Going deeper into _readme.txt ransom note contents, we can see that the cybercriminals reassure the victim that all files on the computer system were encrypted with the strongest algorithm. To specify, the encryption type used in STOP/DJVU attacks is Salsa20 + RSA-2048. The note suggests there is no solution other than paying a ransom to criminals, or files will remain unreadable for good. They suggest contacting victims interested in paying the ransom via two provided emails – support@sysmail.ch and supportsys@airmail.cc. On top of that, the ransom note suggests that the amount of money the victim needs to pay depends on how quickly the victim reaches out to the operators of this nascent malware. If this is done within 72 hours starting from the infection timestamp, the crooks promise a 50% discount on the initial price. This means that the criminals will accept $490 as a ransom, however, if the victim hesitates for any longer, the price will be set to $980. The criminals won’t accept any other transaction form other than one made using cryptocurrency (Bitcoin) for anonymity purposes. In attempt to convince the victim to pay up sooner, they even promise test decryption service on one encrypted file that doesn’t contain any valuable data. The note suggests attaching it alongside victim’s Personal ID when sending an email to the attackers. We do understand that encrypted data is extremely important to all victims, however, we must stress out that PAYING A RANSOM IS NOT A RECOMMENDED OPTION. Cybersecurity experts do not support paying ransoms, and the same mindset is backed up by the official FBI ransomware response recommendations. First of all, paying a ransom doesn’t guarantee data recovery in many cases, besides, sending money to cybercriminals simply helps them to push more malware, develop more sophisticated malware and attack more people. Finally, by paying, you will be identified as a victim who is willing to pay up and might be specifically targeted again. Data encryption isn’t the only damage inflicted by this ransomware variant. STOP/DJVU variants like SSOI virus are known to travel alongside RedLine, Vidar or Azorult information-stealing Trojans. These Trojans are capable of extracting your browser-saved login credentials, banking details, in-app login details, browsing history and other sensitive data and transferring them to cybercriminals’ servers. As a consequence, you might start getting blackmailed for more money or experience account theft or even financial losses. If you have recognized the malware that’s altered your files, we strongly recommend that you remove SSOI ransomware virus without a delay. The best approach to complex malware removal is booting your PC in Safe Mode with Networking and running a trustworthy antivirus solution from there. If you’re unsure which AV brand to use, we strongly recommend INTEGO Antivirus. For repairing virus-damaged Windows OS files, we recommend downloading RESTORO.

Ransomware Summary

REPAIR VIRUS DAMAGE

Ransomware distribution techniques

Ransomware-type threats from STOP/DJVU cybercrime gang are known to be distributed via fake software cracks and other tools meant to activate premium software versions illegally. SSOI virus is no different and it preys for potential victims in various torrent listings as well as in rogue websites offering password-protected archives that are supposed to launch a setup for popular software activation. Victims infected by malware from this ransomware group claim to be infected from rogue downloads that promised activation of these popular programs:

KMSPico (illegal Windows activation tool).Fifa 20;Tenorshare 4ukey;AutoCad;Opera browser;Corel Draw;Nero Burning ROM;Microsoft Visio PRO;VMware Workstation;Cubase;Adobe Illustrator;League of Legends;Internet Download Manager;Adobe Photoshop.

If you have the bad habit of searching for 100% working full versions of software online and try to bypass legitimate websites where you have to pay for the license key, you risk exposing your PC to severe threats. Most of these downloads are simply malware launchers that do not have a single file related to the software you’re looking to activate. Cybercriminals know that many users are trying to bypass license key fees, so they use popular software names as a clickbait so that the potential victims would download and run the malware themselves in hopes to install desired software for free. We strongly advise you to support legitimate software developers. Downloading illegal and pirated software versions is a copyright infringement, not to mention the cybersecurity dangers behind this. Believe us when we say that legitimate software copies cost way less than tools required to repair malware-inflicted damage on your computer and your private data. Another common way to distribute malware is closely tied to email spam. Scammers tend to send mass emails using publicly available (such as made available via data leaks) email listings and they often try to impersonate a well-known company or someone you know (such as your colleague or a boss). Such deceptive emails typically urge the user to open email attachments that are usually named as documents used in daily communications (Invoice, Waybill, Order Summary, Missing/Pending Payment, etc). To appear more trustworthy, they may even spoof their original email address. In order to avoid getting infected, we strongly recommend you to inspect the email you received and if you have the slightest suspicion about its origins, do not click on inserted URLs and do not open its attachments. Look out for unfamiliar greeting line and typo mistakes in the message body. Finally, victims of this ransomware should be careful when searching for decryption tools online. At the moment, there are only two tools capable of decrypting/repairing STOP/DJVU-infected files (by Emsisoft and DiskTuna), and their functionality has certain limitations. Beware of fake STOP/DJVU decryption tools distributed online which hide malware inside of them. Moreover, watch out for scammers advertising fake “hacker” profiles on Instagram or WhatsApp that promise they can decrypt your files. All they can do is steal your money and vanish.

How this ransomware operates: a detailed overview

For those curious what SSOI ransomware virus does after breaking into the target system, we have provided a simplified overview of its modus operandi. The main ransomware executable is usually named by 4 random characters, for example, 5GB4.exe or 12J6.exe. The malware also downloads additional processes – build.exe and build2.exe from its server. In some cases, it may launch a fake Windows update screen (winupdate.exe) to trick the victim into thinking there are some operating system updates being downloaded and installed. Before starting data encryption, this ransomware collects some information about the compromised computer system. First of all, it connects to https[:]//api.2ip.ua/geo.json which triggers a geo.json file download. This file contains geolocation-related data about the computer and describes PC’s IP address, country, city, zip code, timezone, longitude and latitude and more. You can see a couple of geo.json examples in the image down below. The virus also creates a file named information.txt which has a list of PC’s hardware specs, installed software and active processes. The virus additionally takes a screenshot of desktop and sends collected data to its Command&Control (C&C) server. Shown below is a screenshot of information.txt. Before encrypting the data, the virus performs a check to see if the files on the system can actually be encrypted. The thing is, operators of STOP/DJVU tend to avoid encrypting files in computers located in these countries: Ukraine, Russian Federation, Syria, Armenia, Tajikistan, Kazachstan, Kyrgyzstan, Belarus, and Uzbekistan. If any of the countries are detected as the compromised PC’s location, the ransomware stops itself. However, if that’s not the case, it proceeds and attempts to retrieve a unique encryption key and victim’s ID from the C&C server. The key and ID will be saved into file called bowsakkdestx.txt, while the ID will be saved into PersonalID.txt file. Both files are shown in the screenshow presented below. An interesting observation about the SSOI ransomware functionality is that it has two encryption modes, often referred to as online or offline encryption. With online encryption type, the virus successfully generates unique encryption key and ID for the victim, which hardens the chances to recover encrypted data. However, in cases where the virus fails to fetch a unique encryption key from its server, it uses a hardcoded offline encryption key instead. Victims affected by offline encryption will typically notice t1 characters at the end of their PersonalID and this also increases the chances to restore files in the future. You can learn more about this in this guide explaining possibilities to decrypt/repair STOP/DJVU encrypted data. After deciding on encryption type, the ransomware begins data encryption. It scans all computer folders and encrypts each file with Salsa20 algorithm, then additionally securing it with the RSA-2048 key. As mentioned previously, the ransomware marks affected files with additional extension to make locked data distinguishable. The screenshot below showcases how a folder affected by this virus looks like. Shown below is the latest version of _readme.txt note. Lastly, the ransomware modifies Windows HOSTS file by mapping a list of domains to localhost IP. This way, the virus blocks access to various cybersecurity blogs and sites publishing information about ransomware attacks and recommended response. If the victim attempts to open one of the blacklisted websites via web search results or directly, errors similar to DNS_PROBE_FINISHED_NXDOMAIN will appear in web browser.

Remove SSOI Ransomware Virus and Decrypt Your Files

The most important thing to do when your PC gets compromised by this malware is to remove SSOI ransomware virus remains and other malware it possibly dragged into your computer. Without a doubt, the best way to cleanse the computer system is to run an up-to-date antivirus solution, but we strongly recommend that you boot your PC in Safe Mode with Networking first. This helps to deactivate malicious processes which may attempt to interfere with security software. You can find a tutorial on how to do it below. Our team trusts and recommends INTEGO Antivirus for malware removal. Another good tool when dealing with ransomware can be downloaded here – RESTORO. In our opinion, it is really helpful when it comes to repairing Windows OS files damaged by computer malware. Other recommendations by our team of security experts include:

Do not forget to report cybercrime incident to local law enforcement agency.Use data backups to recover as many files as possible.Learn possible ways STOP/DJVU-encrypted files could be repaired.Change all passwords used on the infected computer.

OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove SSOI Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove SSOI Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt SSOI files

Fix and open large SSOI files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. SSOI Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt SSOI files, follow the given tutorial.

Meanings of decryptor’s messages

The SSOI decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your SSOI extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of SSOI Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.