BleepingComputer reports that the StopCrypt ransomware, also known as STOP Djvu, has been upgraded with a new multi-stage execution process to better circumvent detection by security systems.
Intrusions with the updated variant of StopCrypt commence with the loading of a mysterious DLL file and an extended time-delaying loop in a bid to evade security protections, which are further bypassed with dynamic API calls, a report from SonicWall revealed. StopCrypt then conducts process hollowing involving various API calls to enable the payload injection process before facilitating additional malicious activity that includes access control list compromise, ransomware persistence, scheduled task creation, and periodic payload execution. Such changes to StopCrypt, which is regarded as the most prevalently deployed ransomware owing to its elevated distribution via free and cracked software, represent a significant threat to its victims despite the ransomware operation's relatively low monetary demands and lack of data exfiltration capabilities, according to researchers.
