*Figure: _readme.txt (STOP/DJVU Ransomware) – the scary alert demanding that users pay the ransom to decrypt the encoded files contains these frustrating warnings.*

The Ahtw ransomware operates through a series of processes designed to carry out various tasks on the victim’s computer. One of the initial processes launched is winupdate.exe, which displays a deceptive Windows update prompt during the attack. This misleading tactic aims to make the victim believe that a sudden system slowdown is due to a legitimate Windows update. Simultaneously, another process with a random four-character name scans the system for target files and encrypts them.

Additionally, the ransomware executes the following CMD command to delete Volume Shadow Copies from the system: `vssadmin.exe Delete Shadows /All /Quiet`

By deleting the Volume Shadow Copies, the ransomware prevents the victim from restoring the computer to a previous state using System Restore Points. The ransomware operators deliberately eliminate Windows OS-based methods that could potentially assist the victim in file restoration free of charge.

Moreover, the ransomware modifies the Windows HOSTS file by adding a list of domains and mapping them to the localhost IP. As a result, when the victim attempts to access any of the blocked websites, they will encounter a DNS_PROBE_FINISHED_NXDOMAIN error. It has been observed that the ransomware attempts to block websites that publish instructional guides for computer users. This indicates that the cybercriminals aim to impede the victim’s access to relevant and helpful information regarding ransomware attacks by restricting specific domains.

After implementing these modifications, the malware continues to wreak havoc. The virus also creates two text files on the victim’s computer, namely bowsakkdestx.txt and PersonalID.txt, which contain attack-related details such as the victim’s public encryption key and personal ID.

Variants of the STOP/DJVU ransomware are known to deploy the Vidar password-stealing Trojan on compromised systems, which possesses an extensive range of capabilities, including:

- Stealing login credentials for platforms like Steam, Telegram, and Skype.
- Targeting cryptocurrency wallets for theft.
- Downloading and executing malware on the infected computer.
- Extracting sensitive information such as browser cookies, saved passwords, and browsing history.
- Accessing and manipulating files on the victim’s computer.
- Granting hackers remote control over the victim’s computer for various malicious activities.

The DJVU/STOP ransomware family employs the AES-256 encryption algorithm.
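Two of the behaviours described above, the HOSTS-file sinkholing and the shadow-copy deletion, leave artefacts a defender can check for. The following is an added example (not code from the original article or from any vendor tool): it parses a constructed HOSTS file and flags hostnames mapped to a local address that are not the standard loopback names, and it scans constructed process-creation log lines for the `vssadmin` shadow-deletion command. The `.invalid` domains and the log format are assumptions used for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of a HOSTS file after tampering of the kind described above.
# The hostnames are placeholders (reserved .invalid TLD), not indicators from the article.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-guides.invalid
127.0.0.1       example-helpsite.invalid   # appended by the malware
0.0.0.0         tracker.example.invalid
"""

# Constructed process-creation log lines in an assumed "Image: ... CommandLine: ..." layout.
SAMPLE_PROCESS_LOG = [
    "Image: C:\\Windows\\System32\\svchost.exe CommandLine: svchost.exe -k netsvcs",
    "Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe Delete Shadows /All /Quiet",
    "Image: C:\\Users\\victim\\AppData\\Local\\abcd\\winupdate.exe CommandLine: winupdate.exe",
]

LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def hijacked_hosts_entries(hosts_text: str) -> Dict[str, str]:
    """Return {hostname: ip} for names sinkholed to a local address that are
    not the standard loopback names; these are the entries worth reviewing."""
    found: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOCAL_SINKS:
            for name in names:
                if name.lower() not in BENIGN_NAMES:
                    found[name.lower()] = ip
    return found

# Matches "vssadmin delete shadows" regardless of case, ".exe" suffix or spacing.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

def shadow_copy_deletions(log_lines: List[str]) -> List[str]:
    """Return the log lines whose command line deletes Volume Shadow Copies."""
    return [line for line in log_lines if SHADOW_DELETE.search(line)]
```

On a live system the HOSTS file lives at `%SystemRoot%\System32\drivers\etc\hosts`; the same parser applies to its contents.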