Kevin Zoll

@Hankash You can try using file recovery software, but expect it not to work. Depending on how much free space you have on your hard drive and the number of files that were encrypted it is entirely possible that any information referencing the original files in the file table has been overwritten and is not recoverable. Google search for file recovery software: https://www.google.com/search?client=firefox-b-1-d&q=file+recovery+software Google search for file recovery services: https://www.google.com/search?client=firefox-b-1-d&sxsrf=ACYBGNSlNFFV6G2BIbARhVNhb18Tter8UA%3A1579285173036&ei=tfohXpnrAcvbtAbfvbLQBA&q=file+recovery+services&oq=file+recovery+services&gs_l=psy-ab.3..0j0i22i30l7.76551.78286..79147...0.6..0.220.1201.0j7j1......0....1..gws-wiz.......0i71j0i67.9gMOHjKNupk&ved=0ahUKEwjZmfPdn4vnAhXLLc0KHd-eDEoQ4dUDCAo&uact=5 A word of caution file/data recovery services can be quite expensive. Another option is using a service like coveware to negotiate a lower ransom on your behalf. https://www.coveware.com/

Hello @GIAN, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019. Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation. While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation. Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice. choice.

Given enough time and resources, anything is possible. However, even the strongest super computer in use today will not be able to figure out the encryption key anytime in the next couple hundred thousand years.

Hello @wpuerta, Welcome to the Emsisoft Support Forums. The ID you supplied is an online ID, meaning that the files cannot be decrypted. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.

Hello @Hankash, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019. Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation. While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation. Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice. choice.

Hello @Shenouda, Welcome to the Emsisoft Support Forums. Your ID is an online ID, and as such we are incapable of decrypting the files. Unless, someone releases the private encryption keys, whether that be law enforcement, security researchers, or the criminals, then there is no way to decrypt the files at this time.

All of what you describe can be done without disabling the AV. If disabling the AV is necessary because it trips on the driver, then were right back to my original statement. The problem is no the AV but the buggy driver and crappy coding. The advice to disable the AV is outdated and simply irresponsible of the party making the recommendation. Companies resort to that type of recommendation because they are too lazy to chase down the offending code and fix their code base.

There is always the possibility that anti-virus software can interfere with an update. Disabling the AV should be that last thing you do and only as a last resort. Anybody who suggests disabling the AV before installing the update is covering the fact that their coders write crappy code, that will trigger an AV because, well it is crappy code.

Hello @Jailson, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019. Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation. While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation. Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice. choice.

Hello @japowell11, Welcome to the Emsisoft Support Forums. Let's make sure of what we're dealing with. Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides: https://www.emsisoft.com/ransomware-decryption-tools/ Please be sure to read the information link on the results page, as whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery. You might try undelete software such as Recuva from Piriform, or if your files are very important, it may be worth talking to a company that specializes in negotiating with the criminals that created the ransomware, such as Coveware, at https://www.coveware.com/. They are one of the few companies that do this completely transparently and honestly. If the identification process shows a ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.

Hello @meet, Welcome to the Emsisoft Support Forums. If our decrypter was unable to determine the encryption keys for your encrypted files, then there is no way to decrypt the files without paying the ransom. Which is not something we recommend you do, unless you have no other choice.

Hello @Sharon7262, Welcome to the Emsisoft Support Forums. The ID is an online ID. Unfortunately, that means we cannot decrypted the files. Because STOP(DJVU) is know to installed additional malware on the system I would like to get two scan reports from a third-party tool we use to help with diagnosing issues with systems. Download to your Desktop: Farbar Recovery Scan Tool NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive. Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer. NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings. Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt Addition.txt

Hello @mopettit, Welcome to the Emsisoft Support Forums. No, we do not make a Mac OS version of our software are currently do not have plans to support Apple devices.

@Jana519 We have published version 1.0.0.2 of the STOPdjvu decrypter that resolves the issue of it not running. You can download the new decrypter from https://www.emsisoft.com/ransomware-decryption-tools/download/stop-djvu

That private key is only good for the files of the victim who paid the ransom. Every victim has a private key and in some cases private keys are generated for each file. You cannot use a private key that was generated for a different system to decrypt your files.