The STOP ransomware family has been circling the web for a few months now, successfully infecting victims and encrypting their files. In addition to the encryption capabilities, the ransomware is now able to install a particular password stealing Trojan known as Azorult (AZORult).
The Trojan is designed to steal various types of data such as account credentials, desktop files, cryptocurrency wallets, browser history, Skype message history, among others. Once harvested, the victim’s data in uploaded to a remote server.
More about AZORult
[wplinkpreview url=”https://sensorstechforum.com/azorult-version-3-2-spyware-ransomware/”] AZORult is an information stealer and downloader designed to harvest various sensitive details from the systems it compromises. The malware was first identified in 2016 when it was distributed as a part of an infection with Chthonic banking Trojan.AZORult spyware allows hackers to steal various kinds of sensitive data from any compromised PC. Initially, AZORult was a malware that needed another piece of malware to install and run it. However, in 2018 researchers spotted a shift in its distribution techniques.
They identified that plenty of spam email campaigns with attached RTF documents were designed to exploit known vulnerabilities and deliver the notorious spyware. Since then AZORult has been detected as part of various malspam attacks, with the latest campaign being associated with the STOP ransomware family.
STOP ransomware is downloading and executing 5.exe
According to security researcher Michael Gillespie, one of the files downloaded by the ransomware created traffic that was associated with AZORult spyware. Further analysis indicated that the .promorad variant of STOP ransomware also downloads and executes a file known as 5.exe. Upon execution, the file creates network traffic which is very similar to the command and control server communications of the AZORult stealer.
Furthermore, VirusTotal analysis of the 5.exe file indicates that 56 security engines detect it as malicious having Trojan-like behavior.
What does all of this mean to STOP ransomware victims?
All victims of the [wplinkpreview url=”https://sensorstechforum.com/remove-stop-ransomware/”] STOP ransomware family are urged to change the passwords of all their accounts. Specific attention should be paid to accounts saved in the browser, as well as Skype, Steam, Telegram, and FTP Clients accounts. Shortly said, if you have been infected by this ransomware family, you should change the passwords of all accounts you actively use.
Here are the latest iterations of STOP ransomware which are currently active in the wild:
- [wplinkpreview url=”https://sensorstechforum.com/remove-promorad-ransomware/”] .promorad Files Virus
- [wplinkpreview url=”https://sensorstechforum.com/remove-promorad2-virus-files/”] .promorad2 Files Virus
- [wplinkpreview url=”https://sensorstechforum.com/remove-promoz-files-virus/”] .promoz Files Virus
- [wplinkpreview url=”https://sensorstechforum.com/promored-files-virus-remove/”] .promored Files Virus
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: