Stop/Djvu Decryptor is a specialized tool developed by Emsisoft, designed to assist in the recovery of files encrypted by the Stop/Djvu Ransomware. Stop/Djvu Ransomware is a type of malware that encrypts victims’ files using a strong encryption algorithm, making them inaccessible without the decryption key. The Decryptor tool aims to decrypt the files without having to pay the ransom to the cybercriminals.
The Stop/Djvu Decryptor
The Stop/Djvu Decryptor works by leveraging certain vulnerabilities or weaknesses in the encryption process employed by the ransomware. It attempts to recover the original files by reversing the encryption applied by the malware. The tool is regularly updated to address new variants of the Stop/Djvu Ransomware and enhance its effectiveness.
It is important to note that while the Decryptor has been successful in decrypting files for some victims, it may not work in all cases, especially if the ransomware used a particularly strong encryption method or if the files have been damaged. Therefore, it is recommended to always maintain proper backups of important files and implement preventive measures to protect against ransomware attacks.
What is Stop/Djvu Ransomware?
STOP/DJVU Ransomware encrypts victims’ files using the Salsa20 encryption algorithm, which is a robust cipher that poses a significant challenge to decryption without the correct key. The encrypted files are then given new extensions, such as “.bhui”, “.ahui”, “.bhtw”, “.bhgr”, among others.
The cybercriminals responsible for STOP/DJVU Ransomware demand a ransom payment to provide the decryption key needed to unlock the encrypted files. They typically leave a ransom note in the form of a text file on the desktop or within every folder containing encrypted files. The note provides instructions for paying the ransom and strongly advises against any attempts to remove the malware or decrypt the files without the proper decryption key.
It’s important to emphasize that paying the ransom does not guarantee the provision of the decryption key. There have been instances where cybercriminals failed to deliver the decryption key even after receiving the ransom payment. Therefore, taking preventive measures is essential to protect against ransomware attacks.
To safeguard your computer against STOP/DJVU Ransomware and other forms of ransomware, it is crucial to follow safe computing practices. This includes keeping your operating system and software up to date, refraining from opening suspicious email attachments, and only downloading software from reputable sources. Additionally, regular backup of important files to an external device or a cloud-based storage platform is highly recommended.
If you suspect that your computer has been infected with STOP/DJVU Ransomware, you should immediately disconnect from the internet to prevent the malware from spreading to other devices. Then, seek the assistance of a professional malware removal service to safely remove the malware from your system.
The Known Stop/Djvu Decryptor Updates
Updated 19 August 2021
The offline/private key for the .moqs variant of the STOP ransomware was added to the Emsisoft server.
Updated 12 July 2021
Updated 02 July 2021
Updated 31 May 2020
The .covm variant offline key was recovered by Emsisoft and added to the Emsisoft Decryptor server.
Updated 01 May 2020
Updated 06 Feb 2020
Updated 20 Jan 2020
Updated 06 Jan 2020
List of the New Stop/Djvu variants (148 variants) that Emsisoft can decrypt:
.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote
Updated 02 Dec 2019
List of the New Stop/Djvu variants that Emsisoft can decrypt. FOR OFFLINE KEY ONLY!
Updated 25 Nov 2019
Emsisoft Decryptor has obtained and uploaded to server OFFLINE KEYS for the following new STOP (Djvu) variant:
Updated 9 Nov 2019
Decryptor v.184.108.40.206 by Emsisoft currently can decrypt NEW Stop/Djvu variant with file extension:
Terms: Files encrypted with OFFLINE KEY.
There are limitations on which files can be restored. For all versions of STOP Djvu, files can be decrypted if they were encrypted with an offline key that is available to the developers of the Emsisoft Decryptor. For Old Djvu, files can also be decrypted using encrypted/original file pairs provided to the STOP Djvu Submission portal. Keep in mind that this does not apply to New Djvu, which was developed after August 2019.
What is a “file pair”?
A file pair is two files that are identical (the exact same data), except that one copy is encrypted and the other is not. The STOP Djvu Submission portal can analyze the differences between an encrypted file and an original copy of the same file, allowing it to determine how to decrypt that file. For most victims with an older variant of STOP/Djvu, submitting file pairs will be the only way to get their files back.
Restoring Your Files
- Begin by downloading the decryption tool from the same website that developed this “How To” guide. You can find the DJVU Decryption Tool here: https://www.emsisoft.com/ransomware-decryption-tools/download/stop-djvu.
- Launch the decryption utility as an administrator and agree to the license terms by clicking the “Yes” button.
- After accepting the license terms, the main user interface of the decryptor will appear.
- The decryptor will automatically populate the available locations to decrypt based on the default settings. This includes the currently connected drives, as well as network drives. If you want to add extra locations, you can use the “Add” button.
- The decryptor may offer various options specific to the malware family. You can find the currently available options in the Options tab, where you can activate or deactivate them. A detailed list of the active options will be provided.
- Once you have added all the desired locations for decryption to the list, click the “Decrypt” button to initiate the decryption process. The main screen will display the status view, showing the active process and the decryption statistics of your data.
- Once the decryption process is completed, the decryptor will notify you. If you need a report for your records, you can save it by selecting the “Save log” button. You also have the option to copy the report to your clipboard and paste it into emails or forum messages, if necessary.
The decryptor currently offers the following option:
- Keep encrypted files
Because the ransomware does not store any data regarding the unencrypted documents, the decryptor cannot guarantee that a decrypted file will be identical to the original. For that reason, the default setting is that the decryptor does not delete encrypted files after they have been decrypted. If you would like the decryptor to delete encrypted files once they have been decrypted, you can deactivate this option. This may be necessary if the space on your hard drive is limited.
Frequently Asked Questions
The decryptor requires version 4.5.2 or newer of the Microsoft .NET Framework, which could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this) and then trying the decryptor again.
When you run the decryptor, it looks for encrypted files. Therefore, it will say “Starting” until it can find some. If the decryptor remains stuck on “Starting” for a long time, this means it cannot find any encrypted files.
JPEG/JPG images have a format oddity that causes file pairs to be specific to each picture source rather than the file format in general. As an example, if you have pictures from two different cameras, and submit a file pair from the group of pictures from one of the cameras, then the decryptor will only be able to decrypt files from the camera that the file pair came from. Therefore, to decrypt all JPEG/JPG images, you will need to submit file pairs from every source you’ve obtained those pictures from.
It’s an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this:
The STOP Djvu ransomware encrypts only the first 150KB of files. Because MP3 files are rather large, some media players (Winamp, for example) may be able to play the files, but the first 3-5 seconds (the encrypted portion) will be missing.
You can try to find a copy of an original file that was encrypted:
- Files you downloaded from the Internet that were encrypted, and you can download again to get the original.
- Pictures that you shared with family and friends that they can send back to you.
- Photos that you uploaded on social media or cloud services (Carbonite, OneDrive, iDrive, Google Drive, etc.).
- Attachments in emails you sent or received and saved.
- Files on an older computer, flash drive, external drive, camera memory card, or iPhone where you transferred data to the infected computer.
If not, you can try to restore files through the system function – Restore Point.
Also, try removing the ransomware extension on a few BIG files and opening them. The STOP/Djvu ransomware may have read the file without encrypting it, or it may have hit a bug and not added the file marker. If your files are huge (2GB+), the latter is most likely.
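The file-pair description, the “first 150KB” note and the renamed-but-not-encrypted case above can be combined into a quick pre-check of a candidate pair before it is submitted. The Python below is an added example, not part of the Emsisoft decryptor or the submission portal. It assumes 1 KB = 1024 bytes, a hypothetical 64-byte tolerance around that boundary, and that anything past the original's length in the encrypted copy is appended data; the sample data is constructed, with XOR standing in for the cipher.

```python
"""Added example: sanity-check a candidate STOP/Djvu file pair before submitting it."""
import sys

ENCRYPTED_PREFIX = 150 * 1024   # "first 150KB" from the article; 1 KB = 1024 bytes is an assumption
SLACK = 64                      # hypothetical tolerance around that boundary


def check_pair(original: bytes, encrypted: bytes,
               prefix: int = ENCRYPTED_PREFIX, slack: int = SLACK) -> str:
    """Classify a candidate (original, encrypted) pair."""
    if len(encrypted) < len(original):
        return "not-a-pair"           # encrypted copy lost data: different or damaged file
    body = encrypted[:len(original)]  # ignore anything appended after the original length
    if body == original:
        return "not-encrypted"        # content untouched; only the name/extension changed
    cut = prefix + slack
    if len(original) <= cut:
        return "unverifiable"         # no unencrypted tail to show both are the same file
    if body[cut:] != original[cut:]:
        return "not-a-pair"           # tail differs: a different version of the file
    return "plausible-pair"


def constructed_samples():
    """Constructed data only: XOR stands in for the cipher, the trailer is made up."""
    original = bytes(i % 251 for i in range(200 * 1024))
    head = bytes(b ^ 0x5A for b in original[:ENCRYPTED_PREFIX])
    encrypted = head + original[ENCRYPTED_PREFIX:] + b"<constructed-trailer>"
    edited = original[:-10] + b"0123456789"   # a later revision of the same document
    return original, encrypted, edited


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python check_pair.py <original file> <encrypted file>
        with open(sys.argv[1], "rb") as f_orig, open(sys.argv[2], "rb") as f_enc:
            print(check_pair(f_orig.read(), f_enc.read()))
    else:
        orig, enc, edited = constructed_samples()
        print(check_pair(orig, enc), check_pair(edited, enc), check_pair(orig, orig))
```

A result of "unverifiable" means the original is no larger than the encrypted region, so there is no untouched tail to confirm that both files are the same document.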
How to decrypt DJVU Ransomware files? Emsisoft Decryptor
Name: Emsisoft Decryptor
Description: The STOP Djvu ransomware encrypts victim's files with Salsa20, and appends one of dozens of extensions to filenames. For all versions of STOP Djvu, files can be successfully decrypted if they were encrypted by an offline key. Unfortunately, this tool will not work for every victim as it can only recover files encrypted by 148 of the 160 variants. This will enable approximately 70% of victims to recover their data. For people affected by the remaining 12 variants, no solution currently exists and we are unable to offer further assistance at this point in time. It is recommended that those who find themselves in this position archive the encrypted data in case a solution becomes available in the future.
Offer price: 0.0
Operating System: Windows
Application Category: System Tools