Recently, 360 Security Center has observed that the number of users infected with STOP ransomware continues to increase. Traceability analysis found that STOP ransomware is being spread through a range of cracked games. Taking a cracked version of GTA4 as an example, the infection process is shown in the following figure:
Technical Analysis
The latest STOP ransomware samples use several common code obfuscation and anti-sandbox techniques to defeat anti-virus analysis environments. One of them is inserting meaningless system API calls, which do nothing useful for the program but trip up some anti-virus virtual machines:
Another is an oversized loop with a useless body, which simply burns time so that virtual machines that abandon analysis after a timeout never reach the real payload:
Only after all of this obfuscation logic has run is the actual STOP ransomware payload decrypted and executed in memory, so a decrypted copy is only obtainable from the memory of the running process:
The debug (PDB) path left in the decrypted STOP ransomware is as follows:
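As an added example (this is not 360's code, and it does not describe the real sample's layout), the script below shows how an analyst recovers an in-memory decrypted payload and its debug path from a process memory dump: scan the dump for PE headers, carve each image out using its section table, and pull the PDB path from the CodeView (RSDS) debug record. The dump bytes, the three-section PE layout and the path `C:\work\build\payload.pdb` are all constructed for the demo.

```python
"""Carve decrypted PE images out of a memory dump and extract their PDB paths.

Added example, not 360's code.  Everything in build_sample_dump() is
constructed for the demo; the carver itself works on any raw dump bytes.
"""
import re
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
SECTION_HEADER_SIZE = 40
# CodeView record: "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path
RSDS_RE = re.compile(rb"RSDS.{20}([\x20-\x7e]{1,260})\x00", re.DOTALL)


def build_sample_dump() -> bytes:
    """Constructed dump: 0xCC filler with one minimal PE32 image at 0x1000."""
    pe_off = 0x80
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [
        (b".text\0\0\0", 0x1000, 0x1000, 0x200, 0x200),
        (b".rdata\0\0", 0x1000, 0x2000, 0x200, 0x400),
        (b".data\0\0\0", 0x1000, 0x3000, 0x200, 0x600),
    ]
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))  # e_lfanew at 0x3C
    image += b"\0" * (pe_off - len(image))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics
    image += b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386,
                                     len(sections), 0x5D3F0000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic
    struct.pack_into("<I", opt, 16, 0x1234)     # AddressOfEntryPoint
    image += opt
    for name, vsize, vaddr, rawsize, rawptr in sections:
        image += name + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, rawptr,
                                    0, 0, 0, 0, 0x60000020)
    image += b"\0" * (0x200 - len(image))       # pad headers to first section
    body = bytearray(0x600)                     # three 0x200-byte sections
    cv = (b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
          + b"C:\\work\\build\\payload.pdb\0")  # constructed PDB path
    body[0x200:0x200 + len(cv)] = cv            # lives in .rdata (file offset 0x400)
    image += body
    return b"\xCC" * 0x1000 + bytes(image) + b"\xCC" * 0x800


def carve_pe_images(dump: bytes) -> list:
    """Return one record per plausible PE image found in the dump.

    The image size is taken from the section table's file layout
    (PointerToRawData + SizeOfRawData), which is what a loader's freshly
    decrypted buffer looks like; a fully mapped image would need
    VirtualAddress + VirtualSize instead.
    """
    found = []
    for m in re.finditer(rb"MZ", dump):
        base = m.start()
        if base + 0x40 > len(dump):
            continue
        e_lfanew = struct.unpack_from("<I", dump, base + 0x3C)[0]
        pe = base + e_lfanew
        if e_lfanew > 0x1000 or pe + 24 > len(dump) or dump[pe:pe + 4] != b"PE\0\0":
            continue
        machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", dump, pe + 4)
        opt = pe + 24
        if nsec == 0 or nsec > 96 or opt + opt_size > len(dump):
            continue
        if struct.unpack_from("<H", dump, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
            continue
        entry = struct.unpack_from("<I", dump, opt + 16)[0]
        sec_off = opt + opt_size
        if sec_off + nsec * SECTION_HEADER_SIZE > len(dump):
            continue
        names, end = [], 0
        for i in range(nsec):
            hdr = sec_off + i * SECTION_HEADER_SIZE
            names.append(dump[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace"))
            _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", dump, hdr + 8)
            end = max(end, rawptr + rawsize)
        blob = dump[base:base + end]
        pdb = RSDS_RE.search(blob)
        found.append({
            "offset": base,
            "size": len(blob),
            "machine": machine,
            "entry_point": entry,
            "sections": names,
            "pdb_path": pdb.group(1).decode("ascii") if pdb else None,
            "image": blob,
        })
    return found


if __name__ == "__main__":
    for rec in carve_pe_images(build_sample_dump()):
        print(f"PE at 0x{rec['offset']:x}, {rec['size']} bytes, machine 0x{rec['machine']:x}, "
              f"entry 0x{rec['entry_point']:x}, sections {rec['sections']}, pdb {rec['pdb_path']}")
```

On a real dump (for example one taken from the loader process after the busy loop finishes), each carved `image` can be written to disk and loaded into a disassembler directly; the PDB path is useful as a clustering pivot across samples from the same build environment, which is why the page calls it out.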
STOP ransomware then encrypts the user's files and demands a ransom. The ransom note is as follows:
For an analysis of the STOP ransomware encryption logic, see https://bbs.360.cn/thread-15804568-1-1.html.
Security advice
(1) Do not run cracked software, games or other programs of unknown origin; a cracked installer is an easy place to hide a loader like this one.
(2) 360 Total Security detects and blocks this attack. Users are advised to download it from www.360totalsecurity.com, install it and remove the threat.