STOP/DJVU Ransomware (2024 Guide)

Written by Brendan Smith

The STOP/Djvu ransomware encrypts the user’s data with the AES-256 algorithm in CFB mode. It does not encrypt the entire file, however, but only approximately the first 5 MB of it. It then demands a ransom of $980, payable in Bitcoin, to restore the files.

The authors of the malware appear to have Russian roots: the operators use the Russian language and Russian words transliterated into English, and their domains are registered through Russian domain-registration companies. The crooks most likely have accomplices in other countries.

DJVU Ransomware Technical Info

Many users report that the ransomware arrived after they downloaded repackaged and infected installers of popular programs, or pirated activators for MS Windows and MS Office (such as KMSAuto Net, KMSPico, etc.), which the operators distribute through popular websites. This applies to both legitimate free applications and illegal pirated software.

The ransomware may also spread by exploiting poorly protected RDP configurations, and via email spam with malicious attachments, misleading downloads, exploits, web injectors, fake updates, and repackaged and infected installers.

The list of file extensions subject to encryption:

  • MS Office or OpenOffice documents
  • PDF and text files
  • Databases
  • Photos, Music, Video or Image files
  • Archives
  • Application files, etc.

STOP/DJVU ransomware drops ransom notes named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt and !readme.txt. The .djvu* and newer variants use _openme.txt, _open_.txt, or _readme.txt.

Stages of cryptoware infection

  1. Once launched, the ransomware executable connects to its command-and-control (C&C) server and obtains the encryption key and an infection identifier for the victim’s PC. The data is transferred over HTTP in JSON form.
  2. If the C&C server is unavailable (the PC is not connected to the Internet, or the server does not respond), the ransomware falls back to a hard-coded encryption key embedded in its code and encrypts the files autonomously. In this case, it is possible to decrypt the files without paying the ransom.
  3. The ransomware uses rdpclip.exe: it replaces the legitimate Windows file in order to carry out the attack on the computer network.
  4. Once file encryption succeeds, the encryptor removes itself using the delself.bat batch file.

Associated Items

C:\Users\Admin\AppData\Local\3371e4e8-b5a0-4921-b87b-efb4e27b9c66\build3.exe
C:\Users\Admin\AppData\Local\Temp\C1D2.dll
C:\Users\Admin\AppData\Local\Temp\19B7.exe
C:\Users\Admin\AppData\Local\Temp\2560.exe
Tasks: "Azure-Update-Task"
Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper
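To hunt for the persistence artifacts listed above across collected host data, here is an added Python example (not code from the original page or from HowToFix.Guide) that matches autorun and scheduled-task entries against those items; the `location`/`name`/`image` record shape and the sample entries are assumptions, and the GUID folder and 4-hex-digit Temp names are matched by pattern because they differ per infection.

```python
import re
from typing import Dict, List

# Indicators taken from the "Associated Items" list above. The GUID folder name
# and the 4-hex-digit Temp file names vary per infection, so those two are
# matched by pattern rather than by the exact values shown on the page.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SysHelper"
TASK_NAME = "Azure-Update-Task"
GUID_BUILD_RE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"\\build\d*\.exe$", re.IGNORECASE)
TEMP_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-F]{4}\.(exe|dll)$", re.IGNORECASE)

def check_entry(entry: Dict[str, str]) -> List[str]:
    """Return the indicator names one autorun or scheduled-task entry matches.
    `entry` is a hypothetical dict with keys 'location', 'name' and 'image'."""
    loc = entry.get("location", "").lower()
    name = entry.get("name", "").lower()
    image = entry.get("image", "")
    hits = []
    if loc == RUN_KEY.lower() and name == RUN_VALUE.lower():
        hits.append("Run value SysHelper")
    if name == TASK_NAME.lower():
        hits.append("scheduled task Azure-Update-Task")
    if GUID_BUILD_RE.search(image):
        hits.append("build*.exe in a GUID folder under AppData\\Local")
    if TEMP_DROP_RE.search(image):
        hits.append("4-hex-digit dropper in AppData\\Local\\Temp")
    return hits

def hunt(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    # Map entry name -> matched indicators, only for entries that matched something.
    found = {}
    for e in entries:
        hits = check_entry(e)
        if hits:
            found[e["name"]] = hits
    return found

# Constructed sample entries (not from a real host): the page's paths plus one benign entry.
SAMPLE_ENTRIES = [
    {"location": RUN_KEY, "name": "SysHelper",
     "image": r"C:\Users\Admin\AppData\Local\3371e4e8-b5a0-4921-b87b-efb4e27b9c66\build3.exe"},
    {"location": "Task Scheduler", "name": "Azure-Update-Task",
     "image": r"C:\Users\Admin\AppData\Local\Temp\19B7.exe"},
    {"location": RUN_KEY, "name": "OneDrive",
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
```

Feed `hunt()` whatever your collector produces in that record shape; an empty result for a host means none of the page's persistence indicators were present.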

Network Traffic


Antivirus detection

Crackithub.com, kmspico10.com, crackhomes.com, and piratepc.net are some of the STOP Ransomware distribution sites. Any program downloaded from there can be infected with this ransomware!

In addition to encrypting a victim’s files, the DJVU family has also been observed installing the Azorult spyware to steal account credentials, cryptocurrency wallets, desktop files, and more.

How to decrypt STOP/DJVU Ransomware files?

Djvu ransomware essentially comes in two versions.

  1. Old version: for most older extensions (from “.djvu” up to “.carote” (v154)), decryption was previously supported by the STOPDecrypter tool when the files had been encrypted with an offline key. That support has since been incorporated into the new Emsisoft Decryptor for these old Djvu variants. The decryptor will decode your files without submitting file pairs only if you have an OFFLINE KEY.
  2. New version: the newest extensions were released around the end of August 2019, after the ransomware was changed. This includes .nury, .nuis, .tury, .tuis, etc. These new versions are supported only by the Emsisoft Decryptor.

What is a “file pair”?

This is a pair of files with identical content (the same precise data), except that one copy is encrypted and the other is not.

How to identify offline or online key?

The SystemID/PersonalID.txt file created by STOP (DJVU) on your C drive contains all of the IDs used in the encryption process.

Almost every offline ID ends with “t1”. Encryption with an OFFLINE KEY can be verified by viewing the Personal ID in the _readme.txt note and in the C:\SystemID\PersonalID.txt file.

The quickest way to check if you were infected with an OFFLINE or ONLINE KEY is to:

  1. Find the PersonalID.txt file in the folder C:\SystemID\ on the infected machine and check whether it contains one ID or several.
  2. If an ID ends with “t1”, there is a chance that some of your files were encrypted with the OFFLINE KEY and are recoverable.
  3. If none of the IDs listed end with “t1”, then all of your files were most likely encrypted with an ONLINE KEY and are not recoverable at present.
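The three-step check above, as an added Python example (not code from the original page): it takes the text of C:\SystemID\PersonalID.txt, assumes one ID per line (the page does not state the file layout), and applies the “ends with t1” rule; the sample IDs are constructed.

```python
from typing import Dict, List

# Assumption (not stated on the page): PersonalID.txt lists one personal ID
# per line. Blank lines and surrounding whitespace are ignored.
OFFLINE_SUFFIX = "t1"

def parse_personal_ids(text: str) -> List[str]:
    """Return the distinct IDs found in PersonalID.txt, in file order."""
    ids: List[str] = []
    for line in text.splitlines():
        token = line.strip()
        if token and token not in ids:
            ids.append(token)
    return ids

def classify_ids(ids: List[str]) -> Dict[str, List[str]]:
    """Split IDs into offline (ending in 't1') and online (everything else)."""
    result: Dict[str, List[str]] = {"offline": [], "online": []}
    for pid in ids:
        result["offline" if pid.endswith(OFFLINE_SUFFIX) else "online"].append(pid)
    return result

def triage(text: str) -> str:
    """Apply the page's three-step check and return a one-line verdict."""
    ids = parse_personal_ids(text)
    if not ids:
        return "no IDs found: file missing or empty, check the ID in _readme.txt instead"
    groups = classify_ids(ids)
    if groups["offline"] and not groups["online"]:
        return "offline key only: files may be recoverable with a decryptor"
    if groups["offline"]:
        return "mixed: files under the offline ID(s) may be recoverable, the rest are not"
    return "online key(s) only: files are most likely not recoverable at present"

# Constructed sample file content: one made-up offline ID and one online ID.
SAMPLE_MIXED = "0123abcdEFGHijklMNOPqrst1\n\n9876zyxwVUTSrqpoNMLKjihg\n"

if __name__ == "__main__":
    print(triage(SAMPLE_MIXED))
```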

Online & offline keys – What does it mean?

OFFLINE KEY indicates that the files were encrypted in offline mode. Once this key is discovered, it is added to the decryptor and the files can be decrypted.

ONLINE KEY means the key was generated by the ransomware server: the server generated a random set of keys that were used to encrypt the files. Decrypting such files is not possible.

The RSA encryption used in the latest DJVU variants does not allow a pair of “encrypted + original” files to be used to train the decryption service. This type of encryption is resistant to cracking, and it is impossible to decrypt the files without the private key. Even a supercomputer would need 100,000 years to compute such a key.

Encrypted files extension

I. STOP group

STOP, SUSPENDED, WAITING, PAUSA, CONTACTUS, DATASTOP, STOPDATA, KEYPASS, WHY, SAVEfiles, DATAWAIT, INFOWAIT

II. Puma group

puma, pumax, pumas, shadow

III. Djvu group

djvuu, uudjvu, blower, tfudet, promok, djvut, djvur, klope, charcl, doples, luces, luceq, chech, proden, drume, tronas, trosak, grovas, grovat, roland, refols, raldug, etols, guvara, browec, norvas, moresa, verasto, hrosas, kiratos, todarius, hofos, roldat, dutan, sarut, fedasot, forasom, berost, fordan, codnat, codnat1, bufas, dotmap, radman, ferosas, rectot, skymap, mogera, rezuc, stone, redmat, lanset, davda, poret, pidon, heroset, myskle, boston, muslat, gerosan, vesad, horon, neras, truke, dalle, lotep, nusar, litar, besub, cezor, lokas, godes, budak, vusad, herad, berosuce, gehad, gusau, madek, tocue, darus, lapoi, todar, dodoc, novasof, bopador, ntuseg, ndarod, access, format, nelasod, mogranos, nvetud, cosakos, kovasoh, lotej, prandel, zatrov, masok, brusaf, londec, kropun, londec, krusop, mtogas, nasoh, coharos, nacro, pedro, nuksus, vesrato, cetori, masodas, stare, carote, shariz,

IV. Gero group (RSA)

gero, hese, xoza, seto, peta, moka, meds, kvag, domn, karl, nesa, boot, noos, kuub, mike, reco, bora, leto, nols, werd, coot, derp, nakw, meka, toec, mosk, lokf, peet, grod, mbed, kodg, zobm, rote, msop, hets, righ, gesd, merl, mkos, nbes, piny, redl, kodc, nosu, reha, topi, npsg, btos, repp, alka, bboo, rooe, mmnn, ooss, mool, nppp, rezm, lokd, foop, remk, npsk, opqz, mado, jope, mpaj, lalo, lezp, qewe, mpal, sqpc, mzlq, koti, covm, pezi, zipe, nlah, kkll, zwer nypd, usam, tabe, vawe, moba, pykw, zida, maas, repl, kuus, erif, kook, nile, oonn, vari, boop, geno, kasp, .ogdo, .npph .kolz, .copa, .lyli, .moss, .foqe, .mmpa, .efji, .iiss, .jdyi, .vpsh, .agho, .vvoa, .epor, .sglh, .lisp, .weui, .nobu, .igdm, .booa, .omfl, .igal, .qlkm, .coos, .wbxd, .pola .cosd, .plam, .ygkz, .cadq, .ribd, .tirp, .reig, .ekvf, .enfp, .ytbn, .fdcz, .urnb, .lmas, .wrui, .rejg or .pcqq, .igvm, nusm, ehiz, .paas, .pahd, .mppq, .qscx, .sspq, .iqll, .ddsg, .piiq, .neer, .miis, .leex, .zqqw, .lssr, .pooe, .zzla, .wwka, .gujd, .ufwj, .moqs, .hhqa, .aeur, .guer, .nooa, .muuq, .reqg, .hoop, .orkf, .iwan, .lqqw, .efdc, .wiot, .koom, .rigd, .tisc, .nqsq, .irjg, .vtua, .maql, .zaps, .rugj, .rivd, .cool, .palq, .stax, .irfk, .qdla, .qmak, .utjg, .futm, .iisa, .pqgs, .robm, .rigj, .moia, .yqal, .wnlu, .hgsh, .mljx, .yjqs, .shgv, .hudf, .nnqp, .xcmb, .sbpg, .miia, .loov, .dehd, .vgkf, .nqhd, .zaqi, .vfgj, .fhkf, .maak, .qqqw, .yoqs, .qqqe, .bbbw, .maiv, .bbbe, .bbbr, .qqqr, .avyu, .cuag, .iips, .ccps, .qnty, .naqi, .ckae, .eucy, .gcyi, .ooii, .rtgf, .jjtt, .fgui, .vgui, .fgnh, .sdjm, .dike, .xgpr, .iiof, .ooif, .vyia, .qbaa, .fopa, .vtym, .ftym, .bpqd, .xcbg, .kqgs, .iios, .vlff, .eyrv, .uigd, .rguy, .mmuz, .kkia, .hfgd, .ssoi, .pphg, .wdlo, .kxde, .snwd, .mpag, .voom, .gtys, .udla, .tuid, .uyjh, .qall, .qpss, .hajd, .ghas, .dqws, .nuhb, .dwqs, .ygvb, .msjd, .dmay, .jhdd, .jhbg, .dewd, .jhgn, .ttii, .mmob, .hhjk, .sijr, .bbnm, .xcvf, .egfg, .mine, .kruu, .byya, .ifla, .errz, .hruu, .dfwe, .fdcv, 
.fefg, .qlln, .nnuz, .zpps, .ewdf, .zfdv, .uihj, .zdfv, .rryy, .rrbb, .rrcc, .eegf, .bnrs, .bbzz, .bbyy, .bbii, .efvc, .hkgt, .eijy, .lloo, .lltt, .llee, .llqq, .dkrf, .eiur, .ghsd, .jjyy, .jjll, .jjww, .hhwq, .hhew, .hheo, .hhyu, .ggew, .ggyu, .ggeo, .ggwq, .hhye, .ooxa, .oori, .vveo, .vvwq, .vvew, .vveq, .vvyu, .dnet, .qstx, .ccew, .ccyu, .cceq, .ccwq, .cceo, .ccza, .qqmt, .qqlo, .qqlc, .oxva, .qqri, .qqjj, .qqkk, .qqpp, .xbtl, .oopu, .oodt, .oovb, .mmpu, .mmvb, .mmdt, .eewt, .eemv, .enus, .eeyu, .epub, .eebn, .stop, .aamv, .aawt, .aayu, .aabn, .oflg, .ofww, .ofoq, .adlg, .adoq, .adww, .tohj, .towz, .powz, .pohj, .tury, .tuis, .tuow, .nury, .nuis, .nuow, .nury, .powd, .pozq, .bowd, .bozq, .zatp, .zate, .fatp, .fate, .tcvp, .tcbu, .kcvp, .kcbu, .uyro, .uyit, .mppn, .mbtf, .manw, .maos, .matu, .btnw, .btos, .bttu, .isal, .iswr, .isza, .znsm, .znws, .znto, .bpsm, .bpws, .bpto, .zoqw, .zouu, .poqw, .pouu, .mzqw, .mztu, .mzop, .assm, .erqw, .erop, .vvmm, .vvoo, .hhmm, .hhee, .hhoo, .iowd, .ioqa, .iotr, .qowd, .qoqa, .qotr, .gosw, .goaq, .goba, .cosw, .coaq, .coba, craa, .qazx, .qapo, .qarj, .dazx, .dapo, .darj, .tycx, .tywd, .typo, .tyos, .jycx, .jywd, .jypo, .jyos, .nifr, .nitz, .niwm, .kiop, .kifr, .kitz, .kiwm, .boty, .boza, .coty, .coza, .fofd, .foty .foza, .sato, .saba, .qopz, .qore, .gash, .gatz, .xash, .xatz, .xaro, .gaze, .gatq, .gapo, .vaze, .vatq, .vapo, .werz, .weqp, .weon, .nerz, .neqp, .neon, .ahtw, .ahgr, .ahui, .bhtw, .bhgr, .bhui, .tghz, .tgpo, .tgvv, .aghz, .agpo, .agvv, .wazp, .waqq, .wayn, .gazp, .gaqq, .gayn, .miza, .mitu, .miqe, .kizu, .kitu, .kiqu, .wsaz, .wspn, .wsuu, .poaz, .popn, .pouu, .yyza, .yytw, .yyza, .tasa, .taqw, .taoy, .jasa, .jaqw, .jaoy, .wzqw, .wzer, .wzoq, .wztt, .nzqw, .nzer, .nzoq, .nztt, .teza, .rzkd, .rzfu, .rzew, .rzml, .hgkd, .hgfu, .hgew, .hgml, .oopl, .ooty, .oohu, .ooza, .wwpl, .wwty, .wwhu, .wwza, .azqt, .azre, .azop, .azhi, .mzqt, .mzre, .mzop, .mzhi, .ttwq, .ttza, .ttap, .ttrd, .mlwq, .mlza, .mlap, .mlrd, .ptqw, .ptrz, 
.pthh, .itqw, .itrz, .ithh, .zpas, .zpww, .zput, .ppvs, .ppvw, .ppvt, .yzaq, .yzqe, .yzoo, jzeq, .jzie, .eqew, .eqza, .iicc, .gyew, .gyca, .gycc, .jazi, .jawr, .nbzi, .nbwr, .hhuy, .hhaz, .ljuy, .ljaz, .loqw, .lomz, .cdqw, .cdmx, .cdwe, .cdaz, .cdpo, .cdtt, .cdcc, .cdxx, .ldhy.

.btos (V0618, Dec 2022) reuses the extension previously used by V0202 (Jan 2020)

.mzqw (V0635, Jan 2023) reuses the extension previously used by V0625 (Jan 2023)

.pouu (V0755, Jul 2023) reuses the extension previously used by V0634 (Jan 2023)

.mzop (V0796, Sep 2023) reuses the extension previously used by V0637 (Jan 2023)

The list of known DJVU e-mail addresses:

support@fishmail.top, datarestorehelp@airmail.cc, manager@mailtemp.ch, helprestoremanager@airmail.cc, helpteam@mail.ch, helpdatarestore@firemail.cc, helpmanager@mail.ch, helpmanager@firemail.cc, helpmanager@iran.ir, datarestorehelp@firemail.cc, datahelp@iran.ir, restorefiles@firemail.cc, salesrestoresoftware@firemail.cc, salesrestoresoftware@gmail.com, amundas@firemail.cc, gerentosrestore@firemail.cc, gerentoshelp@firemail.cc


About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.
