According to information previously posted on the Emsisoft Forum, they no longer have any method to decrypt STOP (DJVU) Ransomware unless the encryption occurred before the 29th of August 2019. That means there is no way to decrypt files with ONLINE ID and some recent forms of STOP (DJVU).
Victims can keep trying the Emsisoft STOP Djvu Decryptor IF infected with an OFFLINE KEY, but at this point it appears Emsisoft has discontinued development and stopped all support of the decryptor.
NOTE: See Post #2 for tools (JpegMedic ARWE, JpegMedic, Media_Repair) which can be used to partially repair (not decrypt) JPEG and audio/video files (WAV, MP3, MP4, M4V, MOV, 3GP) partially encrypted by ransomware.
Updated: 08/09/24
This topic is the primary support topic for assistance with STOP (DJVU) Ransomware. It includes an updated summary of this infection, its variants and possible decryption solutions with instructions. Since switching to the New STOP Djvu variants (and the release of .gero) the malware developers have been consistent in using 4-letter extensions as noted here by Amigo-A (Andrew Ivanov). Some of these 4-letter extensions have been used (repeated) more than one time but have different version numbers.
See Post #2 for a LIST OF STOP DJVU Extensions.
Older variants of STOP Ransomware left files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt and !readme.txt.
STOP Djvu* and newer variants typically will leave ransom notes named _openme.txt, _open_.txt or _readme.txt.
STOP (Djvu) Ransomware has two versions.
1. Old Version: Most older extensions, starting with .djvu (v013) up to .carote (v154)...decryption for most of these versions was previously supported by STOPDecrypter if infected with an OFFLINE KEY (and a few ONLINE KEYS). That same support has been incorporated into the new Emsisoft Decryptor/submission method for these old Djvu variants...the decrypter will only decrypt your files without submitting file pairs if you have an OFFLINE KEY. For ONLINE KEY infection, read the instructions for using the submission portal.
2. New Version: The newest extensions released around the end of August 2019 AFTER the criminals made changes....starting with .coharos (v146) were never supported by STOPDecrypter. However, OFFLINE IDs/KEYS for some newer variants have been obtained by Emsisoft and uploaded to their server. This is possible after a victim pays the ransom, receives a private key from the criminals and shares (donates) that key with the Emsisoft Team. ONLINE KEYS are UNIQUE for each victim and just like older versions, they are randomly generated in a secure manner and are impossible to decrypt without paying the ransom which is not advisable. Since ONLINE KEYS are unique and random for each victim, they cannot be shared or re-used by other victims.
As a result of the changes made by the criminals, STOPDecrypter was discontinued AND replaced on October 18, 2019 with the Emsisoft STOP Djvu Decryptor developed by Emsisoft and Demonslay335 (Michael Gillespie). However, the same STOPDecrypter support was incorporated into the new Emsisoft decryptor/submission method for most old Djvu variants.
A decryptor for the STOP Ransomware has been released by Emsisoft and Michael Gillespie that allows you to decrypt files encrypted by 148 variants of the infection for free....anyone who was infected after August 2019 cannot be helped with this service. With that said, it may be possible to decrypt using an offline key, so even with these variants there may be some success.
EVERYONE should ONLY be using the Emsisoft STOP Djvu Decryptor <- Be sure to READ the INSTRUCTIONS in this article
The decryptor requires a working Internet connection in order to communicate with the Emsisoft server.
Emsisoft STOP Djvu Decryptor <- official authorized download link
There are limitations on what files can be decrypted. For all versions of STOP Djvu, files can be successfully decrypted if they were encrypted by an offline key that we have. For Old Djvu, files can also be decrypted using encrypted/original file pairs submitted to the STOP Djvu Submission portal; this does not apply to New Djvu after August 2019.
If you were infected after August 2019, then you are encrypted with a new version. In order to decrypt any of these new versions an OFFLINE ID with corresponding private key is required. If there is no OFFLINE KEY for the variant you are dealing with, Emsisoft cannot help you unless an OFFLINE KEY is retrieved and added to the Emsisoft server. If an OFFLINE KEY is obtained, it will be pushed to the server and automatically added to the decryptor. When you run the decrypter, it connects to the Emsisoft server and checks for updates if you have an active Internet connection. As such, you should download the decryptor to see if Emsisoft has been able to gain access to an OFFLINE KEY which can decrypt your files.
If you are infected with the .puma, .pumas, .pumax extension or some UPPERCASE (.INFOWAIT, .DATAWAIT) extensions of the earlier STOP Ransomware variants, you should download and use the Emsisoft Decryptor for STOP Puma. The older .puma based variants used XOR encryption and these extensions can be decrypted by providing a single encrypted and original file pair over 150KB. The same applies to UPPERCASE extensions...provide a single encrypted and original file pair over 150KB.
Emsisoft STOP Djvu File Pairing Decryption Service does not support new variants if your files were encrypted after AUG 2019.
Notice: this service does not support the "New" variants that use RSA encryption. If your files were encrypted after August 2019, chances are it is the "New" version.
If you are able to use this service, be aware the decryptor can only decrypt files with the same first 5 bytes as what you submitted and you have to supply a file pair for each format you want to decrypt. A single file pair means an encrypted file AND a copy of its exact unencrypted original file (same size). Everyone can always find a clean unencrypted copy of an original file that was encrypted for a file pair in order to reconstruct/extrapolate the encryption keys.
- Files you downloaded from the Internet that were encrypted and you can download again to get the original.
- Pictures that you shared with family and friends that they can just send back to you.
- Pictures you uploaded on social media or cloud services like Carbonite, OneDrive, iDrive, Google Drive, etc.
- Attachments in emails you sent or received and saved.
- Files on an older computer, flash drive, external drive, camera memory card or iPhone where you transferred data to the infected computer.
- Default or sample wallpapers/pictures that were shipped with your Windows version which you can get from another system running the same version.
The Emsisoft STOP Djvu Decryptor supports and will only attempt to decrypt files if they were encrypted by one of the known STOP (Djvu) OFFLINE KEYS and some ONLINE IDs if a proper file pair is supplied to the submission portal as explained here by GT500.
For newer STOP (Djvu) variants, the criminals switched to a new cryptographically strong key protected by RSA Salsa20 algorithm. Every file is generated securely with a new key using UuidCreate (which internally uses CryptGenRandom) that cannot be brute-forced. The encryption is the exact same regardless of whether it is an ONLINE or OFFLINE KEY which encrypted your files.
If the malware is able to connect (communicate) with its command and control servers it will obtain and use a unique randomly generated ONLINE KEY which will allow it to keep encrypting files with that key from memory. The malware is programmed to run itself on startup and a scheduled task every 5 minutes which allows it to keep repeating attempts to communicate with the servers and retrieve an ONLINE KEY. Without the master private RSA key that can be used to decrypt your files, decryption is impossible...the key is generated in a secure way that cannot be brute-forced. The public RSA key alone that encrypted the files is useless for decryption, therefore a malware sample of any particular variant is also useless for decryption since it only contains the public key.
If the malware is unable to connect (communicate) with its servers and fails to get an ONLINE KEY it will give up and resort to using an OFFLINE KEY. The OFFLINE KEY is a hard-coded built-in encryption KEY (used with a built-in OFFLINE ID) at the time the ransomware encrypted your files. Each variant extension only has one OFFLINE ID (a string of numbers and letters that identifies the infected computer to the ransomware) which generally ends in "t1" so they are usually easy to identify.
- cZs3TaUYZzXCH1vdE44HNr1gnD2LtTIiSFFYv5t1
- TLuCxxAdd5BLXYWIvnjsWaCNR5lWoznhlRTSott1
Since the OFFLINE KEY and ID only change with each variant/extension, everyone who has had their files encrypted by the same variant will have the same ID and the files will be decryptable by the same key (or "private key" in the case of RSA encryption).
- Decryption of new STOP (Djvu) variants is possible IF infected with an OFFLINE KEY using the Emsisoft Decryptor only after obtaining and sharing the corresponding private key from victims who paid the ransom for a specific variant. OFFLINE KEYS will work for ALL victims who were encrypted by the same key. If there is no OFFLINE KEY available for any specific variant, then your files cannot be decrypted at this time. We have no way of knowing when or if a private key for an OFFLINE ID will ever be recovered and shared with Emsisoft.
However, at this point it appears Emsisoft has discontinued development and stopped all support of the decryptor.
- Decryption of new STOP (Djvu) variants is impossible IF infected by an ONLINE KEY without paying the criminals for that victim’s specific private key...these keys are unique for each victim and randomly generated in a secure manner. Emsisoft cannot help decrypt files encrypted with the ONLINE KEY due to the type of encryption used by the criminals and the fact that there is no way to gain access to the criminal's command server and retrieve this KEY. Therefore, ONLINE IDs are NOT supported by the Emsisoft Decryptor for new STOP (Djvu) versions if infected with an ONLINE KEY.
Some victims have files encrypted by both an OFFLINE KEY and an ONLINE KEY due to the malware running multiple times and making repeated attempts to get an ONLINE KEY, sometimes successfully communicating with the command and control server, sometimes failing to communicate and resorting to using an OFFLINE KEY. In such scenarios the Emsisoft Decryptor will only decrypt those files encrypted with the OFFLINE KEY.
The Emsisoft Decryptor will also tell you if your files are decryptable, whether you're dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is ONLINE or OFFLINE.
In regards to new variants of STOP (Djvu) Ransomware...decryption of data requires an OFFLINE ID with corresponding private key. Emsisoft can only get a private key for OFFLINE IDs AFTER a victim has PAID the ransom, receives a key and provides it to them so the key can be added to their database. Emsisoft has obtained and uploaded to their server OFFLINE IDs for many (but not all) of the new STOP (Djvu) variants as noted in Post #9297 and elsewhere in the support topic.
There is no timetable for when or if a private key for an OFFLINE ID will be recovered and shared with Emsisoft for any variant and no announcement by Emsisoft when they are recovered due to victim confidentiality. In fact many private OFFLINE KEYS are NEVER recovered and in most cases it's several months later when they are.
** If there is no OFFLINE ID for the variant you are dealing with, we cannot help you unless a private key is retrieved and added to the Emsisoft server / decryptor. If you run the Emsisoft Decryptor for a new variant with an OFFLINE ID which has not been recovered, the decrypter will indicate the following "error" under the Results Tab.
Error: No key for New Variant offline ID: ***************************t1
Notice: this ID appears to be an offline ID, decryption MAY be possible in the future.
That means for now, the only other alternative to paying the ransom, is to backup/save your encrypted data as is and wait for possible future recovery of a private key for an OFFLINE ID.
If an OFFLINE ID is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you most likely were encrypted by an ONLINE KEY and those files are not recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key. Again, ONLINE IDs for new STOP (Djvu) variants are not supported by the Emsisoft Decryptor.
If you run the Emsisoft Decryptor for a new variant with an ONLINE ID, the decryptor will indicate there is "no key" under the Results Tab and note it is impossible to decrypt.
Error: No key for New Variant online ID ***************************
Notice: this ID appears to be an online ID. decryption is impossible
That means for now, if your files were encrypted with an ONLINE KEY, the only other alternative to paying the ransom, is to backup/save your encrypted data as is and wait for a possible future solution.
There are older STOP (DJVU) variants which are not decryptable. The Emsisoft decrypter is able to identify Old Variant IDs which it is unable to decrypt and note that under the Results Tab just as it does with new STOP (DJVU) variants which are not decryptable.
Unable to decrypt Old Variant ID: *************************** First 5 bytes: *************
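When the decryptor has run over many files, the three Results Tab messages quoted above can be grouped per ID to see which case applies, including the mixed OFFLINE/ONLINE situation. The following is an added example, not part of the original post or of Emsisoft's tooling; it assumes the Results text has been copied into a string, and the sample log, IDs and byte values in it are constructed placeholders.

```python
import re

# Message shapes quoted on this page. The colon after "ID" is optional
# because the page shows the online message without one.
PATTERNS = [
    ("new-offline", re.compile(r"No key for New Variant offline ID:?\s*(\S+)")),
    ("new-online", re.compile(r"No key for New Variant online ID:?\s*(\S+)")),
    ("old-undecryptable", re.compile(
        r"Unable to decrypt Old Variant ID:?\s*(\S+)\s+First 5 bytes:\s*(.+)$")),
]

def summarize(log_text):
    """Group Results-tab lines by ID: kind, hit count, first-5-byte values."""
    summary = {}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                entry = summary.setdefault(
                    m.group(1), {"kind": kind, "count": 0, "first5": set()})
                entry["count"] += 1
                if kind == "old-undecryptable":
                    entry["first5"].add(m.group(2).strip())
                break
    return summary

def mixed_keys(summary):
    """True when both offline and online IDs appear (malware ran repeatedly)."""
    kinds = {e["kind"] for e in summary.values()}
    return {"new-offline", "new-online"} <= kinds

def suffix_disagrees(summary):
    """IDs where the 't1' rule of thumb contradicts the decryptor's verdict."""
    return sorted(
        vid for vid, e in summary.items()
        if e["kind"].startswith("new-")
        and vid.endswith("t1") != (e["kind"] == "new-offline"))

# Constructed sample; IDs and byte values are placeholders, not real ones.
SAMPLE_LOG = """\
Error: No key for New Variant offline ID: PLACEHOLDEROFFLINEID000000000000000000t1
Notice: this ID appears to be an offline ID, decryption MAY be possible in the future.
Error: No key for New Variant offline ID: PLACEHOLDEROFFLINEID000000000000000000t1
Error: No key for New Variant online ID PLACEHOLDERONLINEID000000000000000000000
Notice: this ID appears to be an online ID. decryption is impossible
Unable to decrypt Old Variant ID: PLACEHOLDEROLDID First 5 bytes: FFD8FFE000
"""

if __name__ == "__main__":
    for vid, e in summarize(SAMPLE_LOG).items():
        print(vid, e["kind"], e["count"], sorted(e["first5"]))
```

The "t1" suffix is only the rule of thumb given above ("generally ends in t1"), so `suffix_disagrees` lists IDs worth a second look rather than overriding the decryptor's own classification.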