A new version of the most widely-used ransomware today has been spotted — and it's even better at avoiding detection


The StopCrypt ransomware variant just received its first major update in a long time, and given its status as the world’s most distributed ransomware, that could be a big deal.

The warning comes from a new report by security researchers at SonicWall, who say that the operation now comes in multiple stages to ensure it doesn’t get picked up by antivirus programs or endpoint protection solutions.

Even though StopCrypt is arguably the world’s most widely distributed ransomware, it rarely makes headlines, as it doesn’t target large companies or critical infrastructure organizations. It doesn’t steal sensitive data, and it most certainly doesn’t demand millions in ransom payments in exchange for the decryption key and for the stolen data.

Flying under the radar

Instead, StopCrypt (also known as STOP ransomware) targets the average consumer. It is distributed through malvertising, underground websites, and dark web forums. Victims are usually looking for cracked commercial software, activators, game cheats, and similar tools, and end up with infected endpoints.

Given the low ransom demand (up to $1,000) and the fact that the victims are not exactly high-profile, STOP’s campaigns rarely make headlines. Still, the new version is bound to ruin the day for a lot of consumers.

StopCrypt was first discovered in 2018, BleepingComputer reports, and has been quite active since then. BleepingComputer’s forum thread on STOP ransomware counts more than 800 pages. Still, its developers haven’t done much over the years to expand its functionality, as most of the updates simply addressed critical issues.

Besides STOP, the most prolific ransomware variants include BlackCat (ALPHV), LockBit, and Cl0p, which have, over the years, targeted dozens of large organizations, healthcare institutions, government agencies, and critical infrastructure firms. Earlier this year, an international team of law enforcement agents managed to disrupt the infrastructure of LockBit, albeit temporarily.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.