How to Decrypt Files Locked by STOP/DJVU Ransomware

STOP/DJVU Ransomware is a malicious program that encrypts victims’ files with the Salsa20 encryption algorithm. This encryption algorithm is a high-strength cipher that is difficult to break without the decryption key. Once the files are encrypted, STOP/DJVU Ransomware adds one of dozens of extensions to the filenames, such as “.wrui”, “.pcqq”, “.ytbn”, “.nusm”, and so on.

The cybercriminals behind STOP/DJVU Ransomware demand a ransom payment in exchange for the decryption key to unlock the encrypted files. The ransom note is usually a text file that is placed on the desktop or in every folder containing encrypted files. The note contains instructions on how to pay the ransom and warns against attempting to remove the malware or decrypt the files without the decryption key.

The ransom note “_readme.txt” contains the following text:

ATTENTION!

Don't worry, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

https://we.tl/t-WJa63R98Ku

Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

helpmanager@mail.ch

Reserve e-mail address to contact us:

restoremanager@firemail.cc

Your personal ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

It is important to note that paying the ransom does not guarantee that the decryption key will be provided, and there have been instances where the cybercriminals did not deliver the decryption key even after receiving the ransom payment. Therefore, it is crucial to take preventive measures to protect against ransomware attacks.

To prevent STOP/DJVU Ransomware and other types of ransomware from infecting your computer, you should follow safe computing practices such as keeping your operating system and software up to date, avoiding opening suspicious email attachments, and downloading software from reputable sources. Additionally, you should regularly backup your important files to an external device or a cloud-based storage platform.

If you suspect that your computer has been infected with STOP/DJVU Ransomware, you should immediately disconnect from the internet to prevent the malware from spreading to other devices. Then, seek the assistance of a professional malware removal service to safely remove the malware from your system.

Updated 19 August 2021

The offline/private key for the .moqs variant of the STOP ransomware was added to the Emsisoft server.

Updated 12 Jule 2021

The .omfl, .geno, .nile .maas variants offline key was recovered by Emsisoft.

Updated 02 Jule 2021

The .sspq, .iqll, .ddsg variants offline key was recovered by Emsisoft. Any victims of these 3 variants that had files encrypted by the offline key can recover their files.

Updated 31 May 2020

The .covm variant offline key was recovered by Emsisoft and added to the Emsisoft Decryptor server.

Updated 01 May 2020

Emsisoft has announced that the offline keys for .opqz, .nppp and .npsk have been recovered and uploaded to the Emsisoft Decryptor server.

Updated 06 Feb 2020

Emsisoft has announced that the offline keys for .alka and .repp have been recovered and uploaded to the Emsisoft Decryptor server.

Updated 20 Jan 2020

Emsisoft Decryptor has obtained and uploaded to server new OFFLINE KEYS for the .nbes, .mkos STOP (Djvu) variant ransomware.

Updated 06 Jan 2020

List of the New Stop/Djvu variants for 148 variants that Emsisoft can decrypt.

.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote

Updated 02 Dec 2019

List of the New Stop/Djvu variants that Emsisoft can decrypt. FOR OFFLINE KEY ONLY!

.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk

Updated 25 Nov 2019

Emsisoft Decryptor has obtained and uploaded to server OFFLINE KEYS for the following new STOP (Djvu) variant:

.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk, .lokf, .peet, .mbed, .kodg

Updated 9 Nov 2019

Decryptor v.1.0.0.1 by Emsisoft currently can decrypt NEW Stop/Djvu variant with file extension:

.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .karl, .nesa, .noos, .kuub, .reco, .bora, .coot, .derp

Terms: Files encrypted with OFFLINE KEY.

There are certain limitations regarding what files can be restored. Speaking of all versions of STOP Djvu, you can properly decrypt the information if they were ciphered through an offline key available with the developers of the Emsisoft Decryptor. As for Old Djvu, the files can also be decrypted using encrypted/original file pairs provided to the STOP Djvu Submission portal. Keep in mind that this does not apply to New Djvu that was elaborated after August 2019.

What is a “file pair”?

This is pair of files that are identical (as in they are the precise same data), except one duplicate, is encrypted, and the other is not. STOP Djvu Submission portal can analyze the differences between an encrypted file and an original copy of the same file, allowing it to determine how to decrypt that file. For most victims with an older variant of STOP/Djvu, submitting file pairs will be the only way to get their files back.

How to restore your files?

1. Start downloading the decryption tool¹ through the same website that developed this “How To” guide.
2. Make sure to launch the decryption utility as an administrator. You need to agree with the license terms that will come up. For this purpose, click on the “Yes” button:
3. As soon as you accept the license terms, the main decryptor user interface comes up:
4. Based on the default settings, the decryptor will automatically populate the available locations to decrypt the currently available drives (the connected ones), including the network drives. Extra (optional) locations can be selected with the help of the “Add” button.
5. Decryptors normally suggest several options considering the specific malware family. The currently possible options are presented in the Options tab and can be activated or deactivated there. You may locate a detailed list of the currently active Options below.
6. As soon as you add all the desired locations for decryption into the list, click on the “Decrypt” button to initiate the decryption procedure. Note that the main screen may turn you to a status view, letting you know of the active process and the decryption statistics of your data:
7. The decryptor will notify you as soon as the decryption procedure is completed. If you need the report for your personal papers, you can save it by choosing the “Save log” button. Note that it is also possible to copy it directly to your clipboard and to paste it into emails or forum messages if you need to do so.

Decryptor options

The decryptor at this moment performs the following options:

• Keep encrypted files
  Because the ransomware does not store any data regarding the unencrypted documents, the decryptor does not guarantee that the decrypted file will be identical to the initially encrypted one. Hence, based on the default settings, the decryptor will, for safety reasons, not delete any encrypted documents after they have been decrypted. If you would like the decryptor to delete any ciphered documents once they have been decrypted, it is possible to deactivate this feature. Note that this may be applicable if the space on your hard drive is limited.

Frequently Asked Questions

It is better to prevent, than repair and repent!

When we talk about the intrusion of unfamiliar programs into your computer’s work, the proverb “Forewarned is forearmed” describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.

DOWNLOAD NOW

GridinSoft Anti-Malware 6-day trial available.
EULA | Privacy Policy | GridinSoft

Subscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.

1. DJVU Decryption Tool: https://www.emsisoft.com/ransomware-decryption-tools/download/stop-djvu

Article

How to decrypt DJVU Ransomware files?

Description

The newest version DJVU Ransomware (released around the end of August 2019) supported only the Emsisoft Decryptor tool. Files can be properly decrypted if they were encrypted by an offline key.

Author

Brendan Smith

Copyright

HowToFix.Guide

 

German Japanese Spanish Portuguese (Brazil) French Turkish Chinese (Traditional) Korean Indonesian Hindi Italian