did anyway), but Kaspersky let the download through with no alert. VirusTotal:
Antiy-AVL: Trojan/Generic.ASMalwS.34CE845
Cynet: Malicious (score: 100)
Jiangmin: Trojan.Agentb.kqi
McAfee-GW-Edition: BehavesLike.Win64.Generic.wc
Zillya: Trojan.Agent.Script.1642598
 

struppigel

Moderator
Thread author
Verified
Staff member
Well-known
Apr 9, 2020
524
One person requested a 32 bit version, so I added this to the releases as well.
This one is even worse in regards to detections.

 

SeriousHoax

Level 42
Verified
Top poster
Well-known
Mar 16, 2019
3,198
One person requested a 32 bit version, so I added this to the releases as well.
This one is even worse in regards to detections.

If you don't mind, can you briefly explain why often 32bit versions of some files are detected while 64bit aren't? In my very short experience I've seen this happening a lot, mostly with Avast, Microsoft and Symantec/Norton among popular products.
 

struppigel

Moderator
Thread author
Verified
Staff member
Well-known
Apr 9, 2020
524
If you don't mind, can you briefly explain why often 32bit versions of some files are detected while 64bit aren't? In my very short experience I've seen this happening a lot, mostly with Avast, Microsoft and Symantec/Norton among popular products.

I am not sure why and can only guess.

As a malware author you might prefer to create a 32 bit file to cover a wider range of susceptible systems that includes all the outdated ones (32 bit also works on 64 bit machines, so this is the better option in regards to mass targeting malware). Also 32 bit malware has been around far longer in general. So for many malware families the AV systems only see 32 bit versions.

For performance reasons almost all signature based detections are tied to file types. 32 bit PE files are handled differently than 64 bit (they need slightly different parsing). So the signatures that were created for 32 bit malware only work on 32 bit files, thus can only have false positives on 32 bit files.
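The explanation above, that signatures are keyed to the file type and that a 32 bit (PE32) and a 64 bit (PE32+) executable are parsed differently, can be shown with a small scanner model. The following is an added example written for this thread, not the vaccine's own code and not any vendor's engine: it parses the DOS header, the COFF header and the optional-header Magic word at the offsets given in the PE/COFF specification, builds header-only PE32 and PE32+ images in memory (constructed test data, not real files), and routes a toy signature table by file type. The rule name and the byte pattern in the table are made up for the demonstration.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # optional header Magic for 32 bit images
PE32PLUS_MAGIC = 0x20B   # optional header Magic for 64 bit images


def pe_bitness(data: bytes) -> str:
    """Classify a buffer as 'PE32', 'PE32+', 'unknown' or 'not-pe'.

    This is the first decision a file-type keyed scanner makes: only after
    the type is known does it select which signature set to evaluate.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bounds check: room for the 4-byte "PE\0\0" signature, the 20-byte
    # COFF header and the 2-byte Magic word that starts the optional header.
    if e_lfanew + 4 + 20 + 2 > len(data):
        return "not-pe"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if opt_size == 0:
        return "not-pe"  # object file without an optional header; not an image
    if magic == PE32_MAGIC and machine == IMAGE_FILE_MACHINE_I386:
        return "PE32"
    if magic == PE32PLUS_MAGIC and machine == IMAGE_FILE_MACHINE_AMD64:
        return "PE32+"
    return "unknown"


# Toy signature table (constructed): each rule is bound to the file type it
# was written for. A rule written against 32 bit samples is never evaluated
# on a PE32+ file, so it can only produce false positives on PE32 files.
SIGNATURES = {
    "PE32": [("Demo.Marker.A", b"VACCINE-MARKER")],
    "PE32+": [],
}


def scan(data: bytes):
    """Return (file_type, [matching rule names]) for the given buffer."""
    kind = pe_bitness(data)
    hits = [name for name, pattern in SIGNATURES.get(kind, []) if pattern in data]
    return kind, hits


def build_minimal_pe(bits: int, payload: bytes = b"") -> bytes:
    """Construct a header-only PE image for testing (not loadable, just headers)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    if bits == 32:
        machine, magic, opt_size = IMAGE_FILE_MACHINE_I386, PE32_MAGIC, 0xE0
    else:
        machine, magic, opt_size = IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, 0xF0
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    return dos + b"PE\0\0" + coff + opt + payload


if __name__ == "__main__":
    body = b"padding..." + b"VACCINE-MARKER" + b"...padding"
    for bits in (32, 64):
        print(bits, scan(build_minimal_pe(bits, body)))
```

Running the block shows the same byte pattern flagged in the 32 bit image and ignored in the 64 bit one, which is the behaviour described above: a detection written while an engine only ever saw 32 bit samples of a family has no counterpart in the PE32+ rule set, so a 64 bit build of the very same tool passes clean.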