Threat Management, Malware, Ransomware

Downloads of cracked software distribute ransomware via adware bundles

Websites offering cracked versions of popular software programs have recently been serving up adware bundles that secretly deliver a variant of STOP ransomware.

According to a pair of reports from Bleeping Computer founder Lawrence Abrams, the scheme came to light in December 2018 with the appearance of the malicious encryptor "Djvu" – so named because it appends one of several .djvu string variations to affected files as an extension. Determined to be a member of the STOP family, Djvu later morphed into other minor variants that appended different extensions, including. tco and .rumba.

Bleeping Computer pinpointed the attack vector after user discussions in its forums and other sites revealed a common denominator: victims were infected after visiting one of several websites where they downloaded cracked versions of software products, including Microsoft Windows-based programs, Cubase, Adobe Photoshop, antivirus software and more.

The malware wasn't hidden in the cracked software itself, but rather in the adware bundle accompanying the software as a means of generating revenue. This is likely the consequence of a bundler "turning a blind eye" toward the ransomware, Abrams wrote.

Djvu consists of four separate components that collectively serve to fool and frustrate the victim. Aided by these components, the ransomware disables Windows Defender functionality (including real-time monitoring) to facilitate the infection, and displays a fake Windows update screen to distract users during the encryption process. It also adds numerous security sites and download sites to the Windows HOSTS file to prevent victims from connecting to them for help, Bleeping Computer reports.

In the sample cited in the report, Djvu generated a note demanding a ransom payment of $980 in return for the decryption key, offering a 50 percent discount if the victim pays within the first 72 hours. But there may be a better option, as a STOP decryptor is available.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.