STOP Ransomware Installing Password Stealing Trojans on Victims
(Mar 10, 2019)
The ransomware family "STOP" has been observed adding new capabilities in its most recent variant, which now also installs the "AZORult" password-stealing trojan on the victim's computer to steal account credentials, cryptocurrency wallets, and desktop files, amongst other data. The ransomware is distributed as a fake software update that displays a Windows Update screen, whilst it disables Windows Defender and blocks access to security sites.
Recommendation: Always run antivirus and endpoint protection software to help prevent ransomware infection. Maintain secure backups of all important files so that paying for a decryption key never needs to be considered, and implement a business continuity plan for the event of a ransomware infection. Do not open or follow suspicious updates, attachments, or links, particularly if they arrive via email from an unknown sender or the update is not signed by the official organisation. Your company should maintain policies for consistently checking for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, and other machines on the same network should be scanned for potential infections.
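The briefing above describes two host-level side effects of this variant (Windows Defender switched off and access to security sites blocked) and recommends scanning other machines on the network. The following is an added example, not code from the original briefing or from any vendor: a read-only PowerShell audit that reports those tamper indicators on a Windows host. It uses the real Defender cmdlets Get-MpComputerStatus and Get-MpPreference and the real DisableAntiSpyware policy value; checking the hosts file for redirected hostnames is an assumption about how "blocking security sites" is commonly done, since the briefing does not state the mechanism. The function names Get-DefenderState, Get-SuspiciousHostsEntries and Test-DefenderTamperIndicators are hypothetical.

```powershell
# Added example (not from the original briefing): a read-only audit for Defender
# being disabled and for hostnames redirected in the local hosts file. The hosts
# file check is an assumption about the blocking mechanism, which the briefing
# does not specify. Run in an elevated session on the host being checked, or
# wrap the call in Invoke-Command to audit other machines on the network.

function Get-DefenderState {
    # Returns $null when the Defender module is unavailable (non-Windows host,
    # or a third-party AV has taken over), otherwise a small status object.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $pref   = Get-MpPreference -ErrorAction Stop
    } catch {
        return $null
    }
    # DisableAntiSpyware is a policy value that turns Defender off entirely; a
    # non-zero value on a machine with no such corporate policy is a tamper sign.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                               -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        RealTimeMonitorDisabled  = $pref.DisableRealtimeMonitoring
        PolicyDisableAntiSpyware = $policy.DisableAntiSpyware
    }
}

function Get-SuspiciousHostsEntries {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    # Names that legitimately map to loopback; any other name pointed at a
    # loopback or black-hole address is reported.
    $localNames    = @('localhost', 'localhost.localdomain', 'broadcasthost',
                       'ip6-localhost', 'ip6-loopback')
    $sinkAddresses = @('127.0.0.1', '0.0.0.0', '::1')

    if (-not (Test-Path $Path)) { return @() }

    Get-Content -Path $Path | ForEach-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return }
        # Drop trailing comments, then split into address + one or more hostnames.
        $fields = ($line -split '#')[0] -split '\s+' | Where-Object { $_ -ne '' }
        if ($fields.Count -lt 2) { return }
        $addr  = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        if ($sinkAddresses -contains $addr) {
            foreach ($n in $names) {
                if ($localNames -notcontains $n.ToLower()) {
                    [pscustomobject]@{ Address = $addr; Hostname = $n; Line = $line }
                }
            }
        }
    }
}

function Test-DefenderTamperIndicators {
    $findings = @()
    $state = Get-DefenderState
    if ($null -eq $state) {
        $findings += 'Windows Defender status could not be read (module unavailable).'
    } else {
        if (-not $state.AntivirusEnabled)    { $findings += 'Defender antivirus is disabled.' }
        if (-not $state.RealTimeProtection)  { $findings += 'Defender real-time protection is off.' }
        if ($state.RealTimeMonitorDisabled)  { $findings += 'DisableRealtimeMonitoring preference is set.' }
        if ($state.PolicyDisableAntiSpyware) { $findings += 'DisableAntiSpyware policy value is set in the registry.' }
    }
    foreach ($h in @(Get-SuspiciousHostsEntries)) {
        $findings += "hosts file redirects $($h.Hostname) to $($h.Address)"
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Findings = $findings
        Tampered = ($findings.Count -gt 0)
    }
}

Test-DefenderTamperIndicators | Format-List
```

The audit only reads state; it does not re-enable Defender or rewrite the hosts file, so it is safe to run fleet-wide during triage, and a machine that reports Tampered = True is a candidate for the wipe-and-reformat step recommended above rather than for in-place cleanup.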
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.