April 18, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – Emerging Black Basta Ransomware 2.0 – Active IOCs
December 6, 2022Rewterz Threat Alert – LockBit Ransomware – Active IOCs
December 7, 2022Rewterz Threat Alert – Emerging Black Basta Ransomware 2.0 – Active IOCs
December 6, 2022Rewterz Threat Alert – LockBit Ransomware – Active IOCs
December 7, 2022
Severity
High
Analysis Summary
The STOP/DJVU ransomware initially made headlines in 2018 and has since been attacking individuals all around the world. It’s widespread on torrent sites and other platforms in software crack packages and adware bundles. The STOP/DJVU ransomware is a Trojan that encrypts files. It infiltrates your computer invisibly and encrypts all of your data, making them unavailable to you. It leaves a ransom letter warning which demands money in exchange for decrypting your data and making them available to you again. Malware is delivered via cracked applications, fake set-up apps keygens, activators, and Windows updates. It does not utilize local information like keyboard layouts or timezone settings to prevent infecting victims in certain countries; instead, it uses the information returned by a request to https[:]//api.2ip.ua/geo.json. The card’s MAC address is utilized to provide unique identification for the system. This identity is provided to STOP’s command and control server, which responded with an RSA-2048 public key for encryption. Additional malware, including an information stealer known as Vidar, is then downloaded and installed
Impact
- Information Theft
- File Encryption
Indicators of Compromise
MD5
df6b685b852da59e784fd18ffa9eb9e5
1b49e27f89805075fd9572449ed2fdab
SHA-256
9c0eee406891dd011567fa78fbd7ef0870213e69b52e5e7453559965abd5d209
2262bb38413e35bc46b83cd0b68a0fce2cd47988f8ccca14be63f8fd74171364
SHA-1
7bd3459c36f4f1bebf55c961160d6bcdc6e9690c
f5a811e69beec50f54e57992c9d31c2c96b52a2e
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open ” links and attachments received from unknown sources/senders
