BOOT ransomware virus is a strain of DJVU malware
Contents
BOOT ransomware virus is a file-encrypting malware from STOP/DJVU ransomware family (v0167). It encrypts all files on victim’s computer and connected cloud accounts using AES/RSA cryptography, making them impossible to open. The malware marks each file with .boot file extension and then creates a ransom note in _readme.txt file, which contains instructions regarding data recovery.
The ransom note left by ransomware developers informs the user that all photos, databases, documents and other files have been encrypted, and the only way to restore them is to pay a ransom in Bitcoin.
The criminals suggest sending some files to them to get them decrypted as a proof of the STOP/DJVU decryption tool’s functionality. There are two contact email addresses provided: gorentos@bitmessage.ch and gerentoshelp@firemail.cc.
The cybercriminals state ransom price rules same as in previously distributed NESA ransomware variant:
- If the victim pays within 72 hours after getting files encrypted with .boot file extensions, the ransom price is $490.
- If the victim fails to pay within 3 days, the ransom price doubles to $980.
The virus typically encrypts all files using ONLINE key (if it manages to connect to its command&control server). However, in some cases it might encrypt some files using OFFLINE key or a combination of both. Speaking of BOOT file decryption, it can be done only on files locked using OFFLINE key. You can also use your data backup to restore encrypted files.
However, in case your personal ID ends with t1, there might be some hope to restore your files because it indicates that files were locked with an OFFLINE key. See the main article about DJVU for decryption details.
In case your files were encrypted with ONLINE key, which is the most common way of encryption since each infected computer typically is connected to network – there are no BOOT decryption tools available.
There are no options to recover .boot file extension data encrypted by the virus using Volume Shadow Copies – the virus deletes them using a command prompt. It also runs these commands to stop particular Windows services and disable recovery options.
sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet
Beware of additional malware on your system
The STOP ransomware (also known as DJVU) is known to distribute additional malware called Azorult password-stealing Trojan Several victims have already reported that the attackers managed to steal their passwords and use their financial data illegally.
It is clear that if you want to avoid that, you must remove Boot ransomware virus along with all other threats from your PC immediately. Please follow the instructions given at the end of this article. After that, change all your important passwords (online shops you used recently, other accounts connected to your credit cards) IMMEDIATELY.
Content of the ransom note (_readme.txt or _openme.txt) is shown below.
ATTENTION!
Boot ransomware note (_readme.txt)
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
[removed link]
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
gerentoshelp@firemail.cc
Your personal ID:
0165hTlGeRsMTHVpwDk4Ylm4RWx1y69zcacA5hSp3l60BnYwdby
Threat Summary
| Name | BOOT ransomware virus |
| Type | Ransomware (STOP/DJVU family) |
| Ransom note | _readme.txt, _openme.txt |
| Ransom price | $490-$980 |
| Encryption | AES combined with RSA |
| Decryption | Impossible; unless an offline key is used. |
| Distribution | Malicious emails, infected downloads |
| Removal | Remove using antivirus software |
Ransomware distribution tactics
Boot ransomware, as well as the whole STOP/DJVU virus variants are known to reach the targets via classic malware distribution channels, such as:
- Malicious spam;
- Malicious links;
- Compromised ad networks;
- Compromised web pages.
- Illegal downloads.
Please be very careful when browsing online to avoid unexpected data loss. Cyber criminals are highly professional nowadays and they can obfuscate a malicious file almost without leaving no traces. Resist the temptation to open an interesting e-mail you received but never waited for – it is most likely a trap that will destroy all of your files.
One wrong click on an email attachment or malicious link can turn all your files useless, so please be extremely attentive what you open when browsing the world wide web. We suggest reading these ransomware prevention guidelines.
BOOT ransomware removal tips
You must remove BOOT ransomware virus instantly due to the privacy hazards it causes. Some variants of this malware spreads along with Azorult data-stealing Trojan, so we strongly recommend using a robust malware cleaner – antivirus.
Start Boot ransomware removal using the self-help guide given below. It is extremely important to use an up-to-date antivirus so that it could have this virus’ detection details. Once you get rid of the malware on your computer, start data recovery using a backup you have. If you don’t, there may be no ways to restore your files.
If that’s the case, we still do not encourage you to pay the ransom – cyber criminals aren’t the ones to be trusted, so even after paying you might never get your files back.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
BOOT ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove BOOT ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
This article was first published on September 29, 2019 and updated on October 3, 2019.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Thank you for the education it is very helpful
I was a victim of Ransomware as a result of installing software that turned out to be a virus.
This one infected my PC and my network hard drive.
This is the STOP DJVU Ransomware which appends the .RUGJ. extension to all files
I tested Emsisoft Decryptor (for STOP DJVU, version 1.0.0.5)
Here is the result :
Error: No key for New Variant online ID:
Notice: this ID appears to be an online ID, decryption is impossible
I deleted _readme.txt from my computer, now I do not know who to contact. What is the solution to open the file, please cooperate
Thanks very much.
Hello mr Webb. Thank you for your guidance.
My system has been infected with Righ extension. Can you help me please?
Hi Norbert, personal ID ends with t1 in my case, can you please help in how to extract OFFLINE key ?
I cannot help to extract it. Only cyber security professionals can and they are currently working on it.
Thank you for the education it is very helpful. But the solution didn’t work for me. I sent one of the encrypted files to them and they decrypted it and sent it back to me. I don’t have the money to pay the Ransome now .
All my files type has changed to .boot . kindly let me know when there is a solution. Thank you ..
Dear Hamid,
Please check your personal ID. If it ends with t1, you might have a chance to recover some files as soon as the OFFLINE key will be extracted. Otherwise, chances are way lower…
muito obrigado pelas informações, esses otarios merecem apanhar, mas obrigado novamente
Glad we could help!