STOP DJVU Decryptor can help you to recover recently encrypted files
STOP/DJVU Decryptor is a tool created by Emsisoft and Michael Gillespie and published on October 18, 2019. It is currently capable of decrypting 148 of the 160 versions of the virus. The tool was developed by creating a side-channel attack on the ransomware’s keystream. It can help victims recover their files without paying a ransom to the cyber criminals. The guide below explains how to restore data using this recovery tool.
STOP ransomware is one of the most widespread crypto-malware variants of 2019, and it has reportedly affected nearly half a million victims worldwide. The malware was mostly distributed through malicious keygens, software cracks and tools like KMSPico. The payload was hidden in these popular, yet illegal, files used to activate paid software for free.
According to Emsisoft, STOP DJVU Decryptor is capable of restoring data for about 70% of all victims. Unfortunately, 12 versions of the ransomware are the “improved” ones and these can’t be fully recovered at the moment. These emerged around August 2019.
UPDATE 2019, Nov 23rd. The most popular new STOP ransomware versions, and whether their files can be recovered based on the key type, are listed below.
| Extension | STOP Decrypter Support |
|---|---|
| KUUB | Decryptable (OFFLINE KEY) |
| RECO | Decryptable (OFFLINE KEY) |
| BORA | Decryptable (OFFLINE KEY) |
| NOLS | Decryptable (OFFLINE KEY) |
| WERD | Decryptable (OFFLINE KEY) |
| COOT | Decryptable (OFFLINE KEY) |
| DERP | Decryptable (OFFLINE KEY) |
| MEKA | Decryptable (OFFLINE KEY) |
| MOSK | Decryptable (OFFLINE KEY) |
| PEET | Decryptable (OFFLINE KEY) |
| MBED | Decryptable (OFFLINE KEY) |
| KODG | Decryptable (OFFLINE KEY) |
| GROD | Decryptable (OFFLINE KEY) |
| LOKF | Decryptable (OFFLINE KEY) |
| TOEC | Decryptable (OFFLINE KEY) |
| ZOBM | Decryptable (OFFLINE KEY) |
| MSOP | Decryptable (OFFLINE KEY) |
| HETS | Decryptable (OFFLINE KEY) |
Please be patient: offline keys for the latest versions (TOPI, REHA, NOSU, KODC) and for the 2019 versions PINY, REDL, NBES, MKOS, MERL, GESD, RIGH, ROTE, NAKW, LETO and BOOT have not been found yet.
For these versions, the tool can decrypt only files locked by an OFFLINE key. Keep in mind that the offline key takes time to extract, so the very latest versions such as .coot or .werd might not be decryptable at the moment.
Please note that you must remove DJVU ransomware virus before you try to recover your files.
Before you proceed into the article, check the list of supported extensions to determine whether you can decrypt STOP DJVU files.
How to check whether an online or offline key was used in encryption
If you were attacked by this ransomware after August 2019, you need to determine whether an online or offline key was used to lock your files.
The updated ransomware encrypts files using online keys (different for each victim) if it manages to connect to its Command & Control Server during the attack. Otherwise, it uses an offline key, which is the same one for all victims of one ransomware variant (with the same extension).
If an offline key was used, you have a chance to restore your data now or in the near future. Unfortunately, we cannot say the same about victims affected by the online keys.
To determine what keys were used, follow these steps.
- Go to the C: drive and open the SystemID folder.
- Open the PersonalID.txt file and look at the keys listed in it.
- If ANY of them ends with t1, you can recover at least part of the data using STOP Decryptor.
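The same check can be scripted when several machines or a mounted disk image need triage. This is an added example, not part of the Emsisoft tool: the function names and sample IDs are constructed, and treating the t1 suffix as case-sensitive is an assumption.

```python
from pathlib import Path

# Location given in the steps above; pass another path for a mounted image.
DEFAULT_ID_FILE = Path(r"C:\SystemID\PersonalID.txt")

def classify_ids(text):
    """Split the IDs in PersonalID.txt into offline (ending in 't1') and online."""
    ids = []
    for line in text.lstrip("\ufeff").splitlines():
        token = line.strip()
        if token and token not in ids:  # skip blank lines and repeated IDs
            ids.append(token)
    offline = [i for i in ids if i.endswith("t1")]
    online = [i for i in ids if not i.endswith("t1")]
    return offline, online

def recovery_plan(text):
    """Map the IDs found to the methods described in this guide."""
    offline, online = classify_ids(text)
    if not offline and not online:
        return "no IDs found"
    if offline and online:
        return "mixed: Method 1 first, then Method 2 for the remaining files"
    if offline:
        return "offline key only: Method 1"
    return "online key only: Method 2"

# Constructed sample content (not real victim IDs): BOM, blank line, one repeat.
SAMPLE = (
    "\ufeffCONSTRUCTEDsampleAAAA0001t1\r\n\r\n"
    "CONSTRUCTEDsampleBBBB0002\r\n"
    "CONSTRUCTEDsampleAAAA0001t1\r\n"
)

if __name__ == "__main__":
    if DEFAULT_ID_FILE.exists():
        content = DEFAULT_ID_FILE.read_text(encoding="utf-8-sig", errors="replace")
    else:
        content = SAMPLE
    print(recovery_plan(content))
```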
Decryptable DJVU virus extensions list
.peet, .mbed, .kodg, .zobm, .msop, .hets, .gero, .hese, .grod, .seto, .peta, .moka, .meds, .kvag, .domn, .nesa, .nols, .werd, .coot, .derp, .meka, .mosk, .bora, .reco, .kuub, .noos, .karl, .shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .godes, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .rezuc, .stone, .skymap, .mogera, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peka, .puma, .pumax, .pumas, .DATAWAIT, .INFOWAIT.
Decrypt Files Locked by STOP/DJVU Ransomware
See the guide below on how to decrypt DJVU files using the decryptor by Emsisoft. This guide explains how to decrypt files locked by OFFLINE and ONLINE keys. Please check the next part of the tutorial if you’re infected with the .puma, .pumax or .pumas variant.
Method 1. Decrypt Files Locked With OFFLINE Key
The guide below helps to decrypt files locked with an OFFLINE key for all DJVU ransomware versions created prior to August 2019.
Victims of these versions received ransom notes called _readme.txt with the following contents. Please note that new versions like .nakw or .derp use new contact emails: [email protected] or [email protected].
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
If you were attacked with both ONLINE and OFFLINE keys, complete these steps and proceed to the next part of the tutorial.
- Download STOP/DJVU Decryptor.
- Open the decryptor. You will have to click Yes in the User Account Control window.
- Agree to the License Terms by clicking Yes.
- Next, add locations to decrypt by clicking Add Folder and selecting locations from your computer. By default, the C:\ partition is added.
- Click Decrypt to start decrypting your files.
Method 2. Decrypt Files Encrypted with ONLINE KEY
Before you can start to decrypt files locked by STOP/DJVU ransomware, you will need a pair of encrypted and unencrypted file copies for every file type you want to decrypt.
There are three requirements for file pairs:
- Must be at least 150Kb in size;
- Must be the same file that was encrypted;
- To decrypt different file types, you need file pairs for them, for example, .jpg, .doc, .mp3, etc.
How to find data pairs
An easy way to find some pairs is to check the encrypted files in your downloads and trace the source you downloaded them from. For instance, if you recently downloaded some files from an email or a specific website, you can download a fresh copy from that source and look for the encrypted version in your downloads.
Your downloads are likely to contain various file types that you have downloaded from the Internet. Try to remember exactly where you got them from so that you can download them again and have data pairs for as many different file extensions as possible.
For example, you need image.jpg to pair with image.jpg.reco, video.mp4 to pair with video.mp4.reco, and so on.
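Matching re-downloaded originals against encrypted copies is tedious by hand. The sketch below is an added example, not part of the Emsisoft tool, that applies the pairing rule and size requirement described above. The function names are hypothetical, "150Kb" is read as 150 KiB, and files are matched by name only.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path

MIN_PAIR_BYTES = 150 * 1024  # assumption: the article's "150Kb" read as 150 KiB

def _norm(ext):
    return "." + ext.lstrip(".").lower()

def find_file_pairs(encrypted_dir, originals_dir, ransom_ext):
    """Return {file_type: [(original, encrypted), ...]} for usable pairs.

    Files are matched by name only (image.jpg <-> image.jpg.reco), which is a
    heuristic: confirm the original really is the same file before uploading.
    """
    ext = _norm(ransom_ext)
    originals = {}
    for root, _dirs, files in os.walk(originals_dir):
        for name in files:
            originals.setdefault(name.lower(), Path(root) / name)
    pairs = defaultdict(list)
    for root, _dirs, files in os.walk(encrypted_dir):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            base = name[: -len(ext)]  # drop the extension the ransomware appended
            original = originals.get(base.lower())
            encrypted = Path(root) / name
            if original is None:
                continue
            if min(original.stat().st_size, encrypted.stat().st_size) < MIN_PAIR_BYTES:
                continue  # below the size requirement
            pairs[Path(base).suffix.lower() or "(none)"].append((original, encrypted))
    return dict(pairs)

def types_without_pair(encrypted_dir, pairs, ransom_ext):
    """Encrypted file types that still have no usable pair."""
    ext = _norm(ransom_ext)
    seen = set()
    for _root, _dirs, files in os.walk(encrypted_dir):
        for name in files:
            if name.lower().endswith(ext):
                seen.add(Path(name[: -len(ext)]).suffix.lower() or "(none)")
    return sorted(seen - set(pairs))

if __name__ == "__main__" and len(sys.argv) == 4:
    found = find_file_pairs(*sys.argv[1:])
    for ftype, items in sorted(found.items()):
        print(ftype, items[0][0], "<->", items[0][1])
    print("still needed:", types_without_pair(sys.argv[1], found, sys.argv[3]))
```

Run it with three arguments: the folder of encrypted files, the folder of re-downloaded originals, and the ransomware extension (for example reco).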
As soon as you have some pairs of encrypted and original files, follow the steps below to decrypt files locked by STOP/DJVU ransomware.
- Upload a pair of original and encrypted files via the Emsisoft Decryption page and click SUBMIT. The form will tell you if the files you are uploading are too small.
- Once you click SUBMIT, wait patiently until your files are processed.
- At this point, you will be provided with a download link for the STOP/DJVU decrypt tool. Download it and, once the download completes, open it.
- In the UAC prompt, press Yes.
- Next, click Add folder and choose the locations you want to scan for files with the specific file extension to decrypt.
- Click Decrypt.
- If the decryptor is unable to recover specific file types, train it by uploading another file pair to the link provided in Step 1. Repeat with different file type pairs until you restore as many files as possible.
Method 3. Decrypt .puma, .pumas, .pumax, .INFOWAIT, .DATAWAIT files
Victims whose files were encrypted by the .puma, .pumax, .pumas, .INFOWAIT and .DATAWAIT ransomware versions can use the STOP Puma decrypter to recover their files.
Victims of these ransomware variants received ransom notes called !readme.txt with the following contents:
================ !ATTENTION PLEASE! ================
Your databases, files, photos, documents and other important files are encrypted and have the extension: .puma
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail [email protected] send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% avaliable if you contact us first 72 hours.
=========================================
E-mail address to contact us: [email protected]
Reserve e-mail address to contact us: [email protected]
Your personal id: 3346se9RaIxXF9m45nsmx7nL3bVudn91w4SNY8URDVa
To decrypt files locked by STOP/DJVU Puma variants, follow these instructions:
- Create file pairs as explained in Method 2.
- Download DJVU Puma Decryptor by Emsisoft.
- Open the decryptor and click Yes in the User Account Control prompt.
- Upload the encrypted and original file copies to the decryptor and, if required, the ransom note file. Click Start.
- The STOP/DJVU Decryptor will display decryption details. Press OK.
- Click Add folder and select the files, locations or entire partitions to scan in order to recover locked files.
- Click Decrypt.
We hope that you found this tutorial helpful and that you managed to decrypt the files encrypted by DJVU ransomware. We strongly recommend that you read ransomware prevention tips to avoid similar malware attacks in the future.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.