What is STOP/Djvu Ransomware
STOP/Djvu has been one of the most widespread and destructive ransomware families, hitting users all over the world. It is run by experienced developers who release new versions on a regular basis. Like other malware of this type, STOP/Djvu uses strong encryption and appends a variant-specific extension to each file, after which the victim can no longer open their data. Once encryption finishes, the criminals offer the only "solution" they have in mind: buying their decryption software. The instructions come in a ransom note (a .txt file, an HTML page, or a pop-up window) dropped at the end of encryption. Victims are told to contact the operators by e-mail and pay a stated sum in BTC or another cryptocurrency. Understandably, many would rather avoid paying and recover their files for free, or at least cheaply, and that is exactly what this guide covers. Follow the steps below to learn how to decrypt or restore files locked by STOP/Djvu.
1. Delete ransomware before trying to restore files
Before rushing into recovery with third-party tools, remove the ransomware itself. If you try to decrypt or restore data while the ransomware is still running, it may interfere with the process or re-encrypt the files you have just recovered. Disconnect the machine from the network first, and do not delete the ransom notes or rename the encrypted files: the decryptors described below rely on the personal ID in the note and on the extension the ransomware added. Most ransomware infections can be removed with a dedicated anti-malware tool. We recommend SpyHunter 5 from EnigmaSoft Limited, a popular and effective tool for getting rid of ransomware infections. The program scans your system for the files, folders, and registry keys created by STOP/Djvu. Download it now and use the trial version of SpyHunter 5 to get a virus scan and one-time removal for FREE.
2. File Recovery
Many ransomware families are built so that third-party tools cannot decrypt the data: the ciphers are strong and the keys are never left on the machine. In that case, the only way to get the files back without paying is to restore them from a backup kept on a device the ransomware could not reach, such as a USB drive that was unplugged at the time or cloud storage like Google Drive or OneDrive. Note that a cloud folder that syncs automatically can receive the encrypted versions too; rely on its version history (see the Dropbox steps in section 6) rather than on the current copies. As an alternative, you can use Stellar Data Recovery Professional, a tool designed to scan your system for recoverable copies and shadow copies. Well-developed ransomware families do their best to wipe every copy stored on the system, but some versions overlook this step or fail partway through. In that case, victims can use Stellar Data Recovery Professional to recover data from the copies it finds. You can learn more about its capabilities and try to restore your files by downloading it below.
3. Decryption of data
Whether files can be decrypted usually depends on how the encryption key was handled: OFFLINE or ONLINE. If the ransomware reaches its command and control server during infection, it obtains a key that is unique to you and encrypts files with an ONLINE key. If that connection fails, the encryptor falls back to an OFFLINE key that is hard-coded in the sample and is therefore shared by every victim of that variant. Once researchers obtain a variant's offline key, everyone hit by that variant can decrypt; an online key is unique to you and only the criminals hold it. So victims whose files were encrypted with an OFFLINE key have far better odds of a successful decryption than those dealing with ONLINE ones. Before choosing a decryption method, determine which type of key your infection used. This distinction matters most for variants released after August 2019; for older variants, see the file-pair method further below. To find out, follow these steps:
- Open This PC and navigate to C:\SystemID.
- Inside you should find a text file called PersonalID.txt.
- Open it and look at the IDs listed inside (there may be more than one if the machine was infected more than once).
- If any of the IDs ends with t1, it is an OFFLINE ID, and the files encrypted under it can be decrypted once the variant's key is known.
Personal IDs also appear at the bottom of the ransom note. The criminals attach them to tell victims apart and ask you to quote your ID when you contact them by e-mail.
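The check above is easy to get wrong by eye when a machine holds several IDs, so here is an added example (not code from the original page or from Emsisoft) that parses the contents of C:\SystemID\PersonalID.txt and a ransom note, classifies each ID as OFFLINE (ending in t1) or ONLINE, and says which recovery path applies. The sample IDs and note text are constructed; the assumption that the note prints "Your personal ID:" followed by the ID on the same or the next line is this example's, and the regex tolerates both layouts.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

OFFLINE_SUFFIX = "t1"

# Assumption of this example: the note ends with "Your personal ID:" followed by the
# ID on the same line or on the next one; the regex accepts both layouts.
NOTE_ID = re.compile(r"Your personal ID:\s*([A-Za-z0-9]{20,})", re.IGNORECASE)
# PersonalID.txt holds bare IDs, one per line (several if the machine was hit more than once).
BARE_ID = re.compile(r"^[A-Za-z0-9]{20,}$")


@dataclass(frozen=True)
class PersonalId:
    value: str
    offline: bool


def classify(personal_id: str) -> PersonalId:
    """Offline IDs end in 't1'; everything else is treated as an online ID."""
    return PersonalId(personal_id, personal_id.endswith(OFFLINE_SUFFIX))


def ids_from_personalid_txt(text: str) -> list[PersonalId]:
    return [classify(line.strip()) for line in text.splitlines() if BARE_ID.match(line.strip())]


def ids_from_ransom_note(text: str) -> list[PersonalId]:
    return [classify(m.group(1)) for m in NOTE_ID.finditer(text)]


def triage(personalid_txt: str, notes: list[str]) -> dict:
    """Merge every ID found, de-duplicate, and name the recovery path that applies."""
    found: dict[str, PersonalId] = {}
    for pid in ids_from_personalid_txt(personalid_txt):
        found[pid.value] = pid
    for note in notes:
        for pid in ids_from_ransom_note(note):
            found[pid.value] = pid
    offline = sorted(v for v, p in found.items() if p.offline)
    online = sorted(v for v, p in found.items() if not p.offline)
    if offline and not online:
        verdict = "offline only: run the Emsisoft STOP/Djvu decryptor once your extension is supported"
    elif offline and online:
        verdict = "mixed: files under the offline ID may decrypt; the rest need file pairs (old variants) or backups"
    elif online:
        verdict = "online only: file pairs for old variants, otherwise backups or shadow copies"
    else:
        verdict = "no ID found: inspect C:\\SystemID and the ransom note by hand"
    return {"offline_ids": offline, "online_ids": online, "verdict": verdict}


# ---- constructed sample input (not real victim data) ----
OFFLINE_ID = "0254Skcj5hHmcWn3Em9KsdfLzXq2T8vB4nR1pYw6Qt1"
ONLINE_ID = "0254Skcj5hHmcWn3Em9KsdfLzXq2T8vB4nR1pYw6QaB"
PERSONALID_TXT = f"{OFFLINE_ID}\n{ONLINE_ID}\n"
RANSOM_NOTE = (
    "ATTENTION!\n"
    "Don't worry, you can return all your files!\n"
    "[rest of the constructed note omitted]\n"
    "Your personal ID:\n"
    f"{ONLINE_ID}\n"
)

if __name__ == "__main__":
    print(triage(PERSONALID_TXT, [RANSOM_NOTE]))
```

Run it against the real PersonalID.txt and every _readme.txt you can find (there is usually one per encrypted folder); a mixed result means only part of the data is a candidate for the offline decryptor.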
The decryption of files encrypted with an OFFLINE key (Emsisoft decryptor for STOP/Djvu)
If you checked the text file and found that your IDs are fully or partially OFFLINE, follow the dedicated instructions below. We will use the Emsisoft decryptor developed specifically for STOP/Djvu. Emsisoft maintains the list of extensions that can be officially decrypted when OFFLINE keys were used; check that your extension is on it before you start.
As new versions appear and researchers make progress, this list gains new extensions over time. STOP/Djvu activity remains at its peak, with new versions released and older ones updated constantly.
To confirm your files can be decrypted with these instructions, compare your ransom note (_readme.txt) with the one referenced here. If it matches apart from the e-mail addresses, follow the steps listed below for data encrypted with OFFLINE keys.
To decrypt files with OFFLINE keys:
- Download STOP Djvu Decryptor from Emsisoft.
- Run the program and accept the license terms in the windows that pop up.
- Add the locations of the data you want to decrypt by clicking Add Folder and choosing the folders with encrypted files.
- Once the locations are added, click Decrypt and wait until Emsisoft finishes. Progress and completion are reported right on the panel.
The STOP Djvu Decryptor by Emsisoft is fully automated, so you do not have to take part in the decryption process. If your files were encrypted with ONLINE keys (some or all of them), follow the steps below. You should already know your key type from the instructions above.
The decryption of files encrypted with an ONLINE key
As mentioned, decrypting files encrypted with ONLINE keys is a much harder task. For the old variants, Emsisoft can build a decryptor if you supply pairs consisting of an encrypted file and its original, unencrypted copy, one pair for each file type you want to unlock. Each pair must meet these requirements:
- The two files must be the same file, before and after encryption.
- You need a separate pair for each file type you want to decrypt.
- Each file must be 150 KB or larger (STOP/Djvu encrypts only the first 150 KB of a file, and the decryptor needs that whole stretch).
You can find a matching original by tracing where the encrypted file came from. Many users get files by downloading them or copying them from other devices. For example, if you downloaded a PDF from a website and it was then encrypted, go back to that website and download the same file again. If an encrypted photo was taken on your smartphone, the original may still be on the phone; if not, a new photo taken with the same settings can serve as a reference for the repair tools described later, but it is not a valid pair for decryption, because a pair must be the very same file. Then pair the original with its encrypted sample: 1.mp4 with 1.mp4.djvu, 1.pdf with 1.pdf.djvu, 1.png with 1.png.djvu, and so on. Note that the newer variants, which use RSA to protect the file keys, cannot be decrypted this way because they do not have this weakness. If your files were encrypted after August 2019, you most likely have the new version. Either way, it costs nothing to try the instructions below.
Note: If you are affected by the .puma, .pumas, .pumax, .INFOWAIT, or .DATAWAIT extensions, skip to the next method below.
- Open the Emsisoft Decryption page.
- Upload a pair of encrypted and original files to the respective boxes.
- Click SUBMIT and wait until processing is done.
- On completion, the Emsisoft Decryption page gives you a link to an individual file decryptor.
- Download it and follow the same steps we used for OFFLINE keys.
If Emsisoft fails to decrypt the uploaded pair, go back to the page and repeat the steps with other pairs until at least some of them succeed.
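Two things are worth understanding before you start uploading pairs: why a pair has to be the same file of at least 150 KB, and why a pair helps with the old variants but not the new ones. The added example below (not code from the original page or from Emsisoft) does both. Its check_pair function applies the sanity checks a practitioner would run before submitting a pair: the original must be at least 150 KB, and since STOP/Djvu only encrypts the first 150 KB, everything beyond that offset must be identical in both files. The rest is a constructed simulation: a plain XOR keystream stands in for the real cipher, an arbitrary trailer stands in for the key block the ransomware appends, and the same keystream is reused for every file. Under that assumption, known plaintext XOR ciphertext yields the keystream, which then unlocks a second file with no original. That reuse is the kind of weakness the old-variant decryptor relied on; the post-August-2019 variants protect the per-file key with RSA, so a recovered keystream would only ever unlock the one file you already have.

```python
import random

# STOP/Djvu encrypts only the first 150 KB of each file and leaves the rest untouched,
# which is why pairs must be at least this large and why the tail of a genuine pair
# must match byte for byte.
ENCRYPTED_PREFIX = 150 * 1024


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def check_pair(original: bytes, encrypted: bytes) -> tuple[bool, str]:
    """Sanity-check a candidate (original, encrypted) pair before submitting it."""
    if len(original) < ENCRYPTED_PREFIX:
        return False, "original is smaller than 150 KB"
    if len(encrypted) < len(original):
        return False, "encrypted file is shorter than the original, so it is not the same file"
    if encrypted[ENCRYPTED_PREFIX:len(original)] != original[ENCRYPTED_PREFIX:]:
        return False, "data beyond the first 150 KB differs, so it is not the same file"
    if encrypted[:ENCRYPTED_PREFIX] == original[:ENCRYPTED_PREFIX]:
        return False, "first 150 KB are identical, so this file was never encrypted"
    return True, "plausible pair"


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the stream-cipher keystream for the first 150 KB."""
    ok, why = check_pair(original, encrypted)
    if not ok:
        raise ValueError(why)
    return xor_bytes(original[:ENCRYPTED_PREFIX], encrypted[:ENCRYPTED_PREFIX])


def decrypt_with_keystream(encrypted: bytes, keystream: bytes, trailer_len: int) -> bytes:
    """Undo the XOR on the first 150 KB, keep the untouched tail, drop the appended trailer."""
    body = encrypted[:len(encrypted) - trailer_len]
    return xor_bytes(body[:ENCRYPTED_PREFIX], keystream) + body[ENCRYPTED_PREFIX:]


# ---- constructed simulation (NOT the real STOP/Djvu cipher or file layout) ----
# A plain XOR keystream stands in for the real cipher, and the same keystream is
# reused for every file; that reuse is the weakness this demonstration depends on.
_rng = random.Random(2019)
KEYSTREAM = _rng.randbytes(ENCRYPTED_PREFIX)
TRAILER = b"<constructed trailer standing in for the appended key block and ID>"
ORIGINAL_A = _rng.randbytes(200 * 1024)   # the file we still have an original of
ORIGINAL_B = _rng.randbytes(180 * 1024)   # a second file with no original available


def simulate_encrypt(data: bytes) -> bytes:
    return xor_bytes(data[:ENCRYPTED_PREFIX], KEYSTREAM) + data[ENCRYPTED_PREFIX:] + TRAILER


ENC_A = simulate_encrypt(ORIGINAL_A)
ENC_B = simulate_encrypt(ORIGINAL_B)


def recover_second_file() -> bool:
    """Use the (ORIGINAL_A, ENC_A) pair to decrypt ENC_B; True if B comes back exactly."""
    ks = recover_keystream(ORIGINAL_A, ENC_A)
    return decrypt_with_keystream(ENC_B, ks, len(TRAILER)) == ORIGINAL_B


if __name__ == "__main__":
    print(check_pair(ORIGINAL_A, ENC_A))
    print(check_pair(ORIGINAL_B, ENC_A))
    print("second file restored:", recover_second_file())
```

Only check_pair is meant for use on real files (read both into bytes and call it): a pair that fails the tail comparison is a different file or a different revision and will be rejected by the Emsisoft page anyway. The keystream functions are there to show the principle, not to replace the decryptor.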
Decrypt files with .puma, .pumas, .pumax, .INFOWAIT, and .DATAWAIT extensions
Some extensions require a separate decryptor, and the extensions listed above are that case. Ransomware variants using these extensions also drop a ransom note whose content differs from the other versions; the note referenced here shows what it looks like.
If you see one of these extensions at the end of your files and the same ransom instructions, follow the steps presented below.
- Match file pairs as described above, but without visiting the Emsisoft Decryption page.
- Download the DJVU Puma decryptor by Emsisoft.
- Add the file pairs to the utility. It may also ask for the ransom note, so add it if requested.
- After uploading all the necessary files, click Start.
- Then click OK to close decryption details.
- Choose specific files or folders you want to scan and decrypt by clicking on Add folder.
- Finally, click on Decrypt and wait until the process gets done.
We hope you dealt with encryption and managed to return your files unscathed.
4. Use Media Repair to decrypt .WAV, .MP3, .MP4, .M4V, .MOV, and .3GP file formats.
This is another free and safe tool that may bring your media files back to life. The utility, developed by DiskTuna, supports the .WAV, .MP3, .MP4, .M4V, .MOV, and .3GP formats. Strictly speaking, this tool does not decrypt files attacked by the STOP/Djvu family: it repairs the non-encrypted part of the file so that it plays again. Because STOP/Djvu encrypts only the first 150 KB, a partially encrypted audio track or video can have most of its content intact, and Media Repair makes that intact part playable. As with the file-pair method above, you need a reference file of the same type, for example a recording made on the same device with the same settings, to raise the chances of a successful repair. The full instructions for using Media Repair follow below.
- Download Media Repair tool.
- Right-click on the downloaded archive, and select Extract to Media_Repair\.
- Then double-click on the extracted .exe file to launch the utility.
- First, choose the file type you want to repair from the drop-down menu in the utility.
- Next, browse to the folder with the encrypted or reference files. Choose one of them and click the Test icon in the top right corner.
- Media Repair displays a pop-up message stating whether it can repair the selected file.
- Once you know the file can be repaired, select your reference file and click the icon right under the Test button used in step #5.
- If the file pair is properly matched, hit the Play button to start the repair. You can stop the process at any time by clicking the Stop button.
Good news if you managed to repair your files, or at least some of them. Otherwise, use the remaining solutions below to give file recovery another try.
5. Use JpegMedic Arwe to recover .JPEG files
Like Media Repair, JpegMedic Arwe is a free program that can recover files partially encrypted by ransomware. Arwe is the light version of JpegMedic, the full product, which offers professional tools with broader recovery options. Working on a similar principle, it repairs partially encrypted files by borrowing technical parameters from healthy reference files. Victims should use photos taken, preferably, with the same camera and the same settings. In laboratory tests, JpegMedic successfully repaired JPEG files carrying the following ransomware extensions:
.EFDC, .FUTM, .HESE, .HETS, .HOOP, .IISA, .KOOM, .LQQW, .MAQL, .MMPA, .NOOA, .NPPP, .NQSQ, .OPQZ, .PAAS, .QDLA, .RIGJ, .ROBM, .STAX, .VTUA, .WIOT, .WWKA. Even if your extension is not on this list, JpegMedic may still recover your files. Give it a try using the instructions below:
- Download JpegMedic Arwe.
- Open it up and choose a reference photo file by clicking Add….
- Then, select a folder with encrypted JPEG files by clicking Select….
- The program detects the extension of the encrypted files and fills it in for you. If Arwe gets it wrong, type the malicious extension in manually.
- You can also choose where the repaired files are written. Pick an empty folder so that JpegMedic Arwe cannot overwrite existing good files by accident.
- After setting things up, click Run to start the recovery process.
If you succeed with an extension other than those listed above, share this information with the developers so that they can list it as recoverable for other victims.
6. Alternative options to Restore encrypted data
There are two more ways you can attempt to restore your files: the Windows Previous Versions option and Shadow Explorer. Both rely on Volume Shadow Copies, which well-written ransomware deletes, so this is less likely to work, but it may succeed with versions that are poorly configured or fail to delete all shadow copies and backups stored on your system. Both methods are easy to use and do not take much time.
Using Windows Previous Versions option:
- Right-click the encrypted file and choose Properties.
- Select the Previous Versions tab.
- Choose a particular version of the file and click Copy.
- To restore the selected version and replace the existing file, click the Restore button.
- If the list is empty, move on to the alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it; the screen lists all drives and the dates on which shadow copies were created.
- Select the drive and date you want to restore from.
- Right-click a folder name and select Export.
- If no dates appear in the list, move on to the alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and open the folder that contains the encrypted files.
- Right-click the encrypted file and select Version history.
- Select the version of the file you wish to restore and click the Restore button.
It is never pleasant to be the victim of a ransomware infection. We hope you managed to avoid paying the ransom and eventually recovered or decrypted your files. Ransomware development never stands still; it keeps improving to defeat third-party tools and leave victims no way to return their locked files. This is a general guide written specifically for the STOP/Djvu family. Some of these methods also apply to files affected by other ransomware, but other families usually require separate software developed for that particular ransomware. If you ever deal with another ransomware infection, use the dedicated instructions prepared for each variant on our website. We update this category with new versions as soon as they appear.