What is STOP/Djvu Ransomware

STOP/Djvu has been one of the most popular and devasting ransomware families that target a lot of worldwide users. It is operated by experienced developers that create and issue new ransomware versions on a regular basis. Alike other malware of this type, STOP/Djvu uses strong cryptographic algorithms along with assigning custom extensions to restrict access to data. After this, users become unable to open their files as they are blocked with secure ciphers. While being depressed and mentally down after receiving the virus, cybercriminals offer a file-saving solution – to buy special decryption software that will return access to data. They show ransom instructions inside of a note (.txt, HTML, or pop-up window) that is created at the end of encryption. Victims are often instructed to contact developers and send an estimated sum of money in BTC or other cryptocurrencies. However, it is obvious that many would like to avoid it and recover the files for free or at least at a low price. This is exactly what we are going to talk about today. Follow our guide below to learn all the necessary steps you should apply to decrypt or restore files blocked by STOP/Djvu.

1. Delete ransomware before trying to restore files

Before rushing into trying to return your data with third-party tools, it is important to run the deletion of ransomware. If you attempt to decrypt or restore data while ransomware is present, it may hinder the process or encrypt them again upon successful decryption. The majority of ransomware infections can be easily deleted with the help of special third-party tools. We recommend you to use SpyHunter 5 from EnigmaSoft Limited – a popular and highly effective tool whenever it comes to getting rid of ransomware infections. The program will scan your system for all files, folders, and registry keys installed by STOP/Djvu. Download it now and use the trial version of SpyHunter 5 to get a virus scan and 1-time removal for FREE.

SpyHunter 5 Dashboard
SpyHunter 5 Results
SpyHunter 5 System Guard
Download SpyHunter 5

2. File Recovery

Many ransomware infections make sure it is impossible to decrypt data with third-party tools. Strong ciphers assigned during encryption make things hard for external programs to approach decryption the right way. In such a case, the only possible option to avoid paying the ransom and returning files at the same time is to use backup copies stored on a non-infected device. This can be a USB or Cloud storage like Google Disk or OneDrive that is immune to encryption. As an alternative method, you can use Stellar Data Recovery Professional – a great tool designed to scan your system for available backups or shadow copies. Usually, high-quality infections family make their best to wipe out all copies stored on one’s system. Despite unfavorable statistics, there is still a chance some ransomware versions overlooked it and did not perform their deletion. In such a case, victims can use Stellar Data Recovery Professional to recover their data from found copies. You can learn more about its capabilities and try to restore the files by downloading it down below.

Stellar Data Recovery (Select types of files)
Stellar Data Recovery (Select area to recover)
Stellar Data Recovery (Scanning process)
Stellar Data Recovery (Recovery window)
Download Stellar Data Recovery Professional

3. Decryption of data

Whether files can be decrypted or not usually depends on how cybercriminals store their encryption keys – OFFLINE or ONLINE. If ransomware manages to establish a connection with its Command & Control Server during infection, it will encrypt files using ONLINE keys. In case of a failure, a file-encryptor will simply use OFFLINE keys which are the same for all of the victims. As a rule, people who had their files encrypted with OFFLINE keys have more chances to perform successful decryption compared to those dealing with ONLINE ones. Before choosing the right decryption method, it is necessary to pinpoint which type of key storage is used by your ransomware virus. This works mostly with versions that were developed after August 2019. If you determine your key to be stored OFFLINE, then you have more luck unlocking the data. To figure it out, follow these steps below:

  1. Open This PC and navigate to C:\SystemID.
  2. You should be able to see a text note called PersonalID.txt.
  3. Open it up and look at the keys located inside.
  4. If you have any of the keys ending with t1, this means some part of the data can be decrypted.

In addition, personal IDs can also be found within ransom notes at the bottom of contents. Cybercriminals attach them to identify users and ask them to send their IDs while contacting by e-mail.

The decryption of files encrypted with an OFFLINE key (Emsisoft decryptor for STOP/Djvu)

If you checked the text note and found that your keys are fully or partially OFFLINE, follow the dedicated instructions below. We will use a special Emsisoft decryptor specifically developed for STOP/Djvu. Below, we suggest you check out the full list of extensions that can be officially decrypted if OFFLINE keys were used:

.peet, .mbed, .kodg, .zobm, .msop, .hets, .gero, .hese, .grod, .seto, .peta, .moka, .meds, .kvag, .domn, .nesa, .nols, .werd, .coot, .derp, .meka, .mosk, .bora, .reco, .kuub, noos, .karl, .shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .godes, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .rezuc, .stone, .skymap, .mogera, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peka, .puma, .pumax, .pumas, .DATAWAIT, .INFOWAIT.
Show more
Show less

As new versions appear and cyber experts move on with their research, this list can be topped with new extensions someday in the future. The activity of STOP/Djvu continues to be at its peak releasing new versions and updating the older ones.

To confirm your files can be decrypted and use these instructions below, look at the content of your ransom text file (_readme.txt). If you find it the same as we referenced here only varying by e-mail addresses, follow the steps we listed below for data encrypted with OFFLINE keys.

STOP Ransomware (ransom note)
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
[removed link] Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
gerentoshelp@firemail.cc
Your personal ID:
9315hTlGeRsMht5nsgsaoejm4RWx1y69zcacA5hSp3l60BnY8f3q
asd3SGd8723bqD7SH8JmYm298WxkjhasiuSDFS35Qaidkhantjt1

To decrypt files with OFFLINE keys:

STOP djvu ransomware decryptor from emsisoft

  1. Download STOP Djvu Decryptor from Emsisoft.
  2. Execute the program and agree with all the windows that pop.
  3. Then, add locations of data you want to decrypt by clicking Add Folder and choosing locations with encrypted files.
  4. After locations are added, click on Decrypt and wait until Emsisoft gets its job done. You will see all updates regarding the process and its completion right on the panel.

STOP Djvu Decryptor by Emsisoft is totally automated meaning you don’t have to participate in the decryption process. If your files are changed with some or all ONLINE keys, follow these steps below. You might already know which type of key you have from the instructions above.

The decryption of files encrypted with an ONLINE key

As mentioned, decrypting files with ONLINE keys can be a much more sophisticated task compared to otherwise. To make it possible and level the odds in your favor, you will need to find a pair of encrypted and original (unencrypted) copies for all files you want to unlock. It is important to make sure your file pairs meet this list of requirements:

  • Must be the same file before and after encryption
  • Must be a different file pair per file type you wish to decrypt.
  • Each file must be 150KB or more.

You can match file pairs by choosing an encrypted file and searching for its source of download. Many users get files by downloading or copying them from other devices. For example, if you downloaded a pdf file from some website, which then got encrypted, try to recall this website and open it up to download a similar file. If you have an encrypted file shot on your smartphone, make another photo using the same settings and use it as a reference file. Once done, you will have to pair it up with the encrypted sample. For instance, 1.mp4 will be paired with 1.mp4.djvu, 1.pdf with 1.pdf.djvu, 1.png with 1.png.djvu, and similarly with other pairs of files. Note that new variants that use RSA algorithms are less likely to be decrypted this way because there is no such vulnerability in them. If your files were encrypted after August 2019, chances are it is the new version. Either way, you should give it a try using our instructions below.

Note: If you are affected with .puma, .pumas, .pumax, .INFOWAIT, or .DATAWAIT extensions, skip to the next method below.

  1. Open the Emsisoft Decryption page.
  2. Upload a pair of encrypted and original files to the selected boxes. Click SUBMIT.
  3. Click SUBMIT and wait until the process is done.
  4. Upon its completion, the Emsisoft Decryption page will give you a link with an individual file decryptor.
  5. Download it and do the same steps we implemented when trying to decrypt OFFLINE keys.

If Emsisoft fails to decrypt the uploaded pair of files, go back to the page and run the same steps with other pairs until you decrypt at least some of them.

c) Decrypt files with .puma, .pumas, .pumax, .INFOWAIT, and .DATAWAIT extensions

Some extensions require the usage of separate file decryptors. This is the case with the extensions we listed above. Also, ransomware variants using these extensions have their content of ransom notes different from other versions. Here is how it is likely in the case of the mentioned extensions:

STOP Ransomware (ransom note)
================ !ATTENTION PLEASE! ================
Your databases, files, photos, documents and other important files are encrypted and have the extension: .puma
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail pumarestore@india.com send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% avaliable if you contact us first 72 hours. =========================================
E-mail address to contact us: pumarestore@india.com
Reserve e-mail address to contact us:
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch Your personal id: 3346se9RaIxXF9m45nsmx7nL3bVudn91w4SNY8URDVa

If you see one of these extensions at the end of your files plus the same content of ransom instructions, follow the steps presented below.

  1. Match file pairs as we did it before without visiting the Emsisoft Decryption page.
  2. Download DJVU Puma decryptor by Emsisoft.
  3. Initiate the decryptor and agree with all of the tabs (User Account Control and Terms of Use).
  4. Next, upload the file pairs to the utility. It may also ask you to upload the ransom note, so do this, if needed.
  5. After uploading all the necessary files, click Start.
  6. Then click OK to close decryption details.
  7. Choose specific files or folders you want to scan and decrypt by clicking on Add folder.
  8. Finally, click on Decrypt and wait until the process gets done.

We hope you dealt with encryption and managed to return your files unscathed.

4. Use Media Repair to decrypt .WAV, .MP3, .MP4, .M4V, .MOV, and .3GP file formats.

media repair tool

This is another free and secure tool that may be able to return life back to your media files. The utility developed by DiskTuna supports .WAV, .MP3, .MP4, .M4V, .MOV, and .3GP file formats. Wrong to say that this tool tries to decrypt your files attacked by the STOP/Djvu family. It is rather meant to repair the non-encrypted part of the file and make it operate again. For instance, if you have an audio track practically encrypted, Media Repair will make only its non-encrypted part playable again. As with most Emsisoft Decryptors, you have to create or find a reference file to elevate your chances of successful decryption. You can find complete instructions on how to use the Media Repair tool below.

  1. Download Media Repair tool.
  2. Right-click on the downloaded archive, and select Extract to Media_Repair\.
  3. Then double-click on the extracted .exe file to launch the utility.
  4. At first, you have to choose which file type you want to decrypt. You can do it from the drop-down menu in the utility.
  5. Next, browser the folder with encrypted or reference files. Choose any of them and click on the Test icon located in the top right corner.
  6. Media Repair will display a pop-up message with information on whether it can repair the selected file or not.
  7. After checking if it is possible or not, select your reference file and click on the icon right under the Test button we used in step #5.
  8. If the file pair is properly matched, you can move on and hit the Play button to start repairing. You can also stop the process anytime by clicking on the Stop button.

Good news if you managed to repair your files, at least some part of them. Otherwise, use the remaining solutions below to give the restoration of files yet another try.

5. Use JpegMedic Arwe to recover .JPEG files

jpegmedic arwe

Alike Media Repair, JpegMedic Arwe is another free-to-use program that gives an ability to succeed in the recovery of files partially encrypted by ransomware. Arwe is known to be the light version of JpegMedic – its older brother giving professional tools with broader options to restore the data. Using a similar principle, JpegMedic can recover half-encrypted files by borrowing technical parameters from healthy reference files. Victims should use photos taken on preferably the same camera with the same settings. While running laboratory tests, JpegMedic has proven itself to run a successful repair of JPEG files with the following ransomware extensions: .EFDC, .FUTM, .HESE, .HETS, .HOOP, .IISA, .KOOM, .LQQW, .MAQL, .MMPA, .NOOA, .NPPP, .NQSQ, .OPQZ, .PAAS, .QDLA, .RIGJ, .ROBM, .STAX, .VTUA, .WIOT, .WWKA. Even if your extension is not on this list, it may still be recovered by JpegMedic. Just give it a try using these instructions below:

  1. Download JpegMedic Arwe.
  2. Open it up and choose a reference photo file by clicking Add….
  3. Then, select a folder with encrypted JPEG files by clicking Select….
  4. The program will determine the extension of encrypted files and put it in the necessary space. If Arwe determined it wrong, insert the name of the malicious extension manually.
  5. You can also choose your own path to whether repaired files will be delivered. It is recommended to choose an empty folder to prevent JpegMedic ARWE from overwriting the existing correct files by accident.
  6. After setting things up, click Run to start the recovery process.

In case you succeed with other extensions aside from those we have written, you can share this information with the developers so that they could add information about new recoverable extensions for other victims.

6. Alternative options to Restore encrypted data

There are two more ways you can attempt to decrypt your files – using Shadow Explorer and Windows Previous Versions option. Although this is less likely to work, it may with some ransomware versions that are poorly configured and fail to delete all shadow copies and backups stored on your system. Both methods are easy to use and will not take too much time to perform.

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

Summary

It is never pleasant to be a victim of ransomware infections. We hope you managed to avoid paying the ransom and recover or decrypt your files eventually. The development of ransomware infections never keeps stagnant, but always improves to combat third-party software and leave their victims no chance to return the blocked files. This is a general guide designed specifically for the STOP/Djvu family. While there are some methods that can be used in decrypting/restoring files affected by other ransomware, it still may require to use of separate software developed for other ransomware vendors. If you ever deal with other ransomware infections in the future, use dedicated instructions prepared for each variant on our website. We update this category of malware with new versions immediately once they appear.

Previous articleHow to fix “You don’t currently have permission to access this folder” error in Windows 10
Next articleHow to remove Pureweb
James Kramer
James Kramer
https://www.bugsfighter.com
Hello, I'm James. My website Bugsfighter.com, a culmination of a decade's journey in the realms of computer troubleshooting, software testing, and development. My mission here is to offer you comprehensive, yet user-friendly guides across a spectrum of topics in this niche. Should you encounter any challenges with the software or the methodologies I endorse, please know that I am readily accessible for assistance. For any inquiries or further communication, feel free to reach out through the 'Contacts' page. Your journey towards seamless computing starts here
Facebook Twitter Youtube