Skip to content
Malware family

Stop

STOP/DJVU is a Windows ransomware family that encrypts victim files and appends variant-specific extensions, including .hhaz, .djvuu, .ljaz, .bhtw, .bhui, .bhgr, .agho, and .vvoa.

Profile source: Mallory opens in a new tab

Stop

Family profile

STOP/DJVU is a Windows ransomware family that encrypts victim files and appends variant-specific extensions, including .hhaz, .djvuu, .ljaz, .bhtw, .bhui, .bhgr, .agho, and .vvoa. Reported samples drop ransom notes such as _readme.txt, and one analyzed STOP/DJVU sample executed as TzjwSXczmD2hOVANbz7L7Roc.exe, contacted zexeq[.]com to retrieve a public key, then encrypted files with the .hhaz extension after reboot. In that case, encrypted files contained the mutex string {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5} at the end, and the ransom note was written to C:\Users\admin\_readme.txt.

The malware is commonly distributed through commodity malware delivery ecosystems and cracked-software lures. Supporting reporting describes STOP ransomware being delivered via SEO-poisoned cracked software sites, password-protected archives, and XLL-based infection chains. In the analyzed "CrackedCantil" intrusion, a fake cracked IDA Pro installer initiated a multi-stage chain involving PrivateLoader and Smoke loaders, multiple stealers, a miner, Socks5Systemz, and finally STOP/DJVU ransomware. STOP has also been observed as a payload distributed by the RETADUP botnet, and reporting notes delivery alongside other malware families including information stealers, click-fraud bots, cryptominers, Conti ransomware, and Arkei.

The family is widely tracked as commodity ransomware and has been reported among the more broadly distributed ransomware families in mass campaigns. One source cited STOP ransomware as 15% of massively distributed ransomware attacks in Q1 2023. There is also reporting of an extortion email address, ondrugs@firemail.cc, being seen both in a LockBit-related incident and with STOP ransomware, though the significance of that overlap is unclear.

High-confidence indicators and artifacts mentioned in the content include zexeq[.]com, the ransom note _readme.txt, the .hhaz extension, and the mutex string {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}. Variants observed by researchers append numerous other extensions, including .bhtw, .bhui, .bhgr, .agho, and .vvoa.

Observed infrastructure

Last seven days

First activity
Jul 17, 2026
Last activity
Jul 17, 2026
Feed role
C2
Host form
0 IP / 1 hostnames

Samples

Recent associated samples

MITRE ATT&CK

Stop in ATT&CK

10 distinct techniques

Reporting

Research mentioning Stop

Jan 1
Sophos Threat Research

Fake pirated software sites serve up malware droppers as a service | SOPHOS

We found a variety of information stealers, clickfraud bots, and other malware delivered through the sites, including Conti and STOP ransomware.

Oct 20
Detections Digest Rulecheck

Detections Digest #20251020

New YARA rule updates introduce or refine signatures for specific malware families. This includes a detection update for the Stop ransomware family.

Jan 30
ANY.RUN

CrackedCantil: Malware Work Together

STOP is ransomware that encrypts user data, and the encrypted file extensions include .hhaz, .djvuu, .ljaz, and more. DJVU is a variant of the STOP ransomware and can include several layers of obfuscation which makes analysis more difficult.

Sep 14
Sekoia

Sekoia.io mid-2023 Ransomware Threat Landscape

...and STOP ransomware (15%).

Jun 23
Bleeping Computer

The Week in Ransomware - June 23rd 2023 - The Reddit Files

PCrisk found new STOP ransomware variants that append the .bhtw and .bhui extensions.

Dec 20
Talos Intelligence

Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins

"Other notable commodity malware families that use XLLs... include ... Ransomware Stop..."

Nov 14
Bleeping Computer

The Week in Ransomware - November 13th 2020 - Extortion gone wild

"New STOP ransomware variant"

Apr 24
Sophos Threat Research

LockBit ransomware borrows tricks to keep up with REvil and Maze | SOPHOS

The e-mail used for extortion ondrugs@firemail.cc was also seen with STOP ransomware—an uncanny connection.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.