Remove STOP/DJVU Ransomware Virus (2023 Guide)

STOP/DJVU in 2023: more than 670 versions, latest ones using JYPO, JYWD, JYOS, TYPO, TYOS extensions

DJVU ransomware (also known as STOP) is the most widespread file-encrypting virus of 2022/2023 that uses RSA cryptography algorithm to lock victim’s data on a computer or whole server running Windows OS, making files impossible to open or use. Victims typically download this virus from cracks or keygens or malicious email attachments. There are over 670 versions of the malware, the latest ones using .jypo, .jywd, .jyos, .typo, .tyos, .tywd, .tycx, .darj, .dazx, .dapo, .qarj, .qazx, .qapo, .craa, .coba, .coaq, .cosw, .qotr, .goaq, .goba, .gosw, .qowd, .qoqa, .iotr, .iowd, .hhmm, .hhee, .hhoo file extensions to mark corrupted files. It has been observed that this ransomware strain changes extensions used regularly, usually several times a week. Good news is that the majority of the victims can recover files using STOP/DJVU Decryptor by Emsisoft and Michael Gillespie, or hope to recover them in offline encryption key was used. Additionally, part of the files can be repaired using Media_Repair tool by DiskTuna. This guide below includes all the information you need about this ransomware.

Upon a successful computer infiltration, the STOP/DJVU ransomware installs its executable (.tmp.exe format file) in LocalAppData folder and downloads several other .exe files (updatewin.exe, build.exe, build2.exe, 1.exe, 2.exe and 3.exe or similar).

1. [random chars].TMP.EXE – the main executable of ransomware.
2. 1.exe is designed to disable and remove Windows Defender virus’ definitions and shut down real-time scanning;
3. 2.exe modifies Windows hosts’ file so that the victim couldn’t navigate to security websites;
4. 3.exe functionality is unknown;
5. Updatewin.exe shows a fake Windows update window while the encryption procedure begins.

After these preparations, DJVU virus scans the system for personal files and encrypts the first 150 KB of them with cryptographic algorithms, so that the victims couldn’t access them anymore. The virus also adds random 334 bytes (includes RSA-encrypted key, ID and filemarker) to the actual file size. Consequently, the malware drops ransom notes (called _openme.txt or _readme.txt), which hold information regarding data decryption.

Update 2023 January 5th. In the beginning of 2023, the ransomware family is still extremely active and its main distribution method relies on illegal online downloads. On top of that, the malware launcher file samples collected during our research revealed a fact that STOP/DJVU versions often are triggered in tandem with information-stealing Trojans capable of extracting highly private information from infected computers. The names of discovered Trojans are RedLine, VIDAR, Azorult.

These Trojans can steal browser cookies, history, saved passwords, offline cryptocurrency wallets, banking details, also view, edit or delete victim’s files on computer or download more malware on the system.

Therefore, anyone facing such cybersecurity risks should know that STOP (DJVU) removal is simply an essential task that should not be delayed for long. For this matter, we recommend using an up-to-date and robust malware removal tool, such as INTEGO Antivirus. Do not try to remove the malware manually unless you are an advanced computer user.

What is more, we strongly suggest using RESTORO to repair virus damage on Windows OS files. Additionally, you MUST change all your passwords for accounts whose credentials you have chosen to save in your browser. Due to the password-stealing capability of the malware installed on your computer, you should consider your passwords compromised immediately and not take any risks.

Update 2020 January 18: On January 18th, a new version has been spotted again. At the ending of 2019, it was noticed that the ransomware developers slowed down with the virus’ distribution and stopped producing new versions at all. It is believed that they took some time off to cash out the earned money and rest before the new year. However, the appearance of KODC ransomware virus simply proves that earning millions from this virus in 2019 wasn’t enough – the nightmare for inattentive computer users is believed to evolve and continue.

The latest STOP/DJVU versions of January 2023 are DARJ DAZX, TYWD, TYCX, TYOS, TYPO, JYWD (find full list here).

REPAIR VIRUS DAMAGE

_readme.txt file says failure to pay up results in data loss

The ransom note instructs to purchase a DJVU decryptor software and a private key for a particular sum, typically $980. Nonetheless, the attackers suggest a 50% discount if the victim contacts them within 72 hours (3 days), selling the decryption tools for $490. In order to guarantee that decryption tools will be provided, attackers suggest decrypting one file for free.

To better understand how encryption/decryption works, let us provide an easy explanation. When files are encrypted, the malicious virus sends out information (in particular, private keys) to its remote servers. From there, keys can not be accessed by anyone but cybercriminals.

These keys are the only keys that can decrypt your data. However, in some cases, attackers leave some flaws in their malicious software, which allows malware analysts to find out what the private keys are.

The victim is then advised to contact one of the provided emails for further information. The attackers change their contact information regularly, but currently known email addresses are provided below.

• gorentos@bitmessage.ch;
• gorentos2@firewall.cc;
• helpshadow@india.com;
• restoredjvu@firemail.cc;
• pdfhelp@india.com;
• salesrestoresoftware@firemail.cc;
• salesrestoresoftware@gmail.com;
• restorefiles@firemail.cc;
• datarestorehelp@firemail.cc;
• datahelp@iran.ir;
• helpmanager@firemail.cc;
• helpmanager@iran.ir;
• restoredjvu@india.com;
• helpdatarestore@firemail.cc;
• helpmanager@mail.ch;
• restoreadmin@firemail.cc (first noticed in ZIPE variant);
• restoremanager@airmail.cc (first noticed in MOBA variant);
• helpteam@mail.ch (first noticed in YGKZ variant);
• helpmanager@airmail.cc;
• managerhelper@airmail.cc (first noticed in MOQS variant);
• manager@mailtemp.ch (first noticed in SSPQ variant);
• supporthelp@airmail.cc (first noticed in TISC variant);
• helprestoremanager@airmail.cc (spotted in IRFK variant);
• support@sysmail.ch (spotted in NQHD variant);
• supportsys@airmail.cc (spotted in FOPA variant);
• manager@time2mail.ch (spotted in MSJD variant);
• admin@helpdata.top (spotted in FDCV variant);
• support@bestyourmail.ch (spotted in RRBB variant);
• datarestorehelp@airmail.cc (spotted in VVYU variant);
• support@fishmail.top (spotted in POHJ variant);
• support@freshmail.top (spotted in ZNSM variant).

The ransom note stresses out that STOP/DJVU decryption tool isn’t available in any other way, however, it isn’t entirely true.

STOP/DJVU decrypt tool has been released on September 18, 2019, thanks to the work of Michael Gillespie and Emsisoft. Check this tutorial to download and learn how to use it.

First detected in 2018 by Michael Gillespie, The malware is actively distributed in 2019 and is continuously updated. Proof of this – new variants append various file extensions to cryptographically modified files. It is believed that .djvu file virus along with other variants is operated by a Turkish hacker group. The list of currently known file extensions is provided below.

List of file extensions used by STOP/DJVU ransomware variants

As a rule, ransomware appends file extensions to modified files to make them stand out. Currently known file extensions used by DJVU virus family are:

STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT,.djvut .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promock, .promoks, .promorad, .promorad2, .kroput, .kroput1, .charck, .pulsar1, .puma, .pumax, .pumas, .shadow, .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .moresa, .verasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .browec, .norvas, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidon, .heroset, .myskle, .boston, .muslat, .gerosan, ,vesad, .horon, .neras, .dalle, .lotep, .nusar, .litar, .truke, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .tocue, .darus, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, prandel, .zatrov, .masok, .ndarod, .access, .format, .brusaf, londec, .krusop, .nasoh, .nacro, .pedro, .mtogas, .coharos, .nuksus, .vesrato, .masodas, .stare, .cetori, .carote, .shariz, .gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .kuub, .noos, .reco, .xoza, .bora, .leto, .werd, .nols, .coot, .derp, .nakw, .toec, .mosk, .lokf, .peet, .grod, .kodg, .mbed, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .nbes, .mkos, .redl, .piny, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal, .sqpc, .mzlq, .koti, .covm, .pezi, .zipe, .nlah, .kkll, .zwer, .nypd, .usam, .tabe, .vawe, .moba, .pykw, .zida, .maas, .repl, .kuus, .erif, .kook, .nile, .oonn .vari, .boop, .nord, .geno, .kasp, .ogdo, .npph, .kolz, .copa, lyli, .moss, .foqe, .mmpa, .efji, .nypg, .iiss, .jdyi, .vpsh, .agho, .vvoa, .epor, .sglh, .lisp, .weui, .nobu, .igdm, .booa, .omfl, .igal, .atek, .qlkm, .coos, .wbxd, .pola, .cosd, .plam, .ygkz, .cadq, .ribd, .reig, .tirp, .enfp, . ekvf, .ytbn, .fdcz, .urnb, .lmas, .wrui, .rejg, .pcqq, .igvm, .nusm, .ehiz, .paas, .pahd, .mppq, .qscx, .sspq, .iqll, .ddsg, .piiq, .leex, .neer, .miis, .zqqw, pooe, .lssr, .zzla, .wwka, .gujd, .ufwj, .moqs, .hhqa, .aeur, .guer, .nooa, .muuq, .reqg, .hoop, .orkf, .iwan, .lqqw, .efdc, .wiot, .koom, .rigd, .tisc, .nqsq, .irjg, .vtua, .maql, .zaps, .rugj, .rivd, .cool, .palq, .irfk, .stax, .qdla, .qmak, .futm, .iisa, .pqgs, .pqgs, .robm, .rigj, .moia, .yqal, .mljx, .yjqs, .shgv, .hudf, .nnqp, .xcmb, .sbpg, .miia, .loov, .dehd, .vgkf, .nqhd, .zaqi, .yber, .vfgj, .fhkf, .maak, .qqqw, .qqqe, .yoqs, .bbbw, .maiv, .bbbe, .bbbr, .qqqr, .cuag, .iips, .ccps, .qnty, .ckae, .eucy, .gcyi, .ooii, .rtgf, .jjtt, .fgui, .fgnh, .sdjm, .iiof, .vyia, .qbaa, .fopa, .vtym, .kqgs, .xcbg, .bpqd, .vlff, .eyrv, .uigd, .rguy, .mmuz, .hfgd, .kkia, .ssoi, .pphg, .wdlo, .kxde, .udla, .gtys, .mpag, .voom, .tuid, .uyjh, .ghas, .qall, .hajd, .qpss, .dwqs, .nuhb, .msjd, .ygvb, .dmay, .jhdd, .dewd, .jhbg, .jhgn, .mmob, .ttii, .hhjk, .sijr, .bbnm, .egfg, .xcvf, .mine, .kruu, .byya, .ifla, .errz, .dfwe, .fdcv, .fefg, .nnuz, .qlln, .zpps, .ewdf, .uihj, .zfdv, .rrcc, .rrbb, .rryy, .bnrs, .eefg, .bbyy, .bbii, .bbzz, .eijy, .efvc, .hkgt, .lloo, .lltt, .llee, .llqq, .eiur, .dkrf, .ghsd, .jjyy, .jjww, .hhew, .hhqw, .hheo, .ggew, .ggwq, .ggeo, .oori, .ooxa, .hhyu, .vvew, .vveo, .vvwq, .vvyu, .ccyu, .ccew, .cceo, .ccza, .qqlc, .qqlo, .qqmt, .qqri, .qqkk, .qqpp, .qqjj, . oovb, .oodt, .oopu, .mmpu, .mmdt, .mmvb, .eewt, .eemv, .aawt, .aamv, .aabn, .aayu, .eebn, .eeyu, .ofoq, .oflg, .ofww, .adww, .adlg, .towz, .tohj, .powz, .pohj, .tuis, .tury, .nuis, .nury, .powd, .pozq, .bowd, .bozq, .zate, .zatp, .fatp, .fate, .tcvp, .tcbu, .kcbu, .kcvp, .uyro, .uyit, .btnw, .maos, .matu, .mppn, .mbtf, .bttu, .btos, .bpsm, .znto, .znsm, .isal, .iswr, .isza, .manw, .bpto, .bpws, .zoqw, .zouu, .poqw, .pouu, .mztu, .mzqw, .mzop, .assm, .erqw, .erop, .vvmm, .vvoo, .hhee, .hhmm, .hhoo, .iotr, .iowd, .ioqa, .iotr, .iowd, .qowd, .qoqa, .qotr, .goba, .goaq, .gosw, .coaq, .cosw, .coba, .qarj, .qazx, .qapo, .craa, .dapo, .darj, .dazx, .tycx, .tywd, .tyos, .typo, .jyos, .jywd, .jypo and others.

The first thing you must do if you got infected by this ransomware is to remove DJVU ransomware virus from the system. If you do not know how to do it safely, read instructions provided below the article.

REPAIR VIRUS DAMAGE

Distribution techniques used to spread this ransomware threat

In general, ransomware viruses are executable files that can be obfuscated and transmitted to victims’ computers using a variety of methods. For instance, the executable file, which delivers the malicious payload, can arrive in a ZIP file or can come in a form of a JavaScript file which downloads and runs the ransomware on a computer.

In simple terms, to avoid ransomware, be careful when browsing online or opening emails.

Norbert Webb

Speaking of Djvu ransomware, its distribution methods include malicious email spam, infected websites, illegal downloads (such as KMSPico activator, key generators or cracks), or vulnerabilities in software or operating system installed on a computer.

Speaking of ransomware prevention, the best way to protect yourself is to keep your OS up to date, as well as software installed on your PC. In addition, don’t forget to bypass suspicious websites online, unexpected emails with attachments or links and never look at illegal downloads. Finally, we suggest reading about more sophisticated ransomware distribution techniques used in MAZE or MATRIX ransomware attacks.

Decrypt STOP/DJVU-encrypted files (148 extensions supported)

Victims of this ransomware can recover their files for free using Emsisoft Decryptor for STOP DJVU 2023. Thanks to the hard work of Emsisoft and Michael Gillespie, victims can decrypt their files without paying a ransom to the cybercriminals.

The said tool works for over 148 DJVU ransomware variants out of over 200. The decryptor can decrypt files encrypted by certain ransomware versions (see file extension list below). Most of the decryption is available for victims who were affected by offline keys or are able to get exact original encrypted data copies.

STOP/DJVU decryptor supported extensions list (2023 January)

.hets, .msop, .kodg, .mbed, .peet, .gero, .hese, .seto, .peta, .meds, .domn, .nols, .werd, .coot, .derp, .meka, .mosk, .bora, .reco, .kuub, noos, .nesa, .karl, .kvag, .moka, .shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .godes, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .radman, .ferosas, .rectot, .rezuc, .stone, .skymap, .mogera, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peka, .puma, .pumax, .pumas, .DATAWAIT, .INFOWAIT, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap.

If your encrypted files were marked with one of the listed extensions, see the guide on how to decrypt files locked by STOP/DJVU ransomware.

How to identify if files were encrypted with offline or online keys

STOP/DJVU ransomware first tries to connect to a remove Command & Control server. If it succeeds, it requests an unique encryption key to use on victim’s files. This is called online encryption method.

However, in case there are connectivity issues, and the ransomware fails to connect to the remote server to get the online key, it uses an offline key which is coded into the virus itself. This key is the so-called offline encryption key, and there is only one decryption key for it.

Once someone also affected with offline key pays for the decryption key and shares it with cybersecurity experts, the decryption tool can be updated. Therefore, it is impossible to say how long you’ll have to wait for decryption, since it is unknown when someone’s going to share the key with the cybersecurity experts. The offline encryption cases are also considered more rare than online cases.

IMPORTANT: For the newer DJVU versions starting from August 2019, the majority of files can only be decrypted if they were ciphered with an OFFLINE key.
You should check your personal IDs in C:\SystemID\PersonalID.txt file. If any of the keys end with t1, it means an offline key was used. However, it takes time for the researchers to extract offline keys, so be patient.

A simple example for RECO file extension virus: if personal ID is hvKVwn4fNn8A1rpjC19CUFmS1ySGycmqdrz89zt1, data can be decrypted.

Additionally, the newest versions such as .boop, .nile, .vari cannot be decrypted at the moment.

Please keep in mind that there is no Emsisoft Decryptor for STOP DJVU Online Key encryption.

Some DJVU encrypted files can be repaired

Good news for STOP/DJVU ransomware victims is that DiskTuna has released a small file repair tool (repair – not decrypt, so some data loss is expected). The tool allows to repair MP3, WAV, MP4, 3GP, MOV, M4V format files. This can be done due to the fact that the ransomware encrypts only the first 150 KB of file, therefore audio and video files can be repaired and still play, although some data loss at the beginning is expected.

The tool requires a reference file to work, so an example file must be created on the same device using same settings (such as shot on a camera with replicated settings used to create encrypted file).

Currently, the tool fails to work with extremely large files, but update is expected to roll out shortly.

The tool was made available to the public thanks to work of researchers Nguyễn Vũ Hà and Joep van Steen. You can read more about the tool usage in this guide or on the official DiskTuna’s blog.

Avoid fake STOP/DJVU decryptors used to spread ZORAB ransomware

How to decrypt djvu files, stop ransomware decryptor and other terms are the most popular search queries among victims of this ransomware. That said, criminals know that the victims are desperate to restore their files and will download anything that can help even a little. However, if you are a victim of this cyber attack, you should know that developers of another ransomware, namely ZORAB, are using fake STOP/DJVU decryption tool download link to spread its own malware. In other words, imagine a poor victim trying to find a tool that helps and downloading it, only to have his/hers own corrupted files encrypted twice.

The fake Decrypter DJVU tool asks to enter victim’s personal ID and extension of the virus, then click the button Start Scan. However, once the victim clicks the button, the virus will extract crab.exe executable and saves it to the %Temp% folder. The ransomware is an executable for ZORAB ransomware and will start encrypting victim’s files, adding .zrb or another extension to target files. The ransom notes dropped by this virus are called –-DECRYPT–ZORAB.txt.ZRB.

Remove DJVU ransomware and decrypt your files

STOP/DJVU ransomware removal is an essential part of protecting your PC after a cyber attack. For this reason, please follow the guidelines given below to eliminate the described virus from your computer successfully.

You must remove DJVU ransomware virus along with other malware it installs, therefore we recommend using a good anti-malware or antivirus software to wipe remains of bad software from your computer. Our team suggests using VB100 certified software – INTEGO Antivirus. To repair virus damage on Windows OS default files, consider installing RESTORO.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

This post was first published on August 13, 2019, and updated on January 5th, 2023.