DJVU/STOP General information
The DJVU/STOP ransomware codifies the users’ data with the AES-256 algorithm (CFB mode). However, it does not encrypt the entire file, but rather approximately 5 MB in its beginning. Subsequently, it asks for the ransom that amounts to $980 in Bitcoin equivalent to restore the files.
The authors of the malware have Russian roots. The frauds use Russian language and Russian words written in English, as well as the domains registered through Russian domain-registration companies. The crooks most likely have allies in other countries.
DJVU Technical details
Many users indicate that the cryptoware is injected after downloading repackaged and infected installers of popular programs, pirated activators of MS Windows and MS Office (such as KMSAuto Net, KMSPico, etc.) distributed by the frauds through popular websites. This relates to both legitimate free applications and illegal pirated software.
The cryptoware may also be spread through hacking by means of poorly protected RDP configuration, via email spam and malicious attachments, misleading downloads, exploits, web injectors, faulty updates, repackaged and infected installers.
The list of file extensions subject to encryption:
- MS Office or OpenOffice documents
- PDF and text files
- Photos, Music, Video or Image files
- Application files, etc.
STOP/DJVU Ransomware drop files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt and !readme.txt. The .djvu* and newer variants: _openme.txt, _open_.txt or _readme.txt
Stages of cryptoware infection:
- Once launched, the cryptoware executable connects to the Command and Control server (С&C). Consequently, it obtains the encryption key and the infection identifier for the victim’s PC. The data is transferred under the HTTP protocol in the form of JSON.
- If С&C is unavailable (in times when the PC is not connected to the Internet of the server does not respond), the cryptoware applies the directly specified encryption key concealed in its code and performs the autonomous encryption. In this case, it is possible to decrypt the files without paying the ransom.
- The cryptoware uses rdpclip.exe to replace the legitimate Windows file and for implementing the attack on the computer network.
- Upon successful file encryption, the cipherer is autonomously removed by means of the delself.bat command file.
%LocalAppData%\[guid]\[random_numbers]tmp.exe %LocalAppData%\[guid]\1.exe %LocalAppData%\[guid]\2.exe %LocalAppData%\[guid]\3.exe %LocalAppData%\[guid]\5.exe %LocalAppData%\[guid]\updatewin.exe C:\Windows\System32\Tasks\Time Trigger Task
Associated Registry Entries:
- BootkitX-gen [Rtk]
- FileRepMalware [Wrm]
- Win32:AceCrypter-T [Cryp]
In addition to encrypting a victim’s files, the DJVU family has also install the Azorult Spyware to steal account credentials, cryptocurrency wallets, desktop files, and more.
How to decrypt DJVU files?
Djvu Ransomware essentially has two versions.
- Old Version: Most older extensions (from “.djvu” up to “.carote (v154)”) decryption for most of these versions was previously supported by STOPDecrypter tool in case if infected files with an offline key. That same support has been incorporated into the new Emsisoft Decryptor for these old Djvu variants. The decrypter will only decode your files without submitting file pairs if you have an OFFLINE KEY.
- New Version: The newest extensions released around the end of August 2019 after the ransomware was changed. This includes .coharos, .shariz, .gero, .hese, .xoza, .seto, peta, .moka, .meds, .kvag, .domm, .karl, .nesa, .boot, etc….these new versions were supported only with Emsisoft Decryptor.
What is a “file pair”?
This is pair of files that are identical (as in they are the precise same data), except one duplicate is encrypted and the other is not.
How to identify offline or online key?
The SystemID/PersonalID.txt file created by STOP (DJVU) on your C drive contains all of the ID’s used in the encryption process.
Almost every offline ID ends with “t1”. Encryption by an OFFLINE KEY can be verified by viewing the Personal ID in the _readme.txt note and the C:\SystemID\PersonalID.txt file.
The quickest way to check if you were infected with an OFFLINE or ONLINE KEY is to:
- Find the PesonalID.txt file located in the folder C:\SystemID\ on the infected machine and check to see if there is only one or multiple IDs.
- If the ID ends with “t1” there is a chance that some or your files were encrypted by the OFFLINE KEY and are recoverable.
- If none of the ID’s listed ends with “t1” then all of your files were most likely encrypted with an ONLINE KEY and are not recoverable at this time.
Online & offline keys – What does it mean?
OFFLINE KEY indicates that the files are encrypted in offline mode. After discovering this key, it will be added to the decryptor and that files can be decrypted.
ONLINE KEY – was generated by the ransomware server. It means that the ransomware server generated a random set of keys that were used to encrypt files. Decrypt such files is not possible.
Encryption with the RSA algorithm used in the latest DJVU variants does not allow to use of a pair of “encrypted + original” files to train the decryption service. This secure type of encryption is resistant to cracking, and it is impossible to decrypt files without a private key. Even a supercomputer will need 100`000 years to calculate such a key.
The full list of known DJVU files extension:
I. STOP group
STOP, SUSPENDED, WAITING, PAUSA, CONTACTUS, DATASTOP, STOPDATA, KEYPASS, WHY, SAVEfiles, DATAWAIT, INFOWAIT
II. Puma group
puma, pumax, pumas, shadow
III. Djvu group
djvuu, uudjvu, blower, tfudet, promok, djvut, djvur, klope, charcl, doples, luces, luceq, chech, proden, drume, tronas, trosak, grovas, grovat, roland, refols, raldug, etols, guvara, browec, norvas, moresa, verasto, hrosas, kiratos, todarius, hofos, roldat, dutan, sarut, fedasot, forasom, berost, fordan, codnat, codnat1, bufas, dotmap, radman, ferosas, rectot, skymap, mogera, rezuc, stone, redmat, lanset, davda, poret, pidon, heroset, myskle, boston, muslat, gerosan, vesad, horon, neras, truke, dalle, lotep, nusar, litar, besub, cezor, lokas, godes, budak, vusad, herad, berosuce, gehad, gusau, madek, tocue, darus, lapoi, todar, dodoc, novasof, bopador, ntuseg, ndarod, access, format, nelasod, mogranos, nvetud, cosakos, kovasoh, lotej, prandel, zatrov, masok, brusaf, londec, kropun, londec, krusop, mtogas, nasoh, coharos, nacro, pedro, nuksus, vesrato, cetori, masodas, stare, carote, shariz,
IV. Gero group (RSA)
gero, hese, xoza, seto, peta, moka, meds, kvag, domn, karl, nesa, boot, noos, kuub, mike, reco, bora, leto, nols, werd, coot, derp, nakw, meka, toec, mosk, lokf, peet, grod, mbed, kodg, zobm, rote, msop, hets, righ, gesd, merl, mkos, nbes, piny, redl, kodc, nosu, reha, topi, npsg, btos, repp, alka, bboo, rooe, mmnn, ooss, mool, nppp, rezm, lokd, foop, remk, npsk, opqz, mado, jope, mpaj, lalo, lezp, qewe, mpal, sqpc, mzlq, koti, covm, pezi, zipe, nlah, kkll, zwer nypd, usam, tabe, vawe, moba, pykw, zida, maas, repl, kuus, erif, kook, nile, oonn, vari, boop, geno, kasp, .ogdo, .npph .kolz, .copa, .lyli, .moss, .foqe, .mmpa, .efji, .iiss, .jdyi, .vpsh, .agho, .vvoa, .epor, .sglh, .lisp, .weui, .nobu, .igdm, .booa, .omfl, .igal, .qlkm, .coos, .wbxd, .pola .cosd, .plam, .ygkz, .cadq, ribd, .tirp, .reig, .ekvf, .enfp, .ytbn, .fdcz, .urnb, .lmas, .wrui, .rejg or .pcqq, .igvm, nusm, ehiz, .paas, .pahd, .mppq, .qscx, .sspq, .iqll, .ddsg, .piiq, .neer, .miis, .leex, .zqqw, .lssr, .pooe, .zzla, .wwka, .gujd, .ufwj, .moqs, .hhqa, .aeur, .guer, .nooa, .muuq, .reqg, .hoop, .orkf, .iwan, .lqqw, .efdc, .wiot, .koom, .rigd, .tisc, .nqsq, .irjg, .vtua, .maql, .zaps, .rugj, .rivd, .cool, .palq, .stax, .irfk, .qdla, .qmak, .utjg, .futm, .iisa, .pqgs, .robm, .rigj, .moia, .yqal, .wnlu, .hgsh, .mljx, .yjqs, .shgv, .hudf.
The list of known DJVU e-mail:
firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
The list of latest STOP(DJVU) Ransomware.
- FEFG VIRUS (.fefg FILE) RANSOMWARE — FIX & DECRYPT DATA
- FDCV VIRUS (.fdcv FILE) RANSOMWARE — FIX & DECRYPT DATA
- DFWE VIRUS (.dfwe FILE) RANSOMWARE — FIX & DECRYPT DATA
- HRUU VIRUS (.hruu FILE) RANSOMWARE — FIX & DECRYPT DATA
- ERRZ VIRUS (.errz FILE) RANSOMWARE — FIX & DECRYPT DATA
- IFLA VIRUS (.ifla FILE) RANSOMWARE — FIX & DECRYPT DATA
- BYYA VIRUS (.byya FILE) RANSOMWARE — FIX & DECRYPT DATA
- KRUU VIRUS (.kruu FILE) RANSOMWARE — FIX & DECRYPT DATA
- MINE VIRUS (.mine FILE) RANSOMWARE — FIX & DECRYPT DATA
- EGFG VIRUS (.egfg FILE) RANSOMWARE — FIX & DECRYPT DATA
User Review( votes)