Emsisoft released a free decryption tool for the STOP (Djvu) ransomware [securityaffairs]
by CIRT Team
Emsisoft has released a new free decryption tool for the STOP (Djvu) ransomware; in recent months its research team has also helped victims of many other threats.
STOP (Djvu) ransomware has 160 variants that have infected hundreds of thousands of victims worldwide. Experts estimate a total of 460,000 victims, which makes this threat the most active and widespread ransomware today.
According to data in Emsisoft's Ransomware Statistics report for Q2 and Q3 2019, Djvu accounts for more than half of all ransomware submissions worldwide.
For the first time, a decryptor used a side-channel attack on the ransomware’s keystream.
“We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.” reads the post published by Emsisoft.
The Djvu ransomware encrypts victims’ files with Salsa20 and appends one of dozens of extensions to filenames, such as “.djvu”, “.rumba”, “.radman”, “.gero”, etc.
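To show what "attacking the keystream" of a stream cipher such as Salsa20 means in practice, here is an added illustration (not Emsisoft's tool, whose exact method the article does not describe): because a stream cipher only XORs data with a keystream, XORing a file's surviving original with its encrypted copy reveals the keystream, which then strips the encryption from any other file encrypted under the same key and nonce. The Salsa20 core is a compact reference-style implementation written for this example, and the key, nonce and file contents are constructed sample values.

```python
import struct

def _rotl(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarterround(x, a, b, c, d):
    x[b] ^= _rotl((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl((x[d] + x[c]) & 0xFFFFFFFF, 18)

def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block for a 32-byte key and 8-byte nonce."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    state = [0x61707865, k[0], k[1], k[2], k[3], 0x3320646E, n[0], n[1],
             counter & 0xFFFFFFFF, counter >> 32, 0x79622D32, k[4], k[5], k[6], k[7], 0x6B206574]
    x = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),   # column round
                  (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):  # row round
            _quarterround(x, *q)
    return struct.pack("<16I", *[(a + b) & 0xFFFFFFFF for a, b in zip(x, state)])

def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt: a stream cipher simply XORs the data with its keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = salsa20_block(key, nonce, i // 64)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)

def recover_keystream(plaintext, ciphertext):
    """C = P xor KS, so KS = P xor C wherever both the original and the encrypted copy are known."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))

def decrypt_with_keystream(keystream, ciphertext):
    """Strip the keystream off another file encrypted under the same key and nonce."""
    if len(ciphertext) > len(keystream):
        raise ValueError("recovered keystream covers only %d bytes" % len(keystream))
    return bytes(k ^ c for k, c in zip(keystream, ciphertext))

def demo():
    key, nonce = bytes(range(32)), b"\x01" * 8            # constructed sample key and reused nonce
    known_plain = b"Document the victim still holds an unencrypted copy of. " * 2
    known_cipher = salsa20_xor(key, nonce, known_plain)  # constructed "encrypted file"
    target_cipher = salsa20_xor(key, nonce, b"Second file with no surviving original.")
    keystream = recover_keystream(known_plain, known_cipher)
    return decrypt_with_keystream(keystream, target_cipher)
```

The recovered keystream only covers as many bytes as the known pair provides, which is why `decrypt_with_keystream` refuses a longer target rather than returning a partly decrypted file.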
The price of the private key and decryption software is $980; victims can receive a 50% discount if they contact the crooks within the first 72 hours.
The Djvu ransomware is mainly delivered through key generators and cracks; experts pointed out that some versions of STOP also bundle additional malicious payloads, including password-stealers.
The decryptor released by Emsisoft can recover files encrypted by 148 of the 160 variants for free, meaning that approximately 70% of victims will be able to recover their data. Unfortunately, files encrypted by the remaining 12 variants cannot currently be decrypted.
Below are the key findings shared by the company:
- The tool will recover files encrypted by 148 of the 160 known STOP variants and will enable approximately 70% of victims to recover their data without paying the ransom.
- STOP has claimed more victims than any other currently active ransomware: 116k confirmed and 460K estimated.
- The encryption is being broken via a side-channel attack on the keystream. This will be the first time ransomware has been decrypted this way on such a large scale (as far as we know).
- Because of the number of victims, we will not be able to provide one-on-one help for those who need assistance using the tool. The volunteer community at Bleeping Computer has, however, agreed to act as an unofficial support channel for this tool and will be providing help to those who need it. We greatly appreciate their efforts and willingness to help. Some words from Bleeping Computer’s Lawrence Abrams are below.