In addition to its capability of encrypting files, STOP Ransomware has added the AZORult trojan to its arsenal which in turn steal credentials, browser data, files, crypto wallets, and other information. Researchers downloaded a STOP Promorad Variant Sample to check for AZORult. Through this they discovered that the encrypted files were appended with the.promorad extension. The ransomware created a ransom note named _readme.txt and the Promorad variant also downloaded and executed a file named “5.exe.” This file, when executed, creates network traffic that is associated with the C&C server communications for the AZORult trojan.
Analyst Notes
If victims think they’ve been infected by STOP ransomware they should change their passwords as soon as possible. Any files stored on a Windows desktop should be secured.
