Stop/Djvu Decryptor: How to Decrypt Files?

Stop/Djvu Decryptor is a specialized tool developed by Emsisoft, designed to assist in the recovery of files encrypted by the Stop/Djvu Ransomware. Stop/Djvu Ransomware is a type of malware that encrypts victims’ files using a strong encryption algorithm, making them inaccessible without the decryption key. The Decryptor tool aims to decrypt the files without having to pay the ransom to the cybercriminals.

The Stop/Djvu Decryptor

The Stop/Djvu Decryptor works by leveraging certain vulnerabilities or weaknesses in the encryption process employed by the ransomware. It attempts to recover the original files by reversing the encryption applied by the malware. The tool is regularly updated to address new variants of the Stop/Djvu Ransomware and enhance its effectiveness.

It is important to note that while the Decryptor has been successful in decrypting files for some victims, it may not work in all cases, especially if the ransomware used a particularly strong encryption method or if the files have been damaged. Therefore, it is recommended to always maintain proper backups of important files and implement preventive measures to protect against ransomware attacks.

What is Stop/Djvu Ransomware?

STOP/DJVU Ransomware encrypts victims’ files using the Salsa20 encryption algorithm, which is a robust cipher that poses a significant challenge to decryption without the correct key. The encrypted files are then given new extensions, such as “.bhui”, “.ahui”, “.bhtw”, “.bhgr”, among others.

The cybercriminals responsible for STOP/DJVU Ransomware demand a ransom payment to provide the decryption key needed to unlock the encrypted files. They typically leave a ransom note in the form of a text file on the desktop or within every folder containing encrypted files. The note provides instructions for paying the ransom and strongly advises against any attempts to remove the malware or decrypt the files without the proper decryption key.

It’s important to emphasize that paying the ransom does not guarantee the provision of the decryption key. There have been instances where cybercriminals failed to deliver the decryption key even after receiving the ransom payment. Therefore, taking preventive measures is essential to protect against ransomware attacks.

To safeguard your computer against STOP/DJVU Ransomware and other forms of ransomware, it is crucial to follow safe computing practices. This includes keeping your operating system and software up to date, refraining from opening suspicious email attachments, and only downloading software from reputable sources. Additionally, regular backup of important files to an external device or a cloud-based storage platform is highly recommended.

If you suspect that your computer has been infected with STOP/DJVU Ransomware, you should immediately disconnect from the internet to prevent the malware from spreading to other devices. Then, seek the assistance of a professional malware removal service to safely remove the malware from your system.

The Known Stop/Djvu Decryptor Updates

Updated 19 August 2021

The offline/private key for the .moqs variant of the STOP ransomware was added to the Emsisoft server.

Updated 12 Jule 2021

The .omfl, .geno, .nile .maas variants offline key was recovered by Emsisoft.

Updated 02 Jule 2021

The .sspq, .iqll, .ddsg variants offline key was recovered by Emsisoft. Any victims of these 3 variants that had files encrypted by the offline key can recover their files.

Updated 31 May 2020

The .covm variant offline key was recovered by Emsisoft and added to the Emsisoft Decryptor server.

Updated 01 May 2020

Emsisoft has announced that the offline keys for .opqz, .nppp and .npsk have been recovered and uploaded to the Emsisoft Decryptor server.

Updated 06 Feb 2020

Emsisoft has announced that the offline keys for .alka and .repp have been recovered and uploaded to the Emsisoft Decryptor server.

Updated 20 Jan 2020

Emsisoft Decryptor has obtained and uploaded to server new OFFLINE KEYS for the .nbes, .mkos STOP (Djvu) variant ransomware.

Updated 06 Jan 2020

List of the New Stop/Djvu variants for 148 variants that Emsisoft can decrypt.

.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote

Updated 02 Dec 2019

List of the New Stop/Djvu variants that Emsisoft can decrypt. FOR OFFLINE KEY ONLY!

.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk

Updated 25 Nov 2019

Emsisoft Decryptor has obtained and uploaded to server OFFLINE KEYS for the following new STOP (Djvu) variant:

.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk, .lokf, .peet, .mbed, .kodg

Updated 9 Nov 2019

Decryptor v.1.0.0.1 by Emsisoft currently can decrypt NEW Stop/Djvu variant with file extension:

.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .karl, .nesa, .noos, .kuub, .reco, .bora, .coot, .derp

Terms: Files encrypted with OFFLINE KEY.

There are certain limitations regarding what files can be restored. Speaking of all versions of STOP Djvu, you can properly decrypt the information if they were ciphered through an offline key available with the developers of the Emsisoft Decryptor. As for Old Djvu, the files can also be decrypted using encrypted/original file pairs provided to the STOP Djvu Submission portal. Keep in mind that this does not apply to New Djvu that was elaborated after August 2019.

What is a “file pair”?

This is pair of files that are identical (as in they are the precise same data), except one duplicate, is encrypted, and the other is not. STOP Djvu Submission portal can analyze the differences between an encrypted file and an original copy of the same file, allowing it to determine how to decrypt that file. For most victims with an older variant of STOP/Djvu, submitting file pairs will be the only way to get their files back.

Restoring Your Files

1. Launch the decryption utility as an administrator and agree to the license terms by clicking the “Yes” button. Here is an example of the license terms:
   
2. After accepting the license terms, the main user interface of the decryptor will appear. Here is an example of the user interface:
   
3. The decryptor will automatically populate the available locations to decrypt based on the default settings. This includes the currently connected drives, as well as network drives. If you want to add extra locations, you can use the “Add” button.
4. The decryptor may offer various options specific to the malware family. You can find the currently available options in the Options tab, where you can activate or deactivate them. A detailed list of the active options will be provided.
5. Once you have added all the desired locations for decryption to the list, click the “Decrypt” button to initiate the decryption process. The main screen will display the status view, showing the active process and the decryption statistics of your data. Here is an example:
   
6. Once the decryption process is completed, the decryptor will notify you. If you need a report for your records, you can save it by selecting the “Save log” button. You also have the option to copy the report to your clipboard and paste it into emails or forum messages, if necessary.

Decryptor options

The decryptor at this moment performs the following options:

• Keep encrypted files
  Because the ransomware does not store any data regarding the unencrypted documents, the decryptor does not guarantee that the decrypted file will be identical to the initially encrypted one. Hence, based on the default settings, the decryptor will, for safety reasons, not delete any encrypted documents after they have been decrypted. If you would like the decryptor to delete any ciphered documents once they have been decrypted, it is possible to deactivate this feature. Note that this may be applicable if the space on your hard drive is limited.

Frequently Asked Questions

German Japanese Spanish Portuguese (Brazil) French Turkish Chinese (Traditional) Korean Indonesian Hindi Italian