STOP/DJVU is a Windows ransomware family that encrypts victim files and appends variant-specific extensions, including .hhaz, .djvuu, .ljaz, .bhtw, .bhui, .bhgr, .agho, and .vvoa. Reported samples drop ransom notes such as _readme.txt, and one analyzed STOP/DJVU sample executed as TzjwSXczmD2hOVANbz7L7Roc.exe, contacted zexeq[.]com to retrieve a public key, then encrypted files with the .hhaz extension after reboot. In that case, encrypted files contained the mutex string {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5} at the end, and the ransom note was written to C:\Users\admin_readme.txt.
The malware is commonly distributed through commodity malware delivery ecosystems and cracked-software lures. Supporting reporting describes STOP ransomware being delivered via SEO-poisoned cracked software sites, password-protected archives, and XLL-based infection chains. In the analyzed "CrackedCantil" intrusion, a fake cracked IDA Pro installer initiated a multi-stage chain involving PrivateLoader and Smoke loaders, multiple stealers, a miner, Socks5Systemz, and finally STOP/DJVU ransomware. STOP has also been observed as a payload distributed by the RETADUP botnet, and reporting notes delivery alongside other malware families including information stealers, click-fraud bots, cryptominers, Conti ransomware, and Arkei.
The family is widely tracked as commodity ransomware and has been reported among the more broadly distributed ransomware families in mass campaigns. One source cited STOP ransomware as 15% of massively distributed ransomware attacks in Q1 2023. There is also reporting of an extortion email address, ondrugs@firemail.cc, being seen both in a LockBit-related incident and with STOP ransomware, though the significance of that overlap is unclear.
High-confidence indicators and artifacts mentioned in the content include zexeq[.]com, the ransom note _readme.txt, the .hhaz extension, and the mutex string {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}. Variants observed by researchers append numerous other extensions, including .bhtw, .bhui, .bhgr, .agho, and .vvoa.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
10 distinct techniques documented for this family, organized by ATT&CK tactic.
During this process, the ransomware will generate a unique ID for the machine... and connect to it's Command & Control server at the url http://morgem[.]ru/test/get.php?pid=[machine_id]. The server would then reply back with the encryption key that should be used to encrypt a victim's files.
When these cracks are installed, the main installer will be installed as %LocalAppData%\[guid]\[random].exe and executed. This program is the main ransomware component and will first download the following files to the same folder: %LocalAppData%\[guid]\1.exe %LocalAppData%\[guid]\2.exe %LocalAppData%\[guid]\3.exe %LocalAppData%\[guid]\updatewin.exe
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware distributed through fake cracked-software installers and malicious download chains.
Ransomware family that encrypts files and demands payment for decryption.
A ransomware family that encrypts files, appends extensions such as .hhaz and .djvuu, drops a ransom note, retrieves a public key from C2, and uses a mutex to avoid double encryption. The article notes it works alongside infostealers to steal data before encryption.
Mass-distributed ransomware family noted as common in large-scale campaigns; operators reportedly shifting toward targeted attacks.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.