{"id":9807,"date":"2022-08-02T20:24:23","date_gmt":"2022-08-02T20:24:23","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=9807"},"modified":"2022-11-04T17:33:59","modified_gmt":"2022-11-04T17:33:59","slug":"stop-djvu-ransomware-discord-redline","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/stop-djvu-ransomware-discord-redline\/","title":{"rendered":"Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer"},"content":{"rendered":"<p style=\"text-align: justify\">The infamous STOP\/Djvu ransomware has adopted a new spreading tactic. According to a report by <strong>Avast Threat Labs<\/strong>, a malware intelligence group, ransomware distributors have opted for Discord as a place to spread their malware.<\/p>\n<h2>STOP\/Djvu spreads in Discord, features RedLine stealer<\/h2>\n<p style=\"text-align: justify\">According to the latest notifications, <a href=\"https:\/\/gridinsoft.com\/ransomware\/djvu\">STOP\/Djvu ransomware is being spread<\/a> through malicious spam messages in Discord. Users who pretend to be sharing something useful send a 7zip archive that contains the malware. The archive is password-protected, but <strong>the password is very simple &#8211; 1234<\/strong>, a fairly typical choice when users share files on social networks. Inside the archive is an executable file of Djvu malware &#8211; probably the <strong>.vveo and .vvew variants<\/strong>. The campaign affects users in Argentina, Vietnam, Turkey, and Brazil.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">New campaign spreading on Discord, distributing STOP ransomware and RedLine stealer. The file is shared as an encrypted 7zip attachment. 
The malware is further protected by AceCrypter and has an embedded (invalid) AVG certificate.<\/p>\n<p>&mdash; Gen Threat Labs (@GenThreatLabs) <a href=\"https:\/\/twitter.com\/GenThreatLabs\/status\/1554445050775470081?ref_src=twsrc%5Etfw\" rel=\"nofollow noopener\" target=\"_blank\">August 2, 2022<\/a><\/p><\/blockquote>\n<p style=\"text-align: justify\">The file itself is additionally disguised &#8211; to lull vigilance and avoid detection by some basic anti-malware tools. It has an <strong>invalid AVG certificate embedded<\/strong> and AceCrypter protection, making it possible to pass certificate-based checks (an invalid signature does not verify, so this only fools checks that look for the mere presence of a signature). Such a tactic is new for STOP\/Djvu ransomware. Earlier, the gang masked its malware with a specific repacking that required dedicated database signatures to counteract. Whether the certificate is just an experimental feature or a new approach, only the crooks know.<\/p>\n<p style=\"text-align: justify\">The spreading model is also worth a separate note. Before, the Djvu gang was reportedly creating fake one-day sites offering torrent downloads of popular content. Popular films, sitcoms, and new games always make a suitable disguise. However, varying distribution channels is common for a group that <strong>applies a Ransomware-as-a-Service scheme<\/strong>: one distribution team may simply be testing this spreading approach.<\/p>\n<h2>STOP\/Djvu ransomware comes with RedLine stealer<\/h2>\n<p style=\"text-align: justify\">Supplementary spyware is not new for Djvu ransomware either. 
Earlier versions of this malware carried the legendary <a href=\"https:\/\/howtofix.guide\/azorult-spyware-comes-with-djvu-ransomware\/\" target=\"_blank\" rel=\"noopener nofollow\">Azorult spyware<\/a>, which appeared in 2016. Since adopting it in 2020, the STOP\/Djvu group has stealthily grabbed victims\u2019 credentials to sell them later on the Darknet. <a href=\"https:\/\/www.virustotal.com\/gui\/file\/f855a69da1b9f0c5aa4b0f566367cf6bbadec1a4b68a073b3fa83a25de14caa2\/detection\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">RedLine is younger<\/a> &#8211; it has been active since 2020 &#8211; and has several unique features that possibly make it more desirable for the developers. Again, whether such a change is temporary or permanent is unclear &#8211; <strong>Azorult and RedLine have similar functionality<\/strong>. The worst part is that victims must still change all their passwords after the attack. Otherwise, their social network accounts may end up being used as part of a botnet.<\/p>\n<figure id=\"attachment_9810\" aria-describedby=\"caption-attachment-9810\" style=\"width: 1440px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/redline-stealer-vt.png\" alt=\"RedLine Stealer VirusTotal\" width=\"1440\" height=\"577\" class=\"size-full wp-image-9810\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/redline-stealer-vt.png 1440w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/redline-stealer-vt-300x120.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/redline-stealer-vt-1024x410.png 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/redline-stealer-vt-768x308.png 768w\" sizes=\"auto, (max-width: 1440px) 100vw, 1440px\" \/><figcaption id=\"caption-attachment-9810\" class=\"wp-caption-text\">RedLine Stealer detections on 
VirusTotal<\/figcaption><\/figure>\n<h2>What is STOP\/Djvu ransomware?<\/h2>\n<p style=\"text-align: justify\">This ransomware family deserves a few words. After appearing in 2017, it quickly gained a large share of the ransomware arena. It targets individual users and asks for <strong>$450-$900 for file decryption<\/strong>. The ransomware uses an AES-256 cipher in CFB mode together with the RSA algorithm. There are several possible ways to decrypt files after a STOP\/Djvu ransomware attack, but most rely on the offline keys (a hardcoded fallback key the malware uses when it cannot reach its server, which is why it can be recovered, whereas an online key is generated per victim). Cases where your files are encrypted with online keys are likely unsolvable &#8211; unless you pay the ransom or have your files backed up. There is also the possibility of getting your files back after the gang dissolves &#8211; but that is unlikely. The STOP\/Djvu gang has been running for too long to simply cease to exist; in the worst-case scenario, it will merely decrease its activity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An infamous STOP\/Djvu ransomware adopted a new spreading tactic. According to the report of Avast Threat Labs, a malware intelligence group, ransomware distributors opted for Discord as a place to spread their malware. 
STOP\/Djvu spreads in Discord, features RedStealer According to the latest notifications, STOP\/Djvu ransomware is getting spread through the malicious spam messages in [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":11644,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[861,55,269],"class_list":{"0":"post-9807","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-discord","9":"tag-ransomware","10":"tag-ransomware-attack"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/ransomware.djvu_.jpg","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=9807"}],"version-history":[{"count":6,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9807\/revisions"}],"predecessor-version":[{"id":11642,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9807\/revisions\/11642"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/11644"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=9807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories
?post=9807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=9807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}