The Werz virus, which belongs to the STOP/DJVU family of ransomware-type infections, encrypts your files (videos, photos, documents) with a specific “.werz” extension. It uses a strong encryption method that makes the key inaccessible through any means.
Werz uses a unique key for each victim, with one exception:
- If Werz fails to connect to its command and control server (C&C Server) before starting the encryption process, it uses the offline key. This key remains the same for all victims, allowing the decryption of files encrypted during a ransomware attack.
I have created a comprehensive collection of all possible solutions, tips, and best practices for eliminating the Werz virus and decrypting files. In some cases, file recovery can be simple, while in others, it may be challenging to overcome.
Below, I will demonstrate several methods that can be universally applied to recover .werz files that have been encrypted. It is essential to carefully read all instructions and fully understand them. Make sure to follow each step diligently as every step is crucial and requires your completion.
The Werz Virus
βοΈ Identifying Werz as a STOP/DJVU Ransomware Infection
The Werz Virus
π€ The Werz virus is a ransomware belonging to the DJVU/STOP family. Its primary objective is to encrypt vital files, subsequently demanding a ransom payment in Bitcoin from its victims.
The Werz virus is a specific variant of malware that encrypts your files and coerces you into paying for their release. It is important to note that the Djvu/STOP ransomware family was first unveiled and analyzed by virus analyst Michael Gillespie.
The Werz virus bears similarities to other DJVU ransomware strains such as Vatq, Vapo, and Vaze. This malicious software encrypts popular file types and appends the “.werz” extension to all affected files. For instance, a file named “1.jpg” would be transformed into “1.jpg.werz“. Once the encryption process is completed successfully, the virus generates a special text file named “_readme.txt” and deposits it in all folders containing the encrypted files.
The image below provides a visual representation of files encrypted with the “.werz” extension:
_readme.txt (STOP/DJVU Ransomware) – The scary alert demanding from users to pay the ransom to decrypt the encoded data contains these frustrating warnings
The Werz ransomware carries out multiple processes to perform various tasks on the victim’s computer. One of the initial processes it executes is winupdate.exe, which disguises itself as a fake Windows update prompt during the attack. Its intention is to deceive the victim into thinking that a sudden system slowdown is caused by a Windows update. Simultaneously, the ransomware launches another process (usually named with four random characters) responsible for scanning the system and encrypting targeted files. Additionally, the ransomware runs the following CMD command to delete Volume Shadow Copies from the system:
vssadmin.exe Delete Shadows /All /Quiet
Once deleted, it becomes impossible to restore the computer to its previous state using System Restore Points. The ransomware operators eliminate any Windows OS-based methods that could assist victims in recovering their files for free. Furthermore, the attackers modify the Windows HOSTS file by appending a list of domains and mapping them to the localhost IP. As a result, when attempting to access any of the blocked websites, the victim encounters a DNS_PROBE_FINISHED_NXDOMAIN error.
We have discovered that the ransomware attempts to block websites that offer various how-to guides for computer users. By restricting specific domains, the criminals aim to hinder victims from accessing relevant and helpful information about ransomware attacks. The virus also generates two text files on the victim’s computer, which contain details related to the attack: the victim’s public encryption key and personal ID. These files are named bowsakkdestx.txt and PersonalID.txt.
After implementing the mentioned modifications, the malware continues its operations. Variants of the STOP/DJVU ransomware often utilize trojans that steal passwords, such as Vidar Stealer or RedLine Stealer. These threats possess a wide range of capabilities, including:
- Stealing login credentials for platforms like Steam, Telegram, Skype, and others.
- Stealing cryptocurrency wallets.
- Downloading and executing malware on the infected computer.
- Extracting browser cookies, saved passwords, browsing history, and other sensitive information.
- Accessing and manipulating files on the victim’s computer.
- Enabling remote control of the victim’s computer, allowing hackers to perform various tasks.
The DJVU/STOP virus employs the AES-256 cryptography algorithm. Therefore, if your files have been encrypted with a unique online decryption key, it becomes impossible to decrypt them without that specific key.
If Werz operates in online mode, it is not possible for you to obtain the AES-256 key as it is stored on a remote server controlled by the malicious actors behind the Werz virus.
To obtain the decryption key, a payment of $980 is required. The victims are instructed to contact the fraudsters via email ([email protected]) to receive payment details.
The message by the ransomware states the following information:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-WJa63R98Ku Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Do not pay for Werz!
Please, try to use the available backups, or Decrypter tool
The _readme.txt file also states that computer owners must contact representatives of Werz within 72 hours from the time their files were encrypted. By doing so within the specified timeframe, users are promised a 50% discount, reducing the ransom amount to $490. However, I strongly advise against contacting these fraudsters and making any payments. One of the most effective solutions for recovering lost data is to utilize available backups or use a Decrypter tool.
It’s important to note that these types of viruses follow a similar pattern in generating unique decryption keys for data recovery. Unless the ransomware is still in the development stage or has significant flaws that can be exploited, manual recovery of encrypted data is not feasible. Regularly creating backups of your important files is the best way to prevent data loss.
Keep in mind that even if you maintain regular backups, they should be stored in a separate location and not connected to your main workstation. For example, you can store backups on a USB flash drive, an external hard drive, or utilize online/cloud storage services. Storing backups on your main device is not advisable as they can be susceptible to encryption, just like your other data.
How I was infected?
Ransomware has a various methods to built into your system. But it doesn’t really matter what concrete method was used in your case.
Werz virus attack following a successful phishing attempt.
However, there are common ways through which the Werz ransomware can infiltrate your PC:
- It can be hidden in the installation bundle of other applications, especially utilities offered as freeware or shareware.
- Deceptive links in spam emails can lead to the installation of the virus.
- Online free hosting resources can be exploited by the ransomware.
- Downloading pirated software from illegal peer-to-peer (P2P) sources can also expose you to the virus.
There have been instances where the Werz virus masquerades as a legitimate tool, such as messages that demand the initiation of unwanted software or browser updates. This is a tactic used by online fraudsters to manipulate you into manually installing the Werz ransomware, essentially tricking you into participating in the process.
Of course, the fake update alert will not explicitly indicate that you are installing ransomware. Instead, it will be disguised as an alert suggesting the need to update Adobe Flash Player or another suspicious program.
It’s important to note that using cracked apps poses a significant risk as well. Engaging in illegal peer-to-peer (P2P) activities not only violates copyright laws but also exposes you to serious malware, including the Werz ransomware.
To summarize, what can you do to avoid the infiltration of the Werz ransomware into your device? While there is no foolproof method to guarantee complete prevention, here are some tips to help you minimize the risk of Werz penetration. It is crucial to exercise caution when installing free software nowadays.
Always pay attention to what the installers offer in addition to the main free program. Avoid opening suspicious email attachments and refrain from opening files sent by unknown senders. Additionally, ensure that your security program is regularly updated.
The malware does not openly reveal itself. It will not be listed among your available programs. Instead, it will disguise itself as a malicious process running silently in the background from the moment you start your computer.
How To Remove Werz Virus?
In addition to encode a victim’s files, the Werz virus has also started to install the Azorult Spyware on system to steal account credentials, cryptocurrency wallets, desktop files, and more.1
Reasons why I would recommend GridinSoft2
There is no better way to recognize, remove and prevent ransomware than to use an anti-malware software from GridinSoft3.
-
Download Removal Tool.
You can download GridinSoft Anti-Malware by clicking the button below:
-
Run the setup file.
When setup file has finished downloading, double-click on the setup-antimalware-fix.exe file to install GridinSoft Anti-Malware on your PC.
An User Account Control asking you about to allow GridinSoft Anti-Malware to make changes to your device. So, you should click βYesβ to continue with the installation.
-
Press “Install” button.
-
Once installed, Anti-Malware will automatically run.
-
Wait for complete.
GridinSoft Anti-Malware will automatically start scanning your PC for Werz infections and other malicious programs. This process can take a 20-30 minutes, so I suggest you periodically check on the status of the scan process.
-
Click on “Clean Now”.
When the scan has finished, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them click on the βClean Nowβ button in right corner.
-
Trojan Killer for special instances
In some certain instances, Werz ransomware can block the running of setup files of different anti-malware programs. In this situation, you need to utilize the removable drive with a pre-installed antivirus tool.
There is a really little number of security tools that are able to be set up on the USB drives, and antiviruses that can do so in most cases require to obtain quite an expensive license. For this instance, I can recommend you to use another solution of GridinSoft – Trojan Killer Portable. It has a 14-days cost-free trial mode that offers the entire features of the paid version 4. This term will definitely be 100% enough to wipe malware out.
How To Decrypt .werz Files?
Restore solution for big “.werz files“
Try removing .werz extension on a few BIG files and opening them. Either the Werz virus read and did not encrypt the file, or it bugged and did not add the filemarker. If your files are very large (2GB+), the latter is most likely. Please, let me know in comments if that will work for you.
The newest extensions released around the end of August 2019 after the criminals made changes. This includes Gatq, Gaze, Gapo, etc.
As a result of the changes made by the criminals, STOPDecrypter is no longer supported. It has been removed and replaced with the Emsisoft Decryptor for STOP Djvu Ransomware developed by Emsisoft.
You can download free decryption tool here: Decryptor for STOP Djvu.
-
Download and run decryption tool.
Start downloading the decryption tool.
Make sure to launch the decryption utility as an administrator. You need to agree with the license terms that will come up. For this purpose, click on the “Yes” button:
As soon as you accept the license terms, the main decryptor user interface comes up:
-
Select folders for decryption.
By default, the decryptor will automatically detect and populate the available locations to decrypt the currently connected drives, including network drives. If desired, additional locations can be selected using the “Add” button.
Decryptors typically provide various options tailored to specific malware families. These options can be found in the Options tab and can be enabled or disabled as needed. Below is a detailed list of the currently active options:
-
Click on the “Decrypt” button.
Once you have added all the desired locations for decryption to the list, click on the “Decrypt” button to initiate the decryption procedure.
Please note that the main screen will display a status view, providing information about the active process and the decryption statistics of your data. You can refer to the following image:
The decryptor will notify you as soon as the decryption procedure is completed. If you need a report for your records, you can save it by clicking the “Save log” button. Alternatively, you can copy the report to your clipboard and paste it into emails or messages if needed.
The Emsisoft Decryptor might display different messages after a failed attempt to restore your werz files:
β Error: Unable to decrypt file with ID: [your ID]
β No key for New Variant online ID: [your ID]
Notice: this ID appears to be an online ID, decryption is impossible
β Result: No key for new variant offline ID: [example ID]
This ID appears be an offline ID. Decryption may be possible in the future.
It can take a few weeks or months until the decryption key gets found and uploaded to the decryptor. Please follow updates regarding the decryptable DJVU versions here.
β Remote name could not be resolved
How to Restore .werz Files?
In some case Werz ransomware is not doom for your files…
The Werz ransomware uses an encryption mechanism that involves encrypting each file byte-by-byte and then creating a copy of the file. The original file is deleted (without being overwritten) in the process. As a result, the file’s information and location on the physical disk are lost, but the original file is still present on the disk. Although the file is not listed by the file system, it may still reside in the cell or sector where it was stored. However, this space can be overwritten by new data loaded onto the disk after the deletion. Fortunately, it is possible to recover your files using specialized software.
Anyway, after realizing it was an online algorithm, it is impossible to retrieve my encrypted files. I also had my backup drive plugged in at the time of the virus, and this was also infected, or so I thought. Every folder within my backup drive had been infected and was encrypted. However, despite losing some important files, I retrieved almost 80% of my 2TB storage.
When I started going through the folders, I noticed the readme.txt ransom note in every folder. I opened some of the folders and found that all files that were not in a subfolder within that folder had been encrypted. However, I found a flaw and glimmer of hope when I went into the subfolders in other folders and found that these files had not been encrypted. Every folder within my c and d drives, including subfolders, had been encrypted, but this was not the case with the backup drive. Having subfolders created within a folder has saved 80% of my data.
As I said, I believe this to be only a small loophole on a backup drive. Iβve since found a further 10 % of my data on another hard drive on a different pc. So my advice is if you use a backup drive, create subfolders. I was lucky, I guess. But I was also unlucky that the virus hit as I was transferring some files from my backup.
Hopefully, this can help some other people in my situation.
Jamie NewlandRecovering your files with PhotoRec
PhotoRec is an open-source program originally designed for recovering files from damaged disks or for file recovery after deletion. Over time, the program has expanded its capabilities and can now recover files with over 400 different extensions. This makes it suitable for data recovery after a ransomware attack.
To begin, you need to download the application. It is completely free, but the developer does not guarantee successful file recovery. PhotoRec is bundled with another utility from the same developer called TestDisk. When you download the archive, it will be named TestDisk, but rest assured that PhotoRec files are inside.
To launch PhotoRec, locate and open the file named “qphotorec_win.exe”. No installation is required as the program contains all the necessary files within the archive. You can even run it from a USB drive to assist a friend, family member, or anyone affected by the DJVU/STOP ransomware.
After the launch, you will see the screen showing you the full list of your disk spaces. However, this information is likely useless, because the required menu is placed a bit higher. Click this bar, then choose the disk which was attacked by ransomware.
After choosing the disk, you need to choose the destination folder for the recovered files. This menu is located at the lower part of the PhotoRec window. The best desicion is to export them on USB drive or any other type of removable disk.
Then, you need to specify the file formats. This option is located at the bottom, too. As it was mentioned, PhotoRec can recover the files of about 400 different formats.
Finally, you can start files recovery by pressing the “Search” button. You will see the screen where the results of the scan and recovery are shown.
Werz files recovery guide
Frequently Asked Questions
No way. These files are modified by ransomware. The contents of .werz files are not available until they are decrypted.
If your data remained in the .werz files are very valuable, then most likely you made a backup copy.
If not, then you can try to restore them through the system function – Restore Point.
All other methods will require patience.
Of course not. Your encrypted files do not pose a threat to the computer. What happened has already happened.
You need GridinSoft Anti-Malware to remove active system infections. The virus that encrypted your files is most likely still active and periodically runs a test for the ability to encrypt even more files. Also, these viruses install keyloggers and backdoors for further malicious actions (for example, theft of passwords, credit cards) often.
In this situation, you need to prepare the memory stick with a pre-installed Trojan Killer.
Have patience. You are infected with the new version of STOP/DJVU ransomware, and decryption keys have not yet been released. Follow the news on our website.
We will keep you posted on when new Werz keys or new decryption programs appear.
The Werz ransomware encrypts only the first 150KB of files. So MP3 files are rather large, some media players (Winamp for example) may be able to play the files, but – the first 3-5 seconds (the encrypted portion) will be missing.
You can try to find a copy of an original file that was encrypted:
- Files you downloaded from the Internet that were encrypted and you can download again to get the original.
- Pictures that you shared with family and friends that they can just send back to you.
- Photos that you uploaded on social media or cloud services like Carbonite, OneDrive, iDrive, Google Drive, etc)
- Attachments in emails you sent or received and saved.
- Files on an older computer, flash drive, external drive, camera memory card, or iPhone where you transferred data to the infected computer.
To report the attack, you can contact local executive boards (A full list you can find here). For instance, if you live in USA, you can have a talk with FBI Local field office, IC3 or Secret Service.
Video Guide
How to use GridinSoft Anti-Malware for fix ransomware infections.
If the guide doesnβt help you to remove Werz virus, please download the GridinSoft Anti-Malware that I recommended. Do not forget to share your experience in solving the problem. Please leave a comment here! This can help other victims to understand they are not alone. And together we will find ways to deal with this issue.
I need your help to share this article.
It is your turn to help other people. I have written this guide to help users like you. You can use buttons below to share this on your favorite social media Facebook, Twitter, or Reddit.
Brendan SmithWERZ Ransomware β How To Restore & Decrypt Files?
Name: WERZ Virus
Description: WERZ Virus is a STOP/DJVU family of ransomware-type infections. This virus encrypts your files, video, photos, documents that can be tracked by a specific werz extension. So, you can't use them at all after that WERZ ransomware asks victims for a ransom fee ($490 - $980) in Bitcoin.
Operating System: Windows
Application Category: Virus
User Review
( votes)References
- Windows passwords vulnerability (Mimikatz HackTool): link
- GridinSoft Anti-Malware Review: link
- More information about GridinSoft products: https://gridinsoft.com/comparison
- Trojan Killer Review: https://howtofix.guide/trojan-killer/
German 
Japanese 
Spanish 
Portuguese (Brazil) 
French 
Turkish 
Chinese (Traditional) 
Korean 
Indonesian 
Hindi 
Italian