Malware News StopCrypt: Most widely distributed ransomware evolves to evade detection


Level 34
Thread author
Top Poster
Content Creator
Malware Tester
Sep 2, 2021
A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools.

StopCrypt, also known as STOP Djvu, is the most widely distributed ransomware in existence that you rarely hear about.

While you constantly hear how big some ransomware operations are, such as LockBit, BlackCat, and Clop, you rarely hear security researchers discussing STOP.

That is because this ransomware operation does not typically target businesses but rather consumers, hoping to generate tens of thousands small $400 to $1,000 ransom payments instead of one large multi-million-dollar demand.

The ransomware is commonly distributed via malvertising and shady sites distributing adware bundles disguised as free software, game cheats and software cracks.

However, when these programs are installed, the users become infected with a variety of malware, including password stealing trojans and STOP ransomware.

This leads infected users to desperately reach out to security researchers, ransomware experts, and our 807-page STOP ransomware forum topic to try and receive help.

Since its original release in 2018, the ransomware encryptor has not changed much, with new versions mostly released to fix critical problems.

For this reason, when a new STOP version is released, it bears watching due to the large number of people who will be affected by it.

New multi-staged execution​

SonicWall's threat research team has uncovered a new variant of the STOP ransomware (they call it StopCrypt) in the wild that now utilizes a multi-stage execution mechanism.

Initially, the malware loads a seemingly unrelated DLL file (msim32.dll), possibly as a diversion. It also implements a series of long time-delaying loops that may help bypass time-related security measures.

Next, it uses dynamically constructed API calls on the stack to allocate the necessary memory space for read/write and execution permissions, making detection harder.

StopCrypt uses API calls for various operations, including taking snapshots of running processes to understand the environment in which it's operating.

The next stage involves process hollowing, where StopCrypt hijacks legitimate processes and injects its payload for discreet execution in memory. This is done through a series of carefully orchestrated API calls that manipulate process memory and control flow.

Once the final payload is executed, a series of actions takes place to secure persistence for the ransomware, modify access control lists (ACLs) to deny users permission to delete important malware files and directories, and a scheduled task is created to execute the payload every five minutes.


To support the news, I've retrieved an updated sample of STOP/DJVU, its VirusTotal

Victor M

Level 9
Oct 3, 2022
I believe that cyber attacks to home users are Vastly under-reported. It just doesn't have that oh-my-god element.


Level 39
Top Poster
Apr 1, 2019
I believe that cyber attacks to home users are Vastly under-reported. It just doesn't have that oh-my-god element.
I think it’s kind of the opposite. Why waste a good variant that’ll get picked up in telemetry on a bunch of people who can’t pay much ransom? Corporations fork out exponentially more to get their systems back.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.