STOP/DJVU Ransomware (2024 Guide)

The authors of the malware have Russian roots. The frauds use the Russian language and Russian words written in English and the domains registered through Russian domain-registration companies. The crooks most likely have allies in other countries.

DJVU Ransomware Technical Info

Many users indicate that the cryptoware is injected after downloading repackaged and infected installers of popular programs, pirated activators of MS Windows and MS Office (such as KMSAuto Net, KMSPico, etc.) distributed by the frauds through popular websites. This relates to both legitimate free applications and illegal pirated software.

The cryptoware may also be spread through hacking using poorly protected RDP configuration via email spam and malicious attachments, misleading downloads, exploits, web injectors, faulty updates, and repackaged and infected installers.

The list of file extensions subject to encryption:

• MS Office or OpenOffice documents
• PDF and text files
• Databases
• Photos, Music, Video or Image files
• Archives
• Application files, etc.

STOP/DJVU Ransomware drop files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt and !readme.txt. The .djvu* and newer variants: _openme.txt, _open_.txt, or _readme.txt

Stages of cryptoware infection

1. Once launched, the cryptoware executable connects to the Command and Control server (С&C). Consequently, it obtains the encryption key and the infection identifier for the victim’s PC. The data is transferred under the HTTP protocol in the form of JSON.
2. If С&C is unavailable (when the PC is not connected to the server’s Internet does not respond), the cryptoware applies the directly specified encryption key concealed in its code and performs the autonomous encryption. In this case, it is possible to decrypt the files without paying the ransom.
3. The cryptoware uses rdpclip.exe to replace the legitimate Windows file and implement the computer network attack.
4. Upon successful file encryption, the cipherer is autonomously removed using the delself.bat command file.

Associated Items

C:\Users\Admin\AppData\Local\3371e4e8-b5a0-4921-b87b-efb4e27b9c66\build3.exe
C:\Users\Admin\AppData\Local\Temp\C1D2.dll
C:\Users\Admin\AppData\Local\Temp\19B7.exe
C:\Users\Admin\AppData\Local\Temp\2560.exe
Tasks: "Azure-Update-Task"
Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper

Network Traffic

clsomos.com.br
o36fafs3sn6xou.com
rgyui.top
starvestitibo.org
pelegisr.com
furubujjul.net
api.2ip.ua
morgem.ru
winnlinne.com

Antivirus detection

• Trojan:Win32/Tnega!MSR Removal
• Win32:Adware-DNA [Adw] Virus Removal
• Win32:Secat [Trj] Virus Removal
• Trojan:MSIL/FormBook.PRY!MTB Virus Removal
• Trojan:Win32/Cerber.MR!MTB Virus Removal
• Trojan:Win32/Phonzy.B!ml Virus Removal
• Trojan:Win32/ButeRat!pz Virus Removal
• Win32/TrojanDownloader.Busky.AZ Virus Removal
• NSIS/TrojanDownloader.Agent.OBN Virus Removal
• Ransom:Win32/Conti.ZCI!dha Virus Removal

In addition to encrypting a victim’s files, the DJVU family has also install the Azorult Spyware to steal account credentials, cryptocurrency wallets, desktop files, and more.

How to decrypt STOP/DJVU Ransomware files?

Djvu Ransomware essentially has two versions.

1. Old Version: Most older extensions (from “.djvu” up to “.carote (v154)”) decryption for most of these versions was previously supported by STOPDecrypter tool in case if infected files with an offline key. That same support has been incorporated into the new Emsisoft Decryptor for these old Djvu variants. The decrypter will only decode your files without submitting file pairs if you have an OFFLINE KEY.
2. New Version: The newest extensions were released around the end of August 2019 after the ransomware was changed. This includes .nury, nuis, tury, tuis, etc….these new versions were supported only with Emsisoft Decryptor.

What is a “file pair”?

This is pair of files that are identical (as in they are the same precise data), except one duplicate is encrypted, and the other is not.

How to identify offline or online key?

The SystemID/PersonalID.txt file created by STOP (DJVU) on your C drive contains all of the IDs used in the encryption process.

Almost every offline ID ends with “t1”. Encryption by an OFFLINE KEY can be verified by viewing the Personal ID in the _readme.txt note and the C:\SystemID\PersonalID.txt file.

The quickest way to check if you were infected with an OFFLINE or ONLINE KEY is to:

1. Find the PesonalID.txt file located in the folder C:\SystemID\ on the infected machine and check to see if there is only one or multiple IDs.
2. If the ID ends with “t1” there is a chance that some of your files were encrypted by the OFFLINE KEY and are recoverable.
3. If none of the IDs listed end with “t1”, then all of your files were most likely encrypted with an ONLINE KEY and are not recoverable now.

Online & offline keys – What does it mean?

OFFLINE KEY indicates that the files are encrypted in offline mode. After discovering this key, it will be added to the decryptor and that files can be decrypted.

ONLINE KEY – was generated by the ransomware server. It means that the ransomware server generated a random set of keys used to encrypt files. Decrypt such files is not possible.

Encryption with the RSA algorithm used in the latest DJVU variants does not allow to use of a pair of “encrypted + original” files to train the decryption service. This certain type of encryption is resistant to cracking, and it is impossible to decrypt files without a private key. Even a supercomputer will need 100`000 years to calculate such a key.

Encrypted files extension

I. STOP group

STOP, SUSPENDED, WAITING, PAUSA, CONTACTUS, DATASTOP, STOPDATA, KEYPASS, WHY, SAVEfiles, DATAWAIT, INFOWAIT

II. Puma group

puma, pumax, pumas, shadow

III. Djvu group

djvuu, uudjvu, blower, tfudet, promok, djvut, djvur, klope, charcl, doples, luces, luceq, chech, proden, drume, tronas, trosak, grovas, grovat, roland, refols, raldug, etols, guvara, browec, norvas, moresa, verasto, hrosas, kiratos, todarius, hofos, roldat, dutan, sarut, fedasot, forasom, berost, fordan, codnat, codnat1, bufas, dotmap, radman, ferosas, rectot, skymap, mogera, rezuc, stone, redmat, lanset, davda, poret, pidon, heroset, myskle, boston, muslat, gerosan, vesad, horon, neras, truke, dalle, lotep, nusar, litar, besub, cezor, lokas, godes, budak, vusad, herad, berosuce, gehad, gusau, madek, tocue, darus, lapoi, todar, dodoc, novasof, bopador, ntuseg, ndarod, access, format, nelasod, mogranos, nvetud, cosakos, kovasoh, lotej, prandel, zatrov, masok, brusaf, londec, kropun, londec, krusop, mtogas, nasoh, coharos, nacro, pedro, nuksus, vesrato, cetori, masodas, stare, carote, shariz,

IV. Gero group (RSA)

gero, hese, xoza, seto, peta, moka, meds, kvag, domn, karl, nesa, boot, noos, kuub, mike, reco, bora, leto, nols, werd, coot, derp, nakw, meka, toec, mosk, lokf, peet, grod, mbed, kodg, zobm, rote, msop, hets, righ, gesd, merl, mkos, nbes, piny, redl, kodc, nosu, reha, topi, npsg, btos, repp, alka, bboo, rooe, mmnn, ooss, mool, nppp, rezm, lokd, foop, remk, npsk, opqz, mado, jope, mpaj, lalo, lezp, qewe, mpal, sqpc, mzlq, koti, covm, pezi, zipe, nlah, kkll, zwer nypd, usam, tabe, vawe, moba, pykw, zida, maas, repl, kuus, erif, kook, nile, oonn, vari, boop, geno, kasp, .ogdo, .npph .kolz, .copa, .lyli, .moss, .foqe, .mmpa, .efji, .iiss, .jdyi, .vpsh, .agho, .vvoa, .epor, .sglh, .lisp, .weui, .nobu, .igdm, .booa, .omfl, .igal, .qlkm, .coos, .wbxd, .pola .cosd, .plam, .ygkz, .cadq, .ribd, .tirp, .reig, .ekvf, .enfp, .ytbn, .fdcz, .urnb, .lmas, .wrui, .rejg or .pcqq, .igvm, nusm, ehiz, .paas, .pahd, .mppq, .qscx, .sspq, .iqll, .ddsg, .piiq, .neer, .miis, .leex, .zqqw, .lssr, .pooe, .zzla, .wwka, .gujd, .ufwj, .moqs, .hhqa, .aeur, .guer, .nooa, .muuq, .reqg, .hoop, .orkf, .iwan, .lqqw, .efdc, .wiot, .koom, .rigd, .tisc, .nqsq, .irjg, .vtua, .maql, .zaps, .rugj, .rivd, .cool, .palq, .stax, .irfk, .qdla, .qmak, .utjg, .futm, .iisa, .pqgs, .robm, .rigj, .moia, .yqal, .wnlu, .hgsh, .mljx, .yjqs, .shgv, .hudf, .nnqp, .xcmb, .sbpg, .miia, .loov, .dehd, .vgkf, .nqhd, .zaqi, .vfgj, .fhkf, .maak, .qqqw, .yoqs, .qqqe, .bbbw, .maiv, .bbbe, .bbbr, .qqqr, .avyu, .cuag, .iips, .ccps, .qnty, .naqi, .ckae, .eucy, .gcyi, .ooii, .rtgf, .jjtt, .fgui, .vgui, .fgnh, .sdjm, .dike, .xgpr, .iiof, .ooif, .vyia, .qbaa, .fopa, .vtym, .ftym, .bpqd, .xcbg, .kqgs, .iios, .vlff, .eyrv, .uigd, .rguy, .mmuz, .kkia, .hfgd, .ssoi, .pphg, .wdlo, .kxde, .snwd, .mpag, .voom, .gtys, .udla, .tuid, .uyjh, .qall, .qpss, .hajd, .ghas, .dqws, .nuhb, .dwqs, .ygvb, .msjd, .dmay, .jhdd, .jhbg, .dewd, .jhgn, .ttii, .mmob, .hhjk, .sijr, .bbnm, .xcvf, .egfg, .mine, .kruu, .byya, .ifla, .errz, .hruu, .dfwe, .fdcv, .fefg, .qlln, .nnuz, .zpps, .ewdf, .zfdv, .uihj, .zdfv, .rryy, .rrbb, .rrcc, .eegf, .bnrs, .bbzz, .bbyy, .bbii, .efvc, .hkgt, .eijy, .lloo, .lltt, .llee, .llqq, .dkrf, .eiur, .ghsd, .jjyy, .jjll, .jjww, .hhwq, .hhew, .hheo, .hhyu, .ggew, .ggyu, .ggeo, .ggwq, .hhye, .ooxa, .oori, .vveo, .vvwq, .vvew, .vveq, .vvyu, .dnet, .qstx, .ccew, .ccyu, .cceq, .ccwq, .cceo, .ccza, .qqmt, .qqlo, .qqlc, .oxva, .qqri, .qqjj, .qqkk, .qqpp, .xbtl, .oopu, .oodt, .oovb, .mmpu, .mmvb, .mmdt, .eewt, .eemv, .enus, .eeyu, .epub, .eebn, .stop, .aamv, .aawt, .aayu, .aabn, .oflg, .ofww, .ofoq, .adlg, .adoq, .adww, .tohj, .towz, .powz, .pohj, .tury, .tuis, .tuow, .nury, .nuis, .nuow, .nury, .powd, .pozq, .bowd, .bozq, .zatp, .zate, .fatp, .fate, .tcvp, .tcbu, .kcvp, .kcbu, .uyro, .uyit, .mppn, .mbtf, .manw, .maos, .matu, .btnw, .btos, .bttu, .isal, .iswr, .isza, .znsm, .znws, .znto, .bpsm, .bpws, .bpto, .zoqw, .zouu, .poqw, .pouu, .mzqw, .mztu, .mzop, .assm, .erqw, .erop, .vvmm, .vvoo, .hhmm, .hhee, .hhoo, .iowd, .ioqa, .iotr, .qowd, .qoqa, .qotr, .gosw, .goaq, .goba, .cosw, .coaq, .coba, craa, .qazx, .qapo, .qarj, .dazx, .dapo, .darj, .tycx, .tywd, .typo, .tyos, .jycx, .jywd, .jypo, .jyos, .nifr, .nitz, .niwm, .kiop, .kifr, .kitz, .kiwm, .boty, .boza, .coty, .coza, .fofd, .foty .foza, .sato, .saba, .qopz, .qore, .gash, .gatz, .xash, .xatz, .xaro, .gaze, .gatq, .gapo, .vaze, .vatq, .vapo, .werz, .weqp, .weon, .nerz, .neqp, .neon, .ahtw, .ahgr, .ahui, .bhtw, .bhgr, .bhui, .tghz, .tgpo, .tgvv, .aghz, .agpo, .agvv, .wazp, .waqq, .wayn, .gazp, .gaqq, .gayn, .miza, .mitu, .miqe, .kizu, .kitu, .kiqu, .wsaz, .wspn, .wsuu, .poaz, .popn, .pouu, .yyza, .yytw, .yyza, .tasa, .taqw, .taoy, .jasa, .jaqw, .jaoy, .wzqw, .wzer, .wzoq, .wztt, .nzqw, .nzer, .nzoq, .nztt, .teza, .rzkd, .rzfu, .rzew, .rzml, .hgkd, .hgfu, .hgew, .hgml, .oopl, .ooty, .oohu, .ooza, .wwpl, .wwty, .wwhu, .wwza, .azqt, .azre, .azop, .azhi, .mzqt, .mzre, .mzop, .mzhi, .ttwq, .ttza, .ttap, .ttrd, .mlwq, .mlza, .mlap, .mlrd, .ptqw, .ptrz, .pthh, .itqw, .itrz, .ithh, .zpas, .zpww, .zput, .ppvs, .ppvw, .ppvt, .yzaq, .yzqe, .yzoo, jzeq, .jzie, .eqew, .eqza, .iicc, .gyew, .gyca, .gycc, .jazi, .jawr, .nbzi, .nbwr, .hhuy, .hhaz, .ljuy, .ljaz, .loqw, .lomz, .cdqw, .cdmx, .cdwe, .cdaz, .cdpo, .cdtt, .cdcc, .cdxx, .ldhy.

.btos (V0618) Dec 2022 <- used previously .btos (V0202) Jan 2020

.mzqw (V0635) Jan 2023 <- used previously .mzqw (V0625) Jan 2023

.pouu (V0755) Jul 2023 <- used previously .pouu (V0634) Jan 2023

.mzop (V0796) Sep 2023 <- used previously .mzop (V0637) Jan 2023

The list of known DJVU e-mail:

[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

The list of latest STOP(DJVU) Ransomware

• SAGE Virus File — How to Decrypt & Remove Ransomware
• HELD Virus File — How to Decrypt & Remove Ransomware
• How to Remove and Decrypt Hlas Virus Files
• QUAL Virus File — How to Decrypt & Remove Ransomware
• SARUT Virus File — How to Decrypt & Remove Ransomware
• WATZ Virus File — How to Decrypt & Remove Ransomware
• WAQA Virus File — How to Decrypt & Remove Ransomware
• VEZA Virus File — How to Decrypt & Remove Ransomware
• PAAA Virus File — How to Decrypt & Remove Ransomware
• VEPI Virus File — How to Decrypt & Remove Ransomware

German Japanese Spanish Portuguese (Brazil) French Turkish Chinese (Traditional) Korean Indonesian Hindi Italian