*id***id*look

[Content by Gemini 2.5]

This document provides a comprehensive overview of the ransomware variant identified by the file extension *id***id*look. This pattern is characteristic of a prolific family of ransomware, most notably the Stop/Djvu ransomware, which has numerous evolving sub-variants. The *id***id* portion typically represents a unique victim ID, and .look is the fixed extension appended by this particular variant.


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The exact file extension used by this variant is .[unique_id].look (e.g., .e6f2a7g8.look, where e6f2a7g8 is a unique victim ID).
  • Renaming Convention: When a file is encrypted, its original name is preserved, but the ransomware appends the unique victim ID followed by the .look extension.
    • Example: A file named document.docx would be renamed to document.docx.[unique_id].look. Similarly, image.jpg would become image.jpg.[unique_id].look.
  • Ransom Note: A ransom note, typically named _readme.txt, is dropped in every folder containing encrypted files, as well as on the desktop. This note contains instructions for the victim, including contact emails and the ransom demand.
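
A small triage script, added here as an illustration and not part of the original write-up, that applies the renaming convention above to a file listing: it recovers the original name and victim ID from each encrypted name, counts the IDs seen, and lists folders that hold encrypted files but no _readme.txt. The paths and the ID e6f2a7g8 are constructed sample data, and the minimum ID length in the regular expression is an assumption.

```python
import ntpath
import re
from collections import Counter

# Renaming convention from the text: <original name>.<victim ID>.look
# The 4-character minimum ID length is an assumption made for this example.
ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.(?P<victim_id>[A-Za-z0-9]{4,})\.look$")
RANSOM_NOTE = "_readme.txt"

def parse_encrypted_name(filename):
    """Return (original_name, victim_id) for an encrypted name, else None."""
    m = ENCRYPTED_RE.match(filename)
    return (m.group("original"), m.group("victim_id")) if m else None

def triage(paths):
    """Summarise a file listing: what was encrypted, under which victim ID, and
    which folders hold a ransom note. Folders with encrypted files but no note,
    or more than one victim ID, deserve a closer look during response."""
    encrypted = []            # (path, original name, victim ID)
    victim_ids = Counter()    # more than one distinct ID means more than one run
    note_dirs, encrypted_dirs = set(), set()
    for path in paths:
        folder, name = ntpath.split(path)   # Windows path splitting works on any OS
        if name.lower() == RANSOM_NOTE:
            note_dirs.add(folder)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            original, victim_id = parsed
            encrypted.append((path, original, victim_id))
            victim_ids[victim_id] += 1
            encrypted_dirs.add(folder)
    return {
        "encrypted": encrypted,
        "victim_ids": dict(victim_ids),
        "note_dirs": note_dirs,
        "dirs_missing_note": encrypted_dirs - note_dirs,
    }

# Constructed listing for demonstration; the victim ID is made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.e6f2a7g8.look",
    r"C:\Users\alice\Documents\_readme.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.e6f2a7g8.look",
    r"C:\Users\alice\Pictures\notes.txt",
    r"C:\Users\alice\Desktop\_readme.txt",
]
```

Running triage(SAMPLE_PATHS) reports two encrypted files under one ID and flags the Pictures folder, which holds an encrypted file but no note.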

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: While the *id***id*look specific variant may have emerged at a particular time, it belongs to the broader Stop/Djvu ransomware family, which has been highly active and continuously evolving since late 2018 / early 2019. This family is one of the most widespread and persistent ransomware threats, with new variants appearing regularly.

3. Primary Attack Vectors

The *id***id*look variant, like other Stop/Djvu variants, primarily relies on less sophisticated but highly effective social engineering and distribution methods:

  • Cracked Software/Pirated Content: This is the most prevalent vector. Users download “cracked” versions of popular software (e.g., Adobe Photoshop, Microsoft Office, video games, system optimizers) from torrent sites, free software download sites, or untrustworthy third-party sources. The ransomware payload is often bundled within these installers.
  • Malicious Websites and Pop-up Ads: Visiting compromised websites or clicking on deceptive pop-up advertisements that push fake software updates (e.g., Flash Player updates, browser updates) can lead to an infection.
  • Email Phishing Campaigns: Although less common than for some other ransomware families, malicious attachments (e.g., infected documents, executables disguised as invoices or shipping notifications) or links in phishing emails can still be used.
  • Drive-by Downloads: In rare cases, vulnerabilities in web browsers or plugins (if unpatched) could lead to an infection simply by visiting a malicious website.
  • Fake System Optimizers/Downloaders: Deceptive software promising to clean or speed up a PC, often promoted through aggressive online ads, can secretly install ransomware.

Remediation & Recovery Strategies:

1. Prevention

  • Regular Data Backups: Implement a robust 3-2-1 backup strategy (3 copies of data, 2 different media types, 1 offsite copy). Ensure backups are disconnected from the network after completion to prevent them from being encrypted.
  • Software Updates & Patching: Keep your operating system (Windows, macOS), web browsers, antivirus software, and all other applications up to date. Enable automatic updates where possible.
  • Reputable Antivirus/Endpoint Protection (EDR): Install and maintain a high-quality antivirus or EDR solution. Ensure real-time protection is enabled and regularly scan your system.
  • Exercise Caution with Downloads: Only download software from official vendor websites or trusted app stores. Avoid “cracked” software, torrents, and free download sites that offer pirated content.
  • Email and Web Browsing Vigilance: Be extremely wary of unsolicited emails, suspicious attachments, and links. Avoid clicking on pop-up ads or suspicious banners.
  • Strong Password Policy & MFA: Use strong, unique passwords for all accounts and enable Multi-Factor Authentication (MFA) wherever possible to protect against account compromise that could lead to broader network infection.
  • User Education: Educate users about the risks of phishing, suspicious downloads, and the importance of cybersecurity best practices.
  • Disable/Restrict RDP: If RDP is used, ensure it’s protected by strong, unique passwords, MFA, and is not directly exposed to the internet. Use VPN for access if possible.

2. Removal

  • Isolate the Infected System: Immediately disconnect the infected computer from the network (unplug Ethernet cable, disable Wi-Fi) to prevent the ransomware from spreading to other devices.
  • Boot into Safe Mode: Restart your computer and boot into Safe Mode with Networking. This often prevents the ransomware process from fully loading, allowing for easier removal.
  • Run a Full System Scan: Use your reputable antivirus/anti-malware software (e.g., Malwarebytes, Emsisoft Anti-Malware, Sophos HitmanPro, Windows Defender) to perform a deep scan. Allow the software to quarantine or remove all detected threats.
  • Check for Persistent Mechanisms: The ransomware might create persistence by modifying registry entries or creating scheduled tasks. Anti-malware tools typically handle this, but advanced users can manually check msconfig, Task Scheduler, and relevant registry keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
  • Delete Ransom Notes: Once the ransomware executable is removed, delete all _readme.txt files (or whatever the ransom note is named) from your system.
  • Change All Passwords: After ensuring the system is clean, change all passwords used on the infected machine, especially for online services, email, and network shares.
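
The manual persistence check in the removal steps above, expressed as an added example that is not from the original text: it parses a .reg export of the two Run keys named there and flags values whose program launches from Temp or another user-writable folder. The export content is constructed, and the folder heuristic is an assumption about where legitimate autostart entries normally live.

```python
import re

# A .reg export writes values as "Name"="data" with backslashes and quotes escaped.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files)")

def executable_path(command):
    """Pull the program path out of a Run command line, quoted or bare."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r".*?\.exe", command, re.IGNORECASE)
    return m.group(0) if m else command.split(" ")[0]

def classify_path(path):
    """Location heuristic (an assumption, not a verdict): Temp and user-writable folders are where review starts."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p:
        return "temp"
    if SYSTEM_DIR_RE.match(p):
        return "system"
    if "\\users\\" in p or "\\programdata\\" in p:
        return "user-writable"
    return "other"

def parse_run_keys(reg_text):
    """Return one record per value under a CurrentVersion Run key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\currentversion\\run"):
            command = re.sub(r"\\(.)", r"\1", m.group("value"))  # undo .reg escaping
            path = executable_path(command)
            entries.append({"key": key, "name": m.group("name"), "command": command,
                            "path": path, "location": classify_path(path)})
    return entries

# Constructed export (not from a real machine); the Temp entry is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"ExampleUpdater"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\x1y2z3\\updater.exe\" --Task"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''
```

parse_run_keys(SAMPLE_REG) marks the two vendor entries as "system" and the Temp-based one as "temp", which is the entry a responder would inspect by hand.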

3. File Decryption & Recovery

  • Recovery Feasibility:
    • Offline Keys (Feasible for some files): The Stop/Djvu ransomware family typically generates two types of encryption keys:
      • Online Keys: If the attacker’s Command & Control (C2) server is reachable during encryption, a unique “online key” is generated for the victim. Files encrypted with online keys are currently undecryptable without the private key from the attackers. Paying the ransom is strongly discouraged as there’s no guarantee of decryption, and it fuels future attacks.
      • Offline Keys: If the C2 server is unreachable during encryption, the ransomware uses an “offline key.” A limited number of these offline keys have been recovered by security researchers over time.
    • Decryption Tools: The Emsisoft Decryptor for STOP Djvu Ransomware is the primary tool for potential decryption.
      • How it works: You provide the decryptor with an encrypted file and its original, unencrypted version (if you have one). The decryptor analyzes the encrypted file to determine the specific variant and the encryption key used. If an offline key for your specific variant is known and included in its database, it can decrypt files.
      • Limitations: This decryptor only works if your files were encrypted with an offline key that Emsisoft has managed to obtain or deduce. It will not work for files encrypted with online keys.
      • Process: Download the Emsisoft decryptor, select the drive/folder containing encrypted files, and run the scan. It will inform you if decryption is possible.
  • Other Recovery Methods:
    • Data Backups (Recommended): The most reliable method is to restore your data from clean, uninfected backups.
    • Shadow Volume Copies: Ransomware variants like *id***id*look often attempt to delete Shadow Volume Copies (VSS snapshots) using commands like vssadmin delete shadows /all /quiet. However, sometimes this command fails, or the ransomware doesn’t run it. You can attempt to recover previous versions of files or folders using Windows’ built-in “Previous Versions” feature (right-click on a folder/file -> Properties -> Previous Versions).
    • Data Recovery Software: Tools like PhotoRec, Recuva, or Disk Drill can sometimes recover fragments of original, unencrypted files that the ransomware might have deleted rather than overwritten. Success rates vary widely.
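
Detection logic for the Shadow Volume Copy deletion described above, added here as an example rather than taken from the original page: it scans constructed process-creation records for a vssadmin delete shadows command, rates a /all deletion higher than a scoped one, and reports the parent process so the responder can find what launched it. The record format (timestamp|host|parent|command line) and the sample lines are assumptions made for the example.

```python
import re

# Matches a vssadmin shadow-copy deletion regardless of case, quoting of the
# image path, or a cmd.exe /c wrapper; the remaining arguments are captured.
VSS_DELETE_RE = re.compile(
    r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b(?P<args>.*)$', re.IGNORECASE)

def classify(cmdline):
    """Return (severity, quiet) for a shadow-copy deletion, or None if not one.
    '/all' wipes every snapshot and is the form quoted in the text, so it rates high;
    a scoped deletion (one volume, oldest copy) is a routine admin action and rates medium."""
    m = VSS_DELETE_RE.search(cmdline)
    if m is None:
        return None
    args = m.group("args").lower()
    return ("high" if "/all" in args else "medium"), ("/quiet" in args)

def detect(log_text):
    """Scan 'timestamp|host|parent|command line' records and return alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmdline = line.split("|", 3)
        hit = classify(cmdline)
        if hit:
            severity, quiet = hit
            alerts.append({"time": ts, "host": host, "parent": parent,
                           "severity": severity, "quiet": quiet, "cmdline": cmdline})
    return alerts

# Constructed process-creation records (not from a real incident).
SAMPLE_EVENTS = r"""
2024-05-01T10:02:11Z|WS-017|explorer.exe|"C:\Windows\System32\vssadmin.exe" list shadows
2024-05-01T10:04:55Z|WS-017|installer.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-05-01T10:05:02Z|WS-017|installer.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2024-05-01T10:07:40Z|WS-017|explorer.exe|notepad.exe C:\Users\alice\Desktop\_readme.txt
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["time"], a["host"], a["severity"], "parent:", a["parent"], "|", a["cmdline"])
```

The benign vssadmin list shadows line produces no alert, while both deletion forms are reported at high severity with the same parent process.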

4. Other Critical Information

  • Unique Characteristics:
    • Online vs. Offline ID/Keys: This distinction is critical for Stop/Djvu variants. The _readme.txt note often contains a personal ID. If this ID ends in t1 or similar, it often indicates an online key. If it’s a short, random alphanumeric string, it might be an offline key. The Emsisoft decryptor will determine this.
    • Steals Information: Beyond encryption, Stop/Djvu variants are known to also steal sensitive information from the compromised system, including system data, browser data (cookies, saved passwords), cryptocurrency wallet information, and potentially other personal files.
    • High Volume and Constant Evolution: This family is unique in its sheer volume of new variants released almost daily, making it a continuous cat-and-mouse game for security researchers to find new offline keys.
    • Often Delivered with Other Malware: It’s common for Stop/Djvu infections to be bundled with other malware, such as info-stealers (e.g., Azorult, Vidar, RedLine Stealer) or adware, which further complicates recovery and poses additional privacy risks.
  • Broader Impact:
    • Individual Impact: Significant data loss for individuals and families who do not maintain proper backups, leading to loss of cherished photos, documents, and financial data.
    • Small Business Impact: For small businesses, it can lead to operational downtime, significant financial losses due to lost data or the cost of recovery, and reputational damage.
    • Contribution to Cybercrime Economy: The high volume of infections means a continuous stream of income for the attackers, funding further malicious activities and evolving their tactics.
    • Public Awareness Challenge: The pervasive nature of this ransomware (often disguised as legitimate software) highlights the need for continuous public education on safe online practices and software sourcing.