U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

STOP ransomware encrypts files and steals victim’s data

Experts observed the STOP ransomware installing the Azorult password-stealing Trojan to steal account credentials, cryptocurrency wallets, and more. The STOP ransomware made the headlines because it is installing password-stealing Trojans on the victims’ machines. Experts observed the ransomware also installing the dreaded Azorult password-stealing Trojan on victim’s machine to steal account credentials, cryptocurrency wallets, documents […]

Stop ransomware

Experts observed the STOP ransomware installing the Azorult password-stealing Trojan to steal account credentials, cryptocurrency wallets, and more.

The STOP ransomware made the headlines because it is installing password-stealing Trojans on the victims’ machines.

Experts observed the ransomware also installing the dreaded Azorult password-stealing Trojan on victim’s machine to steal account credentials, cryptocurrency wallets, documents and more.

AZORult is a data stealer that was first spotted in 2016 by Proofpoint that discovered it was it was part of a secondary infection via the Chthonic banking trojan. Later it was involved in many malspam attacks, but only in July 2018, the authors released a substantially updated variant.

In July, the experts discovered a new sophisticated version of the AZORult Spyware that was involved in a large email campaign on July 18. In October a new version of the info-stealer appeared in the wild, it is able to steal more data, including other types of cryptocurrencies

The STOP Ransomware was first spotted in January when he was being distributed by fake software cracks in January,

The popular malware researcher Michael Gillespie observed that some recent variants of the ransomare were generating traffic to infrastructure previously associated with the Azorul infection.

“When we first covered the DJVU variant of the STOP Ransomware being distributed by fake software cracks in January, we noted that when the malware was executed it would download various components that are used to perform different tasks on a victim’s computer.” reads a blog post published by Bleepingcomputer.

“These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to Windows’s HOSTS file.”

One of the variants analyzed by BleepingComputer encrypts data and appends the .promorad extension to encrypted files, then it creates ransom notes named _readme.txt as shown below.

Stop ransomware

The Promorad Ransomware variant samples tested by the experts also download a file named 5.exe and executed it. Once executed it attempt to communicate with C2 servers also associated with the Azorult Trojan.

Experts recommend victims who have been infected with the STOP Ransomware to immediately change the passwords to any online accounts that they used.

“Victims should also change passwords in software such as Skype, Steam, Telegram, and FTP Clients. Finally, victims should check any files stored on the Windows desktop for private information that may now be in the hands of the attackers.” concludes BleepingComputer.

The known list of STOP ransomware extensions includes:

.blower
.djvu
.infowait
.promok
.promorad2
.promos
.promoz
.puma
.rumba
.tro
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – STOP ransomare, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]