STOP/DJVU Ransomware Vaccine

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
We created a small tool that applies a vaccine to protect a system from STOP ransomware.

The vaccine works for current versions of STOP/DJVU ransomware. It prevents encryption of the files but not the infection itself.
If STOP ransomware infects a system with the vaccine, it will still place ransom notes and may change system settings, but it will not encrypt.
The ransom notes will display a message that the vaccine prevented encryption instead of the personal id.


Authors: John Parol and Karsten Hahn
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Thanks for sending it in @SeriousHoax.
Generally, I do think it is alright to detect those. After all, vaccines by nature recreate parts of a malware on the system that should be removed by AV in case of a real infection. That's in general a problem with vaccines.
Oh, I see. But good to see that no popular mainstream AV at the moment is detecting it on VirusTotal. I also added a comment on VT to clarify that it's a safe file.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Now on Bleeping Computer:
German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims' files after infection.

"This tool does not prevent the infection itself. STOP ransomware will still place ransom notes and may change settings on the systems," G DATA malware analysts Karsten Hahn and John Parol explained.

"But STOP ransomware will not encrypt files anymore if the system has the vaccine. Instead of a personal ID, the ransom notes will contain a string that files were protected by the vaccine."

You can download the STOP Ransomware vaccine here, as a compiled .EXE or Python script.

This vaccine may cause your security software to believe your system is infected since it works by adding files the malware usually deploys on infected systems to trick the ransomware the device was already compromised.

While a decryptor was also released for STOP Ransomware in October 2019 by Emsisoft and Michael Gillespie to decrypt files encrypted by 148 variants for free, it no longer works with newer variants. Hence, G DATA's vaccine is your best bet if you want protection against this ransomware strain.
 

Dave Russo

Level 21
Verified
Top Poster
Well-known
May 26, 2014
1,041
For me, SmartScreen popped up and warned not to run it (I did anyway), but Kaspersky let the download through with no alert. VirusTotal:
Antiy-AVL: Trojan/Generic.ASMalwS.34CE845
Cynet: Malicious (score: 100)
Jiangmin: Trojan.Agentb.kqi
McAfee-GW-Edition: BehavesLike.Win64.Generic.wc
Zillya: Trojan.Agent.Script.1642598
 

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
One person requested a 32 bit version, so I added this to the releases as well.
This one is even worse in regards to detections.

 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
One person requested a 32 bit version, so I added this to the releases as well.
This one is even worse in regards to detections.

If you don't mind, can you briefly explain why often 32bit versions of some files are detected while 64bit aren't? In my very short experience I've seen this happening a lot, mostly with Avast, Microsoft and Symantec/Norton among popular products.
 

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
If you don't mind, can you briefly explain why often 32bit versions of some files are detected while 64bit aren't? In my very short experience I've seen this happening a lot, mostly with Avast, Microsoft and Symantec/Norton among popular products.

I am not sure why and can only guess.

As a malware author you might prefer to create a 32 bit file to cover a wider range of susceptible systems that includes all the outdated ones (32 bit also works on 64 bit machines, so this is the better option in regards to mass targeting malware). Also 32 bit malware has been around far longer in general. So for many malware families the AV systems only see 32 bit versions.

For performance reasons almost all signature based detections are tied to file types. 32 bit PE files are handled differently than 64 bit (they need slightly different parsing). So the signatures that were created for 32 bit malware only work on 32 bit files, thus can only have false positives on 32 bit files.
 
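To illustrate the point made above about signatures being tied to file types, here is a small added example (not code from the thread or from G DATA's vaccine) that reads the Machine field of a PE header and applies a hypothetical signature scoped to 32 bit files only; the signature name, its pattern and the minimal PE headers are all constructed for the demonstration.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86 PE
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64 PE


def pe_machine(data: bytes):
    """Return the COFF Machine field of a PE image, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


# Hypothetical signature, keyed to a file type the way an AV engine would do it:
# the byte pattern is only ever compared against 32-bit PE files.
SIGNATURES = [
    {"name": "Example.Win32.Marker",
     "machine": IMAGE_FILE_MACHINE_I386,
     "pattern": b"VACCINE"},
]


def scan(data: bytes):
    """Return the names of signatures that match, honouring each one's file type."""
    machine = pe_machine(data)
    hits = []
    for sig in SIGNATURES:
        if machine == sig["machine"] and sig["pattern"] in data:
            hits.append(sig["name"])
    return hits


def make_pe(machine: int, payload: bytes) -> bytes:
    """Build a minimal, non-executable PE header (constructed sample input)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows DOS header
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18  # remaining COFF fields zeroed
    return bytes(dos) + coff + payload


if __name__ == "__main__":
    for machine in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        sample = make_pe(machine, b"...VACCINE...")
        print(hex(machine), scan(sample))   # same payload, only the 32-bit file matches
```

The same byte pattern is present in both samples; only the 32 bit build triggers the signature, which is the false positive asymmetry described in the post.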
