Decrypt Files Locked by STOP/DJVU Ransomware (Updated 2022 Guide)

You can decrypt or repair files encrypted by STOP/DJVU ransomware virus: here’s how

STOP/DJVU Decryptor and Media_Repair are two main utilities which can help to repair OR decrypt files locked by STOP/DJVU ransomware. The decryptor is an encrypted-file decryption tool created by Emsisoft and Michael Gillespie and published on October 18, 2019. It is currently capable of decrypting 148 virus versions out of 160. The tool was developed by creating a side-channel attack on ransomware’s keystream. The tool can help victims recover their files without paying a ransom to the cyber criminals. In addition, a tool released by DiskTuna allows repairing certain file types, which you might also find helpful. The guide below will explain how to restore data using the said recovery tools.

DJVU ransomware is one of the most widespread crypto-malware variants of 2019/2020/2021/2022 which reportedly has affected more than half a million victims worldwide. The malicious virus was mostly distributed using malicious keygens, software cracks and tools like KMSPico. The malicious payload was strategically hidden in these popular, yet illegal files used to activate paid software for free.

According to Emsisoft, STOP DJVU Decryptor is capable of restoring data for about 70% of all victims. Unfortunately, 12 versions of the ransomware are the “improved” ones and these can’t be fully recovered at the moment. These emerged around August 2019.

DJVU ransomware victims should be aware that the virus’ versions based on their extensions are categorized into old and new variants. It’s been a while and all the current versions can be decrypted ONLY if offline encryption was used. Additionally, despite online or offline encryption used, you can repair certain file types using DiskTuna’s tool Media_Repair (find the usage guide below).

UPDATE 2020, July 4th. The most popular new STOP ransomware versions and possibility to recover files based on the key type are listed below.

DJVU versions that can be decrypted (offline encryption) – UPDATED LIST

Currently, Emsisoft Decryptor for STOP DJVU database includes decryption keys for the following ransomware variants (only if offline key was used, meaning that your one of the personal IDs in C:/SystemID/PersonalID.txt file ends in t1). Here is the updated list:

.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk, .peet, .mbed, .kodg, .zobm, .msop, .hets, .mkos, .nbes, .reha, .topi, .repp, .alka, .nppp, .npsk, .opqz, .mado, .covm, .usam, .vawe, .maas, .nile, .geno, .omfl, .sspq, .iqll, .ddsg, .wiot

Please be patient because offline keys for the latest 2022 versions – AAWT, AAMV, AABN, AAYU, EEYU, EEMV, EEWT, EEBN, MMDT, MMVB, MMPU, OOPU, OODT, OOVB, QQKK, QQPP, QQJJ, QQRI, QQLC, QQLO, QQMT, CCZA, CCEO, CCEW, CCYU, VVYU, VVEW, VVWQ, VVEO, HHYU, OOXA, OORI, GGEO, GGWQ, GGEW, HHEO, HHWQ, HHEW, JJWW, JJYY, GHSD, DKRF, EIUR, LLQQ, LLEE, LLTT, LLOO, EIJY, EFVC, HKGT, BBZZ, BBII, BBYY, EEFG, BNRS, RRYY, RRBB, RRCC, ZFDV, EWDF, UIHJ, ZPPS, QLLN, NNUZ, FEFG, FDCV, DFWE, ERRZ, IFLA, BYYA, KRUU, SIJR, BBNM, EGFG, XCVF, MINE, HHJK, TTII, MMOB, JHGN, JHBG, DEWD, JHDD, DMAY, MSJD, NUHB, YGVB, DWQS, QPSS, HAJD, QALL, GHAS, UYJH, TUID, UDLA, GTYS, MPAG, VOOM, KXDE, WDLO, PPHG, RGUY, SSOI, KKIA, HFGD, MMUZ, RGUY, UIGD, EYRV, VLFF, BPQD, XCBG, KQGQ, VTYM, QBAA, FOPA, VYIA, IIOF, SDJM, FGNH, FGUI, JJTT, RTGF, OOII, GCYI, EUCY, CKAE, QNTY, CCPS, IIPS, AVYU, CUAG, BBBE, BBBR, QQQR, MAIV, BBBW, YOQS, QQQE, QQQW, MAAK, FHKF, VFGJ, YBER, ZAQI, NQHD, VGKF, DEHD, LOOV, MIIA, SBPG, XCMB, NNQP, HUDF, SHGV, YJQS, MLJX, YQAL, MOIA, ROBM, RIGJ, PQGS, IISA, FUTM, QMAK, QDLA, STAX, IRFK, PALQ, COOL, RIVD, RUGJ, ZAPS, MAQL, VTUA, IRJG, NQSQ, TISC, RIGD, KOOM, EFDC, LQQW, IWAN, ORKF, HOOP, REQG, MUUQ, NOOA, GUER, AEUR, HHQA, MOQS, UFWJ, GUJD, WWKA, ZZLA, LSSR, POOE, ZQQW, MIIS, NEER, LEEX, PIIQ, QSCX, MPPQ, PAHD, PAAS, EHIZ, NUSM, IGVM, PCQQ, REJG, WRUI, LMAS, URNB, FDCZ, YTBN, EKVF, ENFP, TIRP, REIG, RIBD, CADQ, YGKZ, PLAM, .COSD, POLA, WBXD, COOS, QLKM, ATEK, IGAL, BOOA, IGDM, NOBU, WEUI, LISP, SGLH, EPOR, VVOA, AGHO, VPSH, JDYI, IISS, NYPG, EFJI, MMPA, FOQE, MOSS, LYLI, COPA, KOLZ, NPPH, OGDO, KASP, NORD, BOOP, VARI, OONN, KOOK, ERIF, KUUS, REPL, ZIDA, MOBA, PYKW, TABE, NYPD, ZWER, KKLL, NLAH, ZIPE, PEZI, KOTI, MZLQ, SQPC, MPAL, QEWE, LEZP, LALO, MPAJ, JOPE, OPQZ, REMK, FOOP, LOKD, REZM, MOOL, OOSS, MMNN, ROOE, BBOO, BTOS, NPSG, NOSU, KODC, LLOO, LLTT, LLEE ransomware versions are not found yet.

For these versions, the tool can decrypt files locked by OFFLINE key only. Keep in mind that the offline key takes time to extract, to the very last versions such as .aawt or .aamv might not be decryptable at the moment.

Please note that you must remove DJVU ransomware virus remains before you try to recover your files. We strongly recommend using a robust antivirus for this task. In addition, we strongly recommend scanning with RESTORO to repair virus damage on Windows OS files.

REPAIR VIRUS DAMAGE

Before you proceed into the article, check the list of supported extensions to determine whether you can decrypt STOP DJVU files.

How to check if online or offline key was used in encryption

If you have been attacked by this ransomware after August 2019, you need to determine whether online or offline key was used to lock your files.

The updated ransomware encrypts files using online keys (different for each victim) if it manages to connect to its Command & Control Server during the attack. Otherwise, it uses an offline key, which is the same one for all victims of one ransomware variant (with the same extension).

If an offline key was used, you have chances to restore data now or in the near future. Unfortunately, we cannot say the same about victims affected by the online keys.

To determine what keys were used, follow these steps.

1. Go to C: disk and then open SystemID folder.
2. Here, open PersonalID.txt file and look at the keys listed here.
3. If ANY of them end with t1, it means you can recover at least part of the data using STOP Decryptor.

Decryptable DJVU virus extensions list

.peet, .mbed, .kodg, .zobm, .msop, .hets, .gero, .hese, .grod, .seto, .peta, .moka, .meds, .kvag, .domn, .nesa, .nols, .werd, .coot, .derp, .meka, .mosk, .bora, .reco, .kuub, noos, .karl, .shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .godes, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .rezuc, .stone, .skymap, .mogera, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peka, .puma, .pumax, .pumas, .DATAWAIT, .INFOWAIT.

Please note that some versions can be decrypted only if offline key was used. If your files were affected with online key and the decryption is impossible, you will see the following message: No key for New Variant.

Decrypt Files Locked by STOP/DJVU Ransomware

See the guide below on how to decrypt DJVU files using the decrypted by Emsisoft. This guide explains how to decrypt files locked by OFFLINE and ONLINE keys. Please check the next part of the tutorial if you’re infected with .puma, .pumax or .pumas variant.

Method 1. Decrypt Files Locked With OFFLINE Key

The guide described below helps to decrypt files locked with OFFLINE key for all DJVU ransomware versions created prior to August 2019.

Victims of these versions received ransom notes called _readme.txt with such contents. Please note that new versions like .nypd or .zwer use new contact emails: helpmanager@mail.ch or restoreadmin@firemail.cc.

ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
[removed link]
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
gerentoshelp@firemail.cc
Your personal ID:
9315hTlGeRsMht5nsgsaoejm4RWx1y69zcacA5hSp3l60BnY8f3q
asd3SGd8723bqD7SH8JmYm298WxkjhasiuSDFS35Qaidkhantjt1

If you were attacked with both ONLINE and OFFLINE keys, complete these steps and proceed to the next part of the tutorial.

1. Download STOP/DJVU Decryptor.
2. Open the decryptor. You will have to click Yes in User Account Control window.
3. Agree to License Terms by clicking Yes.
   
4. Next, add locations to decrypt by clicking Add Folder and selecting locations from your computer. By default, C:\ partition is added.
   
5. Click Decrypt to start decrypting your files.

Method 2. Decrypt Files Encrypted with ONLINE KEY

Before you can start to decrypt files locked by STOP/DJVU ransomware, you will need a pair of encrypted and unencrypted file copies for all file types you are willing to decrypt.

There are three requirements for file pairs:

• Must be at least 150Kb in size;
• Must be the same file that was encrypted;
• To decrypt different file types, you need file pairs for them, for example, .jpg, .doc, .mp3, etc.

How to find data pairs

An easy way to find some pairs is to check encrypted files in your downloads and trace the source where you downloaded them from. For instance, if you have downloaded some files from email or specific website recently, you can download a copy from email and check for encrypted version in your downloads.

Your downloads are likely to contain various file types that you have downloaded from the Internet. Try to remember exactly where you got them from so that you could download them again and have data pairs for as many different file extensions as possible.

For example, you need image.jpg to pair with image.jpg.reco, video.mp4 to pair with video.mp3.reco, and so on.

As soon as you have some pairs of encrypted and original files, follow the steps below to decrypt files locked by STOP/DJVU ransomware.

1. Upload a pair of original and encrypted files via Emsisoft Decryption page and click SUBMIT. The form will inform you if you’re uploading too small files.
   
2. Once you click SUBMIT, wait patiently until your files are processed.
3. At this point, you will be provided with STOP/DJVU decrypt tool download link. Download it and, once complete, open it.
4. In UAC prompt, press Yes.
5. Next, click Add folder and choose file locations you want to scan and decrypt files with specific file extension.
   
6. Click Decrypt.
7. If the decryptor won’t be capable of recovering specific file types, train it by uploading another file pair to the link provided in Step#1. Repeat with different file type pairs until you restore as many files as possible.

Method 3. Decrypt .puma, .pumas, .pumax, .INFOWAIT, .DATAWAIT files

Victims whose files were infected with .puma, .pumax, .pumas, .INFOWAIT and .DATAWAIT ransomware versions can use STOP Puma decrypter to recover their files.

Victims of this ransomware variants received ransom notes called !readme.txt with such contents:

================ !ATTENTION PLEASE! ================
Your databases, files, photos, documents and other important files are encrypted and have the extension: .puma
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail pumarestore@india.com send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% avaliable if you contact us first 72 hours. =========================================
E-mail address to contact us: pumarestore@india.com
Reserve e-mail address to contact us:
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch Your personal id: 3346se9RaIxXF9m45nsmx7nL3bVudn91w4SNY8URDVa

To Decrypt files locked by STOP/DJVU Puma variants, follow these instructions:

1. Create file pairs as explained in Method#2.
2. Download DJVU Puma Decryptor by Emsisoft.
3. Open the decryptor and click Yes in the User Account Control prompt.
4. Agree with Terms Of Use.
5. Upload encrypted and original file copies to the decryptor and, if required, ransom note file. Click Start.
   
6. The STOP/DJVU Decryptor will display decryption details. Press OK.
7. Choose Add folder and choose to include files, locations or simply partitions to scan and recover locked files.
   
8. Click Decrypt.

BONUS: REPAIR files locked by STOP/DJVU (Beta)

Media_Repair by DiskTuna is a free and secure tool that can help to repair a limited range of encrypted files. Since DJVU ransomware encrypts only 150kb of the files, Media_Repair attempts to fix them by making the non-encrypted part of the file playable again. The tool isn’t meant to decrypt the files. Currently, the software is capable of repairing file types listed below. Please pay attention that for formats marked with *, a reference file is required.

• WAV*;
• MP3;
• MP4*;
• M4V*;
• MOV*;
• 3GP*.

Just like Emsisoft’s tool, Media_Repair requires a reference file, in other words, a full, unaffected example file created on the same device or with the same software. That said, if you had videos encrypted that were shot with your camera, you should use the same settings used to create that video to create a reference video file for file repair. Same example goes with video editing software – try to duplicate video settings used to create a specific video you had encrypted.

Please be aware that the tool won’t be capable of fixing absolutely all kinds of files. For example, videos optimized for online streaming (fast start), can’t be repaired at the moment. The tool is also known to fail with large files, although this issue is likely to be fixed in future updates.

Media_Repair was made available thanks to researchers Nguyễn Vũ Hà and Joep van Steen.

How to use Media_Repair to fix encrypted files

Please follow the given steps carefully to attempt encrypted file repair using Media_Repair.

1. Download the tool from DiskTuna (official download link).
2. Open the location of the downloaded file, then right-click it and choose Extract to Media_Repair\.
3. Double-click the Media_Repair.exe file.
4. First, select file type you’re trying to repair.
   
5. Then, browse to the folder containing encrypted files or the reference file. You can use one or another to see whether the tool will succeed in repairing desired files.
6. Click the Test button in the upper right corner to see if the file can be repaired. 
   At this point, the repair success depends on several factors. Even if the tool repairs that the file can be fixed, it does not immediately guarantee the success.
   It depends on things such as the example correctness as the reference file and the size of the encrypted file. In case you receive a message that the file can’t be repaired, then most likely it can’t.
7. Now, select the reference file, and click the second button in the upper right corner. This will confirm the reference file to be used for corrupt data fixing. Please proceed only after the tool tells you that file pair is correct in step #6. 
   
8. Click the Play button to start repairing. If you wish to stop, click the Stop button to cancel the repair.
   

Important things to know about the repair tool:

• You must have a reference file. If you do not have it or can create it, no one else can make it for you.
• If you do not know the settings used to create the encrypted file, unfortunately, no one else will. Try experimenting and creating different reference files, then try the repair tool again.
• More supported file formats might be available in the future, although this is not promised.
• Please remember that the tool repairs the files, but doesn’t decrypt them. Some information loss might be expected;
• It doesn’t matter whether online or offline encryption was used by the ransomware, you can try the tool on the listed file formats.
• For more information about Media_Repair, please visit its developer’s website.

We hope that you found this tutorial helpful and you managed to decrypt files infected by DJVU ransomware successfully. We strongly recommend you to read ransomware prevention tips to avoid similar malware attacks in the future.