Mallory

Stop/djvu

STOP/DJVU is a ransomware family, detected by ESET as Win32/Filecoder.STOP, that has repeatedly been linked to infections originating from untrusted software sources. Public reporting describes it as heavily targeting students and individual consumers or small businesses, with infections frequently following the download of pirated or cracked software, including commercial VST plugins, from search results, YouTube links, torrents, Telegram channels, Discord servers, and other piracy-related distribution points. The family is described as a recurring one and may be marketed as ransomware-as-a-service.

Ransom notes reportedly demanded roughly US$1,000 to US$1,200 in cryptocurrency, often with a 50% discount offered for payment within 24 to 72 hours. Chainalysis data lists Stop/djvu among the ransomware strains active in 2023, with an average payment of US$619 and a median payment of US$563, consistent with lower-value attacks on smaller victims.

Cracked or leaked Stop/DJVU-related tooling and builders have also been advertised on the Russian-language cybercrime forum RAMP, including a January 2024 mention of a cracked builder aimed at individual consumers and small businesses. A related threat, Zorab ransomware, masquerades as a STOP Djvu decryptor and re-encrypts files with a .ZRB extension, showing that fake decryptor tools have been used against victims in the STOP/DJVU ecosystem.


MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1204.002 Malicious File (evidence: 1)

The criminals even told the victims that if their antivirus software detected anything, it was a false positive alarm and to ignore it.

Stealth (Defense Evasion in ATT&CK)

1 technique
T1036 Masquerading (evidence: 1)

KryptoCibule, cryptocurrency-focused malware that targeted Czech and Slovak users, was spread through a popular local file sharing service, masquerading as pirated games or downloadable content (DLC) for them.

Impact

1 technique
T1486 Data Encrypted for Impact (evidence: 2)

STOP/DJVU, detected by ESET as Win32/Filecoder.STOP, is a family of ransomware... Shortly after the software piracy occurred, the students found fairly standard ransomware notes on their desktop.

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

Type        | Value                     | Latest sighting
hash.md5    | (not shown on this page)  | 2 years ago
hash.md5    | (not shown on this page)  | 2 years ago
mac.address | (not shown on this page)  | 2 years ago