The sole aim of RIGJ ransomware virus is to lock your files using a technology that’s typically used to secure information transmission. The cybercriminals put it to bad use and therefore encrypt your files illegally, harassing you to keep your files encrypted forever if you refuse to pay up. In addition, they introduce the pricing of RIGJ decryption tool. The price of it, according to _readme.txt contents, ranges between $490 and $980. If the victim writes to the attackers via given emails (manager@mailtemp.ch or helprestoremanager@airmail.cc) and settles an agreement within 72 hours, the price of the decryption will be lower, otherwise the victim needs to pay full price. The criminals also recommend sending one encrypted file to them to get it decrypted for free. Unfortunately, they may refuse to decrypt it if they discover that it contains valuable information. The point fo the test decryption isn’t to restore valuable information to you – it is simply used to encourage you to pay a ransom after proving that the offenders actually can restore your data. If your files were encrypted, you should know that decryption of files affected by STOP/DJVU is only possible under certain circumstances. You can learn more about it in this guide here. Let us draw your attention to the fact that cybersecurity experts as well as FBI advise against ransom payments. First of all, paying doesn’t guarantee data recovery – it is the most important argument. Second, paying means funding further illegal operations and helping criminals to employ more people. Third reason is that criminals already make millions from extorting computer users yearly, which lures even non-skilled people to join these operations. Finally, we do not recommend paying the ransom because this ransomware also compromises your computer with AZORULT or VIDAR Trojan, malware that is capable of stealing various private details that can be used to blackmail and extort you further. If you have unfortunately fallen victim to a ransomware attack, removing the threats from your computer is a matter of an utmost importance. When it comes to severe threats like this, our experts recommend booting the system in Safe Mode with Networking as explained in the guide below. To remove RIGJ ransomware virus securely, make use of a robust antivirus software of your choice. Our team of experts recommend using one with excellent malware detection rate and real-time protection, for instance, . As an additional measure, you may want to download to repair virus damage to Windows OS files.

Ransomware Summary

REPAIR VIRUS DAMAGE

Ransomware distribution scheme explained

Ransomware-type viruses are distributed either as malicious email attachments, hidden in illegal downloads (mostly torrents), fake software updates, with the help of exploit kits or compromised ad networks. In the vast majority of cases, ransomware threats designed to infect home computer users use rather primitive and only rely on malicious torrents and email spam. We will discuss these methods used to infect computers with crypto-viruses and explain how to avoid getting infected in the future. One of the most common places to find malicious downloads that may carry ransomware infections is online torrent libraries. People often visit these websites when searching for popular software or game cracks, hoping to install and activate premium versions for free. Often times, such computer users go as far as downloading cracks from several websites and launching both just to see which one works – moreover, they tend to ignore their antivirus warnings if any arise. There is a popular misconception that all software cracks get marked as malicious by antivirus although they’re not. Believe us when we say it is better to stay on the safe side and avoid opening a file if it gets marked as dangerous. Victim’s of previous STOP/DJVU ransomware versions report getting infected after opening torrents supposed to provide full versions of these software and games:

Adobe Photoshop;Adobe Illustrator;Corel Draw;Cubase;Opera Browser;Tenorshare 4ukey;Fifa20;AutoCad;League of Legends;KMSPico;Internet Download Manager;VMWare Workstation.

Remember that this isn’t a complete list and attempts to download any software illegally can land you a ransomware infection instantly. Moreover, trying to access pirated software version is simply an act of copyright infringement. Let us remind you that this whole process of finding a functional pirated copy of software and risks associated with it are simply not worth it because a legitimate software license rarely costs more than insane amounts of money demanded by cybercriminals and other damage they may inflict after stealing your private data. For this reason, we suggest that you support software developers and get secure copy of computer programs. Aside from this methodology, cybercriminals also try to attack potential victims via email. They compose emails and attach files to them, then distribute these messages to thousands of users. Often times, offenders pretend to be someone the victim knows, for example, an international company, a boss, colleague, local law enforcement agent or similar. The email often suggests viewing attached contents and replying to the sender as quickly as possible. One detail that is similar in all of these malicious emails is that you can sense the sender’s urgent tone. Another thing to look out for is unfamiliar greeting line. Moreover, you should not let the sender’s email address convince you because nowadays cybercriminals often make use of email spoofing techniques. Our general advice is to ask yourself whether you were waiting for an email of such kind at all. Do not let your curiosity trick you into opening something that you shouldn’t. In certain scenarios, cybercriminals compromise legitimate ad networks and inject malicious script into them. This results in malicious ads being displayed for regular computer users when they visit websites serving ads from that particular ad network. If they happen to click on the advertisement, they get redirected to malicious domains instantly or get a file downloaded to their computers. Last but not least, we’d like to mention deceptive STOP/DJVU decryption tools advertised by cybercriminals from other ransomware gangs. Be careful when searching for a solution online because one might simply not exist yet as explained here. To illustrate, ZORAB ransomware operators are spreading fake STOP/DJVU decryption tools claiming they are capable of decrypting files encrypted with online key. Once the potential victim opens such “decryption tool”, their files get double encrypted.

More details about the ransomware operation

If you’re looking to get more details on how this ransomware operates, this section is for you. RIGJ ransomware virus binary begins the attack by downloading build.exe, build2.exe and build3.exe executables from its server. The virus then takes a screenshot of victim’s desktop and sends it to its Command&Control server along with other information collected about the computer. The virus sends a GET request to https[:]//api.2ip.ua/geo.json to extract information about victim’s computer’s geolocation. The response from the domain is then saved to geo[1].json file as depicted below. The following file contains victim’s country code, zip code, longitude and latitude information and more. Additionally, the virus collects data about victim’s computer hardware, active processes and installed software, saves it to information.txt file and sends it to its Command&Control server. The virus then compares the extracted country code to its own list of exception countries and in case a match is found, the ransomware terminates itself. The following list of countries are exempted from encryption procedure: Russian Federation, Uzbekistan, Kyrgyzstan, Armenia, Syria, Tajikistan, Belarus and Kazachstan. If the ransomware finds out that the computer can be attacked, it then gets a unique encryption key from its C2 server. If this operation fails due to connectivity error, the malware uses a hardcoded key, also known as the offline encryption key instead. An indicator of this encryption type is t1 symbols at the end of personal ID in file C:\SystemID\PersonalID.txt. Offline encryption is a better thing for the victim since it gives hope to decrypt .rigj files in the future (see more information here). If your personal ID ends in different set of characters, it means that online encryption was used. The virus also writes both the encryption key and unique ID to bowsakkdestx.txt file as well as shown in the image below. Once the ransomware prepares for the actual encryption procedure, it then begins scanning every data folder and using Salsa20+RSA-2048 encryption type on the files. During the encryption phase, the ransomware also marks each file with .rigj extension and leaves _readme.txt notes behind. You can see a screenshot of compromised data folder down below. Check the contents of _readme.txt note as shown in the image below. Next thing done by this virus is elimination of Volume Shadow Copies. The malware achieves it by running the following command via CMD prompt: vssadmin.exe Delete Shadows /All /Quiet. Some variants of STOP/DJVU also have a tendency to modify Windows HOSTS file by adding a domain list to it. The virus connects these domains to a localhost IP only to cause a DNS resolution error for the victim. In such case, the victim might notice DNS_PROBE_FINISHED_NXDOMAIN error in Google Chrome or another browser. The discussed ransomware also drags information-stealing Trojans to the system. Some of the Trojans seen in these attacks are called AZORULT or VIDAR and are capable of stealing Skype chat history, browser history, login credentials for application accounts, browser-saved passwords, banking details and other sensitive data.

Remove RIGJ Ransomware Virus and Decrypt Your Files

If your computer was infected with malware and now all of your files are encrypted, do not hesitate and take the situation in your own hands. You should remove RIGJ ransomware virus as soon as possible, and what you need to do is to ensure that you have a robust antivirus software for this task (for example, , then run your PC in Safe Mode with Networking as explained below and set your antivirus to run a system scan (full). Afterward, you may want to download and scan with to repair virus damage on Windows OS files. Now that RIGJ virus removal is done, ensure that you let your local law enforcement agency know about the incident and change all of your passwords associated with the compromised computer as soon as you can. Moreover, check if you have data backups and ensure you use them only after removing the virus from the system completely. For additional help in repairing or decrypting files locked by STOP/DJVU, see this tutorial. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove RIGJ Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove RIGJ Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt RIGJ files

Fix and open large RIGJ files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. RIGJ Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt RIGJ files, follow the given tutorial.

Meanings of decryptor’s messages

The RIGJ decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your RIGJ extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of RIGJ Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.