Kevin Zoll

Emsisoft Employee
  • Content Count

    18784
  • Joined

  • Last visited

  • Days Won

    177

Posts posted by Kevin Zoll


  1. Hello @Aravind,

    Thank you for contacting Emsisoft Support.

    That file extension belongs to the STOP/DJVU (New Variant) family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that private encryption key can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the STOP/DJVU (New Variant) family of ransomware.

    General Notes With Regards to STOP/DJVU

     

    1. Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
    2. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
    3. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    4. If your files have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.  Our ability to add private encryption keys for Online IDs depends entirely on law enforcement agencies arresting the criminals and releasing their database of private keys for inclusion in decryption tools.
    5. If your files have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way to generate your decryption key.  When we do get a hold of an encryption key matching an Offline ID it will be added to our database of Private Encryption Keys.
    6. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    7. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.

     

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  2. Hello,

    You have far too many antivirus applications installed.  You should have one and one antivirus installed.  Though there may not appear to be conflicts there will be performance issues cause by each application competing for the same resources.

    Your FRST logs are incomplete.  Changing tools.

    Download AdwCleaner and save it on your Desktop.

    1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
    2. Double click on adwcleaner.exe to run the tool.
    3. Click on the Scan button.
    4. After the scan has finished, click on the Clean button.
    5. Confirm each time with OK.
    6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop.
    7. Attach that log file to your reply.

     

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.


  3. Hello @masoudkhsh,

     

    Welcome to the Emsisoft Support Forums.

     

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your files have an Online ID that means that the files encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.  Our ability to add private encryption keys for Online IDs depends entirely on law enforcement agencies arresting the criminals and releasing their database of private keys for inclusion in decryption tools.
    3. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  4. Hello,

     

    Welcome to the Emsisoft Support Forums. Please read the entire instructions below. Yes, they are a bit lengthy and contain necessary administrative instructions as well as technical instructions.

     

    All users of the Emsisoft Support Forums who are in need of Malware Removal assistance are required to complete the procedures listed below:

     

    NOTE: You will want to print these instructions for reference, as you will perform all scans with all browsers closed.

     

    The majority of our support staff work Monday-Friday. We try very hard to answer all posts within 24-hours of the posting, but be aware that if you post anytime in the late afternoon or evening on Friday, or anytime on Saturday or Sunday, you will not receive an answer until Monday. Also, be aware that our support technicians may not be in the same time zone as you, therefore there could be several hours difference between when you post and the technician working your support case is available.

     

    The below guidelines are for the Help, my PC is infected! Support Forum. They are intended to help you provide the technician, working your thread, with enough information to start formulating a plan to clean your machine; and for you to leave the Emsisoft Support Forums with a safe, secure, functioning computer.

    • Emsisoft does not condone the use of Pirated/Illegal software. If such software is found on your computer, the technician assisting you will insist that the Pirated/Illegal software be removed. We reserve the right to refuse help to anyone who is unwilling to uninstall Pirated/Illegal software
    • We insist that anyone receiving help, here at the Emsisoft Support Forums, install an Anti-Malware program at a minimum to protect their system.
    • Start only one thread requesting help. Keep all your questions in your thread. DO NOT start a new topic.
    • If you don't know, stop and ask! Don't keep going on.
    • Continue to respond until you are given "All Clear" (Just because you can't see a problem doesn't mean it isn't there)
    • Once your case has been solved, the thread will be closed.
    • Your thread will be closed after 72-hours of no activity.
    • DO NOT use any form of Haxor, Leetspeak, Netspeak, IM speak and such in any postings on this forum. Use only proper spelling, grammar, punctuation, and capitalization. The more time the person helping you has to spend trying to figure out what you are saying, the longer it will take them to formulate a response.
    • DO NOT post any logs without first completing the steps in this guide, they will be deleted.
    • DO NOT copy and paste logs into your threads. All logs are to be attached to your post.

     

    Download to your Desktop:

     

    NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

     

    NOTE: If you are unable to download the tools from the infected system, the tools can be saved to and run from a USB flash drive.

     

    All scans are to be run in Normal Mode.

     

    WARNING: The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

     

    Let's get started:

     

    • Install and Run Emsisoft Emergency Kit (EEK):

     

    IMPORTANT If you have Emsisoft Anti-Malware (EAM) Installed do not install and use EEK. Instead run a custom scan with EAM and provided the EAM Scan report.

     

      • Double click EmergencyKitScanner.exe to install EEK
      • When the installation of EEK is complete the Emergency Kit scanner will run. NOTE: Make sure to enable PUPs detection.
      • Click "Yes" to Update Emsisoft Emergency Kit
      • Under "Scan" click-on "Malware Scan". IMPORTANT: Do not quarantine or delete anything. We just want the scan log without anything being quarantined or deleted.
      • Save the scan log somewhere that you can find it.
      • Exit Emsisoft Emergency Kit.
    • Run Farbar Recovery Scan Tool (FRST):
      • Double-click to run it. When the tool opens click Yes to the disclaimer. NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings.
      • Press the Scan button.
      • Farbar Recovery Scan Tool will produce the following logs:
        • FRST.txt
        • Addition.txt
    • Attach the following logs to your reply:
      • Emsisoft Emergency Kit log (C:\EEK\Reports)
      • FRST.txt
      • Addition.txt

     

    IMPORTANT NOTE: Any logs that are copied and pasted to a post will be removed from the post without being read. Do not alter or change the logs in any way.

     

    Once a Malware Removal Specialist has replied to your request for malware removal, they will handle your case from start to finish. You will have 72 hours to reply to any instructions given by the Malware Removal Specialist handling your case. Failure to comply with requests for information or instructions from the Malware Removal Specialist handling your case will result in the locking of your thread.


  5. Hello @Ramesh Vashishth,

    Thank you for contacting Emsisoft Support.

    That file extension belongs to the STOP/DJVU (New Variant) family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that private encryption key can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the STOP/DJVU (New Variant) family of ransomware.

    General Notes With Regards to STOP/DJVU

     

    1. Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
    2. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
    3. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    4. If your files have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.  Our ability to add private encryption keys for Online IDs depends entirely on law enforcement agencies arresting the criminals and releasing their database of private keys for inclusion in decryption tools.
    5. If your files have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way to generate your decryption key.  When we do get a hold of an encryption key matching an Offline ID it will be added to our database of Private Encryption Keys.
    6. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    7. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.

     

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  6. Hello @Roman21,

     

    Welcome to the Emsisoft Support Forums.

     

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your files have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.  Our ability to add private encryption keys for Online IDs depends entirely on law enforcement agencies arresting the criminals and releasing their database of private keys for inclusion in decryption tools.
    3. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  7. Hello @Ajay72,

    Thank you for contacting Emsisoft Support.

    That file extension belongs to the STOP/DJVU (New Variant) family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that private encryption key can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the STOP/DJVU (New Variant) family of ransomware.

    General Notes With Regards to STOP/DJVU

     

    1. Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
    2. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
    3. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    4. If your files have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.  Our ability to add private encryption keys for Online IDs depends entirely on law enforcement agencies arresting the criminals and releasing their database of private keys for inclusion in decryption tools.
    5. If your files have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way to generate your decryption key.  When we do get a hold of an encryption key matching an Offline ID it will be added to our database of Private Encryption Keys.
    6. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    7. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.

     

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  8. Hello @Aaditya,

    Thank you for contacting Emsisoft Support.

    That file extension belongs to the STOP/DJVU (New Variant) family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that private encryption key can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the STOP/DJVU (New Variant) family of ransomware.

    General Notes With Regards to STOP/DJVU

     

    1. Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
    2. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
    3. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    4. If your files have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    5. If your files have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way to generate your decryption key.  When we do get a hold of an encryption key matching an Offline ID it will be added to our database of Private Encryption Keys.
    6. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    7. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.

     

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  9. Thread Closed

     

    Reason: Lack of Response

     

    PM either Kevin, or Arthur to have this thread reopened.

     

    The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

     

    All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread


  10. Hello @Mücahit Erdem,

     

    Welcome to the Emsisoft Support Forums.

     

    General Notes With Regards to STOP/DJVU

     

    1. Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
    2. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
    3. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    4. If your files have an Online ID that means that the files encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    5. If your files have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    6. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    7. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    8. Old Variant STOP/DJVU.  If our decryption tool cannot decrypt the files, submit file pairs to https://decrypter.emsisoft.com/submit/stopdjvu/
    9. Old Variant STOP/DJVU.  The decrypter can't decrypt all of my pictures even though I submitted file pairs for them? JPEG/JPG images have a format oddity that causes file pairs to be specific to each source of pictures, rather than the file format in general. As an example, if you have pictures from two different cameras, and submit a file pair from the group of pictures from one of the cameras, then the decrypter will only be able to decrypt files from the camera that the file pair came from. In order to decrypt all JPEG/JPG images, you will need to submit file pairs from every source you've obtained those pictures from.

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  11. Hello @tri bagus

    Thank you for contacting Emsisoft Support.

    NPPP is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the NPPP variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

     

    1. Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
    2. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
    3. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    4. If your files have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    5. If your files have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    6. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    7. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.

     

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  12. Hello @Jonathan Lianlian,

     

    Welcome to the Emsisoft Support Forums.

     

    General Notes With Regards to STOP/DJVU

     

    1. Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
    2. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
    3. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    4. If your files have an Online ID that means that the files encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    5. If your files have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    6. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    7. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    8. Old Variant STOP/DJVU.  If our decryption tool cannot decrypt the files, submit file pairs to https://decrypter.emsisoft.com/submit/stopdjvu/
    9. Old Variant STOP/DJVU.  The decrypter can't decrypt all of my pictures even though I submitted file pairs for them? JPEG/JPG images have a format oddity that causes file pairs to be specific to each source of pictures, rather than the file format in general. As an example, if you have pictures from two different cameras, and submit a file pair from the group of pictures from one of the cameras, then the decrypter will only be able to decrypt files from the camera that the file pair came from. In order to decrypt all JPEG/JPG images, you will need to submit file pairs from every source you've obtained those pictures from.

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  13. @Rinoy

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. Old Variant STOP/DJVU.  If our decryption tool cannot decrypt the files, submit file pairs to https://decrypter.emsisoft.com/submit/stopdjvu/
    7. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

     


  14. 3 hours ago, sibu sharma said:

    i tried your decryption tool and its not working

    That is pretty vague.  What do you mean by it is not working?

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. Old Variant STOP/DJVU.  If our decryption tool cannot decrypt the files, submit file pairs to https://decrypter.emsisoft.com/submit/stopdjvu/
    7. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  15. Hello @SS726529

    Thank you for contacting Emsisoft Support.

    KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  16. Hello @potterlolo

    Thank you for contacting Emsisoft Support.

    OOSS is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the OOSS variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  17. Hello @Geraldreeves Dawn

    Thank you for contacting Emsisoft Support.

    ROOE is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the ROOE variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  18. Hello @Rohit chopra

    Thank you for contacting Emsisoft Support.

    DOMN is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the DOMN variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  19. Hello @AbleTech,

     

    Welcome to the Emsisoft Support Forums.

     

    If it is Dharma, then decryption is not possible.

     

    Let's make sure of what we're dealing with.

     

    Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides:

     

    https://www.emsisoft.com/ransomware-decryption-tools/

     

    Please be sure to read the information link on the results page, as to whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

     

    If the identification process shows ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.


  20. Hello @Anonymous1,

     

    Welcome to the Emsisoft Support Forums.

     

    Your files cannot be decrypted.

     

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. Old Variant STOP/DJVU.  If our decryption tool cannot decrypt the files, submit file pairs to https://decrypter.emsisoft.com/submit/stopdjvu/
    7. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  21. Hello @hailmaiden

    Thank you for contacting Emsisoft Support.

    ALKA is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that private encryption key can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the ALKA variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  22. Hello @Mr.Sate

    Thank you for contacting Emsisoft Support.

    REHA is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the REHA variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

     

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
    2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
    3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
    6. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.