StopCrypt unleashes stealthy new variant that evades detection

March 18th — One of the most prevalent ransomware groups of 2023, known as StopCrypt, has revealed its new ransomware variant, which leverages sophisticated evasion tactics.

This StopCrypt development was brought to light last week. According to a new report, the ransomware family has become more common than LockBit. In contrast with other ransomware groups, StopCrypt typically targets smaller businesses, demanding an average ransom payment of just $619.

New StopCrypt strain

The multi-stage shellcode deployment process employed by the new StopCrypt strain incorporates a range of evasion techniques, including a long delay loop, dynamic API resolution and the insidious practice of process hollowing, in which the legitimate code of a suspended executable is replaced in memory with malicious code.

Malware functionality

The new malware proceeds with its covert mission by copying the same data to a location over 65 million times, in a delay loop. This is likely an attempt to circumvent time-sensitive anti-virus mechanisms, like sandboxing.

Subsequently, the variant employs multiple stages of dynamic API resolution, calling APIs at runtime rather than linking them directly. This tactic denies anti-virus software the artifacts that statically linked API calls would otherwise leave behind in the malware code.

After taking a snapshot of the current process, extracting information and allocating memory with read, write and execute permissions, the malware enters a second stage where it dynamically calls additional APIs to perform process hollowing.

Leveraging the Ntdll_NtWriteVirtualMemory function, the malicious code is written into a suspended process created with kernel32_CreateProcessA. When this suspended process resumes, the final ransomware payload launches icacls.exe, modifying access control lists so that a new directory, and the files StopCrypt creates in it, cannot be modified or deleted.

The ransomware then proceeds to encrypt the user’s files, appending the extension “.msjd”. The ransom note found in the studied variant includes a demand for $980, with a “discount” offer of $490 if the victim contacts the threat actor within 72 hours.
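As an added example that is not part of the original article, the following Python script turns two of the behaviours described above into detection rules and runs them over constructed Sysmon-style log lines: an icacls.exe /deny invocation spawned from a binary in a user-writable path, and file creations ending in the “.msjd” extension. The log format, paths and the icacls command line are constructed for illustration and are not StopCrypt's actual telemetry or arguments.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
STOPCRYPT_EXT = ".msjd"  # extension named in the article

# Constructed Sysmon-style events, "eid|parent image|image or file|command line"
# (Event ID 1 = process create, Event ID 11 = file create). Not real telemetry.
SAMPLE_LOG = r"""
1|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
1|C:\Users\bob\AppData\Local\Temp\build.exe|C:\Windows\System32\icacls.exe|icacls "C:\Users\bob\AppData\Local\1a2b" /deny *S-1-1-0:(OI)(CI)(DE,DC,WD)
1|C:\Windows\System32\cmd.exe|C:\Windows\System32\icacls.exe|icacls C:\share /grant Users:(RX)
11|C:\Users\bob\AppData\Local\Temp\build.exe|C:\Users\bob\Documents\budget.xlsx.msjd|
11|C:\Windows\explorer.exe|C:\Users\bob\Documents\notes.txt|
"""

@dataclass
class Event:
    eid: int
    parent: str
    image: str
    cmdline: str

def parse_event(line: str) -> Event:
    eid, parent, image, cmdline = line.split("|", 3)
    return Event(int(eid), parent, image, cmdline)

def from_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def check_event(ev: Event) -> Optional[str]:
    """Return an alert reason for one event, or None if it looks benign."""
    if ev.eid == 1 and ev.image.lower().endswith("\\icacls.exe"):
        # The payload uses icacls to lock down its own directory; a /deny rule
        # spawned by a binary living in a user-writable path is suspicious.
        if "/deny" in ev.cmdline.lower() and from_user_writable(ev.parent):
            return "icacls /deny launched from user-writable parent"
    if ev.eid == 11 and ev.image.lower().endswith(STOPCRYPT_EXT):
        return f"file created with {STOPCRYPT_EXT} extension"
    return None

def detect(log_text: str) -> List[Tuple[int, str]]:
    """Return (1-based log line, reason) for every event that trips a rule."""
    alerts = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        reason = check_event(parse_event(line))
        if reason:
            alerts.append((n, reason))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags only the constructed icacls /deny event and the .msjd file creation; the benign notepad, /grant and .txt events pass.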

StopCrypt evolution

Notably, this new StopCrypt variant bears striking similarities to a strain discovered by researchers last year, which was initially submitted through VirusTotal. These similarities include the distinctive “.msjd” file extension and the ransom note, including the threat actor’s contact information.

As the cyber threat landscape continues to evolve, new ransomware variants like StopCrypt serve as a reminder that cyber security professionals must also evolve their prevention and defense strategies and tactics on a routine basis.

Lastly, subscribe to the CyberTalk.org newsletter for timely insights, cutting-edge analyses and more, delivered straight to your inbox each week.