STOP Ransomware Variant Installing Azorult Infostealer

Posted on March 11, 2019
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack
A variant of the STOP ransomware family is downloading the Azorult infostealer onto victim's machines as part of its infection process. Security researcher Michael Gillespie was the first to detect this malicious activity. While testing some of the crypto-malware family's newer variants, he noticed that some of them were creating traffic indicative of Azorult. Aside from stealing victims' usernames and passwords stored in their browsers and desktop files along with their Skype credentials, browser history and other data, this trojan has a history of installing other threats like GandCrab onto compromised machines. Bleeping Computer decided to verify Gillespie's findings by downloading and installing a recent sample of STOP ransomware that appends ".promorad" to each affected file's name. It wasn't disappointed. Lawrence Abrams, creator and founder of Bleeping Computer, explains as much in a blog post:
The Promorad Ransomware variant samples we tested also download a file named 5.exe and executed it. When executed, the program will create network traffic that is identical to known command & control server communications for the Azorult information-stealing Trojan.
Screen-Shot-2019-03-11-at-06.58.44.png
Azorult Network Communication. (Source: Bleeping Computer) Abrams took the additional step of submitting the malicious file to VirusTotal. In response, numerous security vendors detected the asset as an information-stealing trojan. Users face the risk of password exposure should they suffer an infection at the hands of the STOP Promorad ransomware variant. As a result, they should make sure they stay on top of their software updates and exercise caution around suspicious email attachments. They should also follow these additional ransomware prevention tips. If they do experience an infection of STOP Promorad ransomware variant, users should take the extra step of changing all of their passwords employed for their online accounts. They should also review their desktop files to determine what types of private information Azorult might have compromised by infecting their machine. Depending on what they find, they might want to purchase a subscription to an identity theft monitoring service and/or place a security freeze on their credit report.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!