Last seven days
- First activity
- Jul 17, 2026
- Last activity
- Jul 17, 2026
- Feed role
- C2
- Host form
- 0 IP / 1 hostnames
STOP/DJVU is a Windows ransomware family that encrypts victim files and appends variant-specific extensions, including .hhaz, .djvuu, .ljaz, .bhtw, .bhui, .bhgr, .agho, and .vvoa.
Profile source: Mallory opens in a new tabStop
STOP/DJVU is a Windows ransomware family that encrypts victim files and appends variant-specific extensions, including .hhaz, .djvuu, .ljaz, .bhtw, .bhui, .bhgr, .agho, and .vvoa. Reported samples drop ransom notes such as _readme.txt, and one analyzed STOP/DJVU sample executed as TzjwSXczmD2hOVANbz7L7Roc.exe, contacted zexeq[.]com to retrieve a public key, then encrypted files with the .hhaz extension after reboot. In that case, encrypted files contained the mutex string {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5} at the end, and the ransom note was written to C:\Users\admin\_readme.txt.
The malware is commonly distributed through commodity malware delivery ecosystems and cracked-software lures. Supporting reporting describes STOP ransomware being delivered via SEO-poisoned cracked software sites, password-protected archives, and XLL-based infection chains. In the analyzed "CrackedCantil" intrusion, a fake cracked IDA Pro installer initiated a multi-stage chain involving PrivateLoader and Smoke loaders, multiple stealers, a miner, Socks5Systemz, and finally STOP/DJVU ransomware. STOP has also been observed as a payload distributed by the RETADUP botnet, and reporting notes delivery alongside other malware families including information stealers, click-fraud bots, cryptominers, Conti ransomware, and Arkei.
The family is widely tracked as commodity ransomware and has been reported among the more broadly distributed ransomware families in mass campaigns. One source cited STOP ransomware as 15% of massively distributed ransomware attacks in Q1 2023. There is also reporting of an extortion email address, ondrugs@firemail.cc, being seen both in a LockBit-related incident and with STOP ransomware, though the significance of that overlap is unclear.
High-confidence indicators and artifacts mentioned in the content include zexeq[.]com, the ransom note _readme.txt, the .hhaz extension, and the mutex string {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}. Variants observed by researchers append numerous other extensions, including .bhtw, .bhui, .bhgr, .agho, and .vvoa.
Samples
MITRE ATT&CK
Reporting
We found a variety of information stealers, clickfraud bots, and other malware delivered through the sites, including Conti and STOP ransomware.
New YARA rule updates introduce or refine signatures for specific malware families. This includes a detection update for the Stop ransomware family.
STOP is ransomware that encrypts user data, and the encrypted file extensions include .hhaz, .djvuu, .ljaz, and more. DJVU is a variant of the STOP ransomware and can include several layers of obfuscation which makes analysis more difficult.
...and STOP ransomware (15%).
PCrisk found new STOP ransomware variants that append the .bhtw and .bhui extensions.
"Other notable commodity malware families that use XLLs... include ... Ransomware Stop..."
"New STOP ransomware variant"
The e-mail used for extortion ondrugs@firemail.cc was also seen with STOP ransomware—an uncanny connection.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.