Some STOP/DJVU ransomware victims can decrypt or repair encrypted files: here’s how
The STOP/DJVU decryptor is a file decryption tool created by Emsisoft and Michael Gillespie and published on October 18, 2019. The tool was initially developed by mounting a side-channel attack on the ransomware’s keystream. It can help victims recover their files without paying a ransom to the cyber criminals. Furthermore, the decryptor is continuously updated and may be able to decrypt files affected by offline key encryption, but only if victims who have paid the ransom and successfully received the decryption key choose to share it with Emsisoft. With offline key encryption, all victims of one specific STOP/DJVU variant can decrypt their files with the same decryption key; this does not apply to online key victims of the same ransomware variant. The cybersecurity company does not announce when such keys are retrieved, due to victim confidentiality. Victims are advised to download the tool and test whether their files can be decrypted.
In addition, there is a trustworthy tool that can help you repair specific file types. Media_Repair (released by DiskTuna) is a tool intended to repair audio/video files. We strongly recommend trying this tool in case the STOP/DJVU decryptor cannot help you. This audio/video file recovery tool can be used no matter which encryption type was applied to your files. The guide below explains how to use it to recover part of your data.
The STOP/DJVU ransomware is mostly distributed using malicious keygens, software cracks and tools like KMSPico. The malicious payload was strategically hidden in these popular, yet illegal, files used to activate paid software for free. Our analysis shows that the malicious files that dropped the ransomware also contained additional malware, namely the Vidar, Azorult and RedLine stealers. In 2019, Emsisoft released the STOP/DJVU decryptor, and at the time Emsisoft claimed that it was capable of restoring data for about 70% of all victims.
Unfortunately, 12 versions of the ransomware were the “improved” ones, and files locked by these couldn’t be fully recovered. The tougher ransomware versions started emerging around August 2019. DJVU ransomware victims should be aware that the virus’ versions are categorized by their extensions into Puma, Uppercase, old and new variants (see the detailed description below). It’s been a while, and all the current versions can be decrypted ONLY if offline encryption was used. Additionally, regardless of whether online or offline encryption was used, you can repair certain file types using DiskTuna’s tool Media_Repair (find the usage guide below). UPDATE 2022, October 25th. The latest STOP ransomware versions and the possibility to recover files based on the key type are listed below. Versions with retrieved offline keys are also included.
DJVU versions that can be decrypted (offline encryption) – UPDATED LIST
Currently, the Emsisoft Decryptor for STOP DJVU database includes decryption keys for the following ransomware variants (only for offline key encryption victims – see how to determine what encryption type was used on your files). Here is the updated extension list:
.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk, .peet, .mbed, .kodg, .zobm, .msop, .hets, .mkos, .nbes, .reha, .topi, .repp, .alka, .nppp, .npsk, .opqz, .mado, .covm, .usam, .vawe, .maas, .nile, .geno, .omfl, .sspq, .iqll, .ddsg, .wiot
Please be patient: offline keys for the latest 2022/2023 versions listed below may not have been uploaded to Emsisoft’s server yet:
POUU, POQW, ZOUU, ZOQW, BPTO, BPWS, BPSM, ZNTO, ZNSM, ISAL, ISWR, ISZA, MANW, BTTU, BTOS, BTNW, MAOS, MATU, MPPN, MBTF, UYIT, UYRO, KCBU, KCVP, TCVP, TCBU, FATE, FATP, ZATP, ZATE, BOWD, POZQ, BOZQ, POWD, NUIS, NURY, TURY, TUIS, POHJ, POWZ, TOWZ, TOHJ, ADLG, ADWW, OFWW, OFLG, OFOQ, AAWT, AAMV, AABN, AAYU, EEYU, EEMV, EEWT, EEBN, MMDT, MMVB, MMPU, OOPU, OODT, OOVB, QQKK, QQPP, QQJJ, QQRI, QQLC, QQLO, QQMT, CCZA, CCEO, CCEW, CCYU, VVYU, VVEW, VVWQ, VVEO, HHYU, OOXA, OORI, GGEO, GGWQ, GGEW, HHEO, HHWQ, HHEW, JJWW, JJYY, GHSD, DKRF, EIUR, LLQQ, LLEE, LLTT, LLOO, EIJY, EFVC, HKGT, BBZZ, BBII, BBYY, EEFG, BNRS, RRYY, RRBB, RRCC, ZFDV, EWDF, UIHJ, ZPPS, QLLN, NNUZ, FEFG, FDCV, DFWE, ERRZ, IFLA, BYYA, KRUU, SIJR, BBNM, EGFG, XCVF, MINE, HHJK, TTII, MMOB, JHGN, JHBG, DEWD, JHDD, DMAY, MSJD, NUHB, YGVB, DWQS, QPSS, HAJD, QALL, GHAS, UYJH, TUID, UDLA, GTYS, MPAG, VOOM, KXDE, WDLO, PPHG, RGUY, SSOI, KKIA, HFGD, MMUZ, RGUY, UIGD, EYRV, VLFF, BPQD, XCBG, KQGQ, VTYM, QBAA, FOPA, VYIA, IIOF, SDJM, FGNH, FGUI, JJTT, RTGF, OOII, GCYI, EUCY, CKAE, QNTY, CCPS, IIPS, AVYU, CUAG, BBBE, BBBR, QQQR, MAIV, BBBW, YOQS, QQQE, QQQW, MAAK, FHKF, VFGJ, YBER, ZAQI, NQHD, VGKF, DEHD, LOOV, MIIA, SBPG, XCMB, NNQP, HUDF, SHGV, YJQS, MLJX, YQAL, MOIA, ROBM, RIGJ, PQGS, IISA, FUTM, QMAK, QDLA, STAX, IRFK, PALQ, COOL, RIVD, RUGJ, ZAPS, MAQL, VTUA, IRJG, NQSQ, TISC, RIGD, KOOM, EFDC, LQQW, IWAN, ORKF, HOOP, REQG, MUUQ, NOOA, GUER, AEUR, HHQA, MOQS, UFWJ, GUJD, WWKA, ZZLA, LSSR, POOE, ZQQW, MIIS, NEER, LEEX, PIIQ, QSCX, MPPQ, PAHD, PAAS, EHIZ, NUSM, IGVM, PCQQ, REJG, WRUI, LMAS, URNB, FDCZ, YTBN, EKVF, ENFP, TIRP, REIG, RIBD, CADQ, YGKZ, PLAM, COSD, POLA, WBXD, COOS, QLKM, ATEK, IGAL, BOOA, IGDM, NOBU, WEUI, LISP, SGLH, EPOR, VVOA, AGHO, VPSH, JDYI, IISS, NYPG, EFJI, MMPA, FOQE, MOSS, LYLI, COPA, KOLZ, NPPH, OGDO, KASP, NORD, BOOP, VARI, OONN, KOOK, ERIF, KUUS, REPL, ZIDA, MOBA, PYKW, TABE, NYPD, ZWER, KKLL, NLAH, ZIPE, PEZI, KOTI, MZLQ, SQPC, MPAL, QEWE, LEZP, LALO, MPAJ, JOPE, OPQZ, REMK, FOOP, LOKD, REZM, MOOL, OOSS, MMNN, ROOE, BBOO, BTOS, NPSG, NOSU, KODC, LLOO, LLTT, LLEE
For these versions, the tool may be capable of decrypting files locked by an OFFLINE key only (if Emsisoft’s server contains the key for the variant that affected your files). Keep in mind that these decryption keys may take a while to emerge, so the very latest versions such as .pouu or .poqw might not be decryptable at the moment. IMPORTANT. Due to victim confidentiality, Emsisoft no longer announces when new offline keys are uploaded to their server, so in order to find out whether your files can be decrypted, you need to download the Emsisoft Decryptor and run a scan with it. Please note that you must remove the remains of the DJVU ransomware virus before you try to recover your files. We strongly recommend using a robust antivirus like INTEGO Antivirus for this task. In addition, we strongly recommend scanning with RESTORO to repair virus damage to Windows OS files. Before you proceed with the article, check the list of supported extensions to determine whether you can decrypt STOP DJVU files.
Please remember that some versions can be decrypted only if an offline key was used. If your files were encrypted with an online key and decryption is impossible, you will see the following message: No key for New Variant. Before we dive into the solutions for decrypting your files, we suggest reviewing the STOP/DJVU variants and the chances of recovering your files, so that you know what to expect and which tools to use.
STOP/DJVU ransomware variants and chances to recover data
STOP/DJVU versions are generally categorized into 4 types, and each has a different level of decryptability.
Puma variants (.puma, .pumax, .pumas). All versions can be decrypted after providing one encrypted/original file pair exceeding 150 KB in size. Victims should use the STOP Puma decryptor as explained in Method 3.
Uppercase variants (.INFOWAIT, .DATAWAIT, .KEYPASS and others). Only some of these variants can be decrypted, again using the STOP Puma decryptor, provided that an encrypted/original file pair exceeding 150 KB is supplied. See Method 3 for instructions.
Old variants (.djvu, .djvuu, .udjvu, .uudjvu, .djvuq and others). These variants are known to increase the encrypted file size by 78 bytes. Files with all known extensions of these old STOP/DJVU variants can be decrypted using the STOP/DJVU Decryptor in these cases: if offline encryption was used, or if the victim can provide some encrypted/original file pairs exceeding 150 KB in size. Offline encryption victims should see the Method 1: Decrypt files locked with OFFLINE Key section, and those affected by online encryption should refer to the Method 2: Decrypt files encrypted with ONLINE Key section.
New variants (.poqw, .pouu, .bnto, .zoqw and others). All ransomware variants that started emerging in August 2019 and continue to appear nowadays. Encrypted files are usually 334 bytes larger than the originals. These versions can only be decrypted if offline encryption was used; in that case, refer to the Method 1: Decrypt files locked with OFFLINE Key section.
Before you explore methods to decrypt your files, you need to determine whether an online or an offline key was used to lock them.
How to check if online or offline key was used in encryption
The updated ransomware encrypts files using online keys (different for each victim) if it manages to connect to its Command & Control server during the attack. Otherwise, it uses an offline key, which is the same for all victims of one ransomware variant (with the same extension). If an offline key was used, you have a chance to restore your data now or in the near future. Unfortunately, we cannot say the same about victims affected by online keys. To determine which key was used, follow these steps. Another simple way to determine which encryption type the ransomware used on your computer is to run Emsisoft’s STOP/DJVU Decryptor.
Decrypt Files Locked by STOP/DJVU Ransomware
See the guide below on how to decrypt DJVU files using the decryptor by Emsisoft. This guide explains how to decrypt files locked by OFFLINE and ONLINE keys. Please check the next part of the tutorial if you’re infected with the .puma, .pumax or .pumas variant.
Method 1. Decrypt Files Locked With OFFLINE Key
The guide described below helps to decrypt files locked with an OFFLINE key for all DJVU ransomware versions created prior to August 2019. Victims of these versions received ransom notes called _readme.txt with the following contents. Please note that new versions like .nypd or .zwer use new contact emails: helpmanager@mail.ch or restoreadmin@firemail.cc.
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
[removed link]
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
gerentoshelp@firemail.cc
Your personal ID:
9315hTlGeRsMht5nsgsaoejm4RWx1y69zcacA5hSp3l60BnY8f3qasd3SGd8723bqD7SH8JmYm298WxkjhasiuSDFS35Qaidkhantjt1
If you were attacked with both ONLINE and OFFLINE keys, complete these steps and proceed to the next part of the tutorial.
Method 2. Decrypt Files Encrypted with ONLINE KEY
This method works for old STOP/DJVU versions and requires collecting encrypted/original file samples for each data format you’re trying to recover. The decryptable ransomware variants based on extensions used are listed below.
Known decryptable DJVU virus extensions list (using file pairs method)
.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote
There are three requirements for file pairs:
Must be at least 150 KB in size;
Must be the same file that was encrypted;
To decrypt different file types, you need file pairs for each of them, for example .jpg, .doc, .mp3, etc.
How to find data pairs
An easy way to find some pairs is to check the encrypted files in your downloads folder and trace the source you downloaded them from. For instance, if you recently downloaded some files from an email or a specific website, you can download a fresh copy and check for the encrypted version in your downloads. Your downloads folder is likely to contain various file types that you have downloaded from the Internet. Try to remember exactly where you got them from, so that you can download them again and have data pairs for as many different file extensions as possible. For example, you need image.jpg to pair with image.jpg.reco, video.mp4 to pair with video.mp4.reco, and so on. As soon as you have some pairs of encrypted and original files, follow the steps below to decrypt files locked by STOP/DJVU ransomware.
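A small pair-finding script, added here as an example and not code from this article, Emsisoft or DiskTuna: it walks a folder of encrypted files, strips the ransomware extension to recover the original name, looks for a same-named copy in the folders you re-downloaded files to, and keeps only pairs that meet the 150 KB minimum and whose size difference matches the 78 or 334 bytes given for old and new variants above (a cheap check that the copy you found really is the same file that was encrypted). The function names, the .reco extension used in the demo and the folder layout built by make_demo_tree() are assumptions made for the illustration.

```python
"""Find original/encrypted file pairs for the file-pairs method (added example).

Assumes, as the image.jpg -> image.jpg.reco example in the article shows, that
an encrypted file keeps its original name and gains the ransomware extension.
The folder layout in make_demo_tree() is constructed for illustration only.
"""
import tempfile
from pathlib import Path

MIN_PAIR_SIZE = 150 * 1024        # the decryptor needs pairs of at least 150 KB
KNOWN_SIZE_DELTAS = (78, 334)     # growth of old and new variants, per the article


def find_file_pairs(encrypted_dir, original_dirs, ransom_ext):
    """Return {file_type: [(original_path, encrypted_path), ...]}.

    A pair is kept when the encrypted name is the original name plus
    ransom_ext, the original is at least MIN_PAIR_SIZE, and the encrypted
    file is exactly 78 or 334 bytes larger than the original.
    """
    suffix = ransom_ext if ransom_ext.startswith(".") else "." + ransom_ext
    originals = {}
    for folder in original_dirs:
        for p in Path(folder).rglob("*"):
            if p.is_file() and p.stat().st_size >= MIN_PAIR_SIZE:
                originals.setdefault(p.name, p)       # first copy found wins
    pairs = {}
    for enc in Path(encrypted_dir).rglob("*" + suffix):
        if not enc.is_file():
            continue
        base_name = enc.name[: -len(suffix)]
        orig = originals.get(base_name)
        if orig is None:
            continue
        if enc.stat().st_size - orig.stat().st_size not in KNOWN_SIZE_DELTAS:
            continue                                  # probably a different version of the file
        file_type = Path(base_name).suffix.lower() or "(no extension)"
        pairs.setdefault(file_type, []).append((orig, enc))
    return pairs


def make_demo_tree():
    """Constructed sample: a downloads folder holding encrypted copies and a
    folder of re-downloaded originals. Returns (encrypted_dir, original_dir)."""
    root = Path(tempfile.mkdtemp(prefix="djvu_pairs_"))
    enc_dir, orig_dir = root / "downloads", root / "redownloaded"
    enc_dir.mkdir()
    orig_dir.mkdir()
    sizes = {"report.pdf": 200 * 1024, "song.mp3": 100 * 1024, "notes.docx": 300 * 1024}
    for name, size in sizes.items():
        (orig_dir / name).write_bytes(b"A" * size)
    # encrypted copies: same name plus .reco, 334 bytes larger (new variant)
    for name in ("report.pdf", "song.mp3"):
        (enc_dir / (name + ".reco")).write_bytes(b"B" * (sizes[name] + 334))
    # a copy that is not the same file: wrong size difference, must be rejected
    (enc_dir / "notes.docx.reco").write_bytes(b"B" * (sizes["notes.docx"] + 1000))
    return str(enc_dir), str(orig_dir)


def demo():
    """Run the finder over the constructed tree; only report.pdf qualifies
    (song.mp3 is below 150 KB, notes.docx has the wrong size difference)."""
    enc_dir, orig_dir = make_demo_tree()
    return find_file_pairs(enc_dir, [orig_dir], "reco")


if __name__ == "__main__":
    for file_type, found in demo().items():
        for orig, enc in found:
            print(f"{file_type}: {orig.name} <-> {enc.name}")
```

Point find_file_pairs() at your real downloads folder, the folders holding re-downloaded copies, and the extension your files received; the result is grouped by original file type, which is exactly how the decryptor wants the pairs supplied.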
Method 3. Decrypt .puma, .pumas, .pumax, .INFOWAIT, .DATAWAIT files
Victims whose files were encrypted by the .puma, .pumax, .pumas, .INFOWAIT and .DATAWAIT ransomware versions can use the STOP Puma decryptor to recover their files. Victims of these ransomware variants received ransom notes called !readme.txt with the following contents:
================ !ATTENTION PLEASE! ================
Your databases, files, photos, documents and other important files are encrypted and have the extension: .puma
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail pumarestore@india.com send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% avaliable if you contact us first 72 hours.
=========================================
E-mail address to contact us: pumarestore@india.com
Reserve e-mail address to contact us: BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch
Your personal id: 3346se9RaIxXF9m45nsmx7nL3bVudn91w4SNY8URDVa
To decrypt files locked by STOP/DJVU Puma variants, follow these instructions:
BONUS: REPAIR files encrypted by STOP/DJVU
Repair audio/video files using Media_Repair by DiskTuna
Media_Repair by DiskTuna is a free and secure tool that can help to repair a limited range of encrypted files. Since DJVU ransomware encrypts only the first 150 KB of each file, Media_Repair attempts to fix files by making the non-encrypted part playable again. The tool isn’t meant to decrypt the files. Currently, the software is capable of repairing the file types listed below. Note that formats marked with * require a reference file.
WAV*; MP3; MP4*; M4V*; MOV*; 3GP*.
Just like Emsisoft’s tool, Media_Repair requires a reference file, in other words a full, unaffected example file created on the same device or with the same software. That said, if videos shot with your camera were encrypted, you should use the same settings used to create that video to produce a reference video file for the repair. The same applies to video editing software: try to duplicate the settings used to create the specific video that was encrypted. Please be aware that the tool won’t be capable of fixing absolutely all kinds of files. For example, videos optimized for online streaming (fast start) can’t be repaired at the moment. The tool is also known to fail with large files, although this issue is likely to be fixed in future updates. Media_Repair was made available thanks to researchers Nguyễn Vũ Hà and Joep van Steen.
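To see how much of a file the repair tool actually has to work with, and to confirm which variant family you are dealing with, here is an added checker that is not code from this article, Emsisoft or DiskTuna. It serves both the variants section above (old variants add 78 bytes to a file, new variants add 334) and this section (only the first 150 KB of a file is encrypted): given an original and its encrypted copy, it reads the size difference, confirms that everything beyond the first 150 KB is byte-for-byte unchanged, and reports the intact fraction. The function names and the constructed sample data in build_constructed_sample() are assumptions; real files go through triage_files().

```python
"""Triage an original/encrypted STOP/DJVU file pair (added example).

Uses only facts stated in the article: old variants grow files by 78 bytes,
new variants by 334 bytes, and only the first 150 KB of a file is encrypted.
Names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import Path

ENCRYPTED_PREFIX = 150 * 1024                     # bytes the ransomware overwrites
SIZE_DELTA_TO_FAMILY = {78: "old variant", 334: "new variant"}


@dataclass
class TriageResult:
    size_delta: int          # encrypted size minus original size
    family: str              # "old variant", "new variant" or "unknown"
    tail_intact: bool        # bytes beyond 150 KB identical to the original
    intact_fraction: float   # share of the original that survived untouched


def triage_pair(original: bytes, encrypted: bytes) -> TriageResult:
    """Compare the two byte strings and report what the repair tool can use."""
    delta = len(encrypted) - len(original)
    family = SIZE_DELTA_TO_FAMILY.get(delta, "unknown")
    # Everything after the encrypted prefix should match the original; the
    # appended footer (delta bytes) starts where the original ends.
    tail_intact = (
        len(original) > ENCRYPTED_PREFIX
        and encrypted[ENCRYPTED_PREFIX:len(original)] == original[ENCRYPTED_PREFIX:]
    )
    intact = max(len(original) - ENCRYPTED_PREFIX, 0) / len(original) if original else 0.0
    return TriageResult(delta, family, tail_intact, intact)


def triage_files(original_path: str, encrypted_path: str) -> TriageResult:
    """Same check on two files from disk."""
    return triage_pair(Path(original_path).read_bytes(), Path(encrypted_path).read_bytes())


def build_constructed_sample(total_size: int, footer_len: int):
    """Constructed demo data: a fake original and a fake encrypted copy whose
    first 150 KB are replaced by a different byte pattern and which gains a
    footer of footer_len bytes, mimicking the size change the article describes."""
    original = bytes((i * 7 + 3) % 256 for i in range(total_size))
    scrambled = bytes((i * 13 + 5) % 256 for i in range(min(ENCRYPTED_PREFIX, total_size)))
    encrypted = scrambled + original[ENCRYPTED_PREFIX:] + b"\x00" * footer_len
    return original, encrypted


if __name__ == "__main__":
    # a large new-variant file, a mid-sized old-variant file, and a file
    # smaller than 150 KB (nothing survives for the repair tool to use)
    for size, footer in ((1024 * 1024, 334), (200 * 1024, 78), (100 * 1024, 334)):
        orig, enc = build_constructed_sample(size, footer)
        r = triage_pair(orig, enc)
        print(f"{size // 1024:5d} KB file: {r.family}, tail intact={r.tail_intact}, "
              f"{r.intact_fraction:.1%} of the data untouched")
```

A file that reports tail_intact with a high intact fraction is a good candidate for Media_Repair, since the tool can only rebuild the header around the surviving data; a file shorter than 150 KB has no surviving data at all, which is also why the decryptor's file-pair method requires pairs above that size.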
How to use Media_Repair to fix encrypted files
Please follow the given steps carefully to attempt encrypted file repair using Media_Repair.
Important things to know about the repair tool:
You must have a reference file. If you do not have it or cannot create it, no one else can make it for you. If you do not know the settings used to create the encrypted file, unfortunately, no one else will. Try experimenting and creating different reference files, then try the repair tool again.
More supported file formats might be available in the future, although this is not promised.
Please remember that the tool repairs the files but doesn’t decrypt them. Some information loss might be expected.
It doesn’t matter whether online or offline encryption was used by the ransomware; you can try the tool on the listed file formats.
For more information about Media_Repair, please visit its developer’s website.
We hope that you found this tutorial helpful and that you managed to decrypt files infected by DJVU ransomware successfully. We strongly recommend reading our ransomware prevention tips to avoid similar malware attacks in the future.