Eng_Chetan

Ransomware attack - (.DJVUR)


My PC got affected on 5-Jan 2019 evening with this ransomware ".DJVUR" and all media files (JPG, PDF, MP4, MS Office etc.) got affected with a change in extension. I tried everything possible to remove the ransomware. My PC was creating a lot of issues so I got it formatted, and now I am left with the encrypted files, most of them my personal photos, videos and reading material. I am looking for a suitable decryptor to recover my files. Please help me to recover my data.

Thanks in advance


me too... my PC on 5-Jan 2019 morning got this ransomware

it's the first time I got this kind of bad virus, and some of my files were encrypted with the .djvur extension

especially the books and multimedia, and some rar and iso

I was able to stop it by formatting my PC, but I still have those files encrypted, with an _openme.txt note file

any idea how to decrypt the files, even maybe with a tool ---- I need to rescue these files


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


job done, here you are sir:

https://id-ransomware.malwarehunterteam.com/identify.php?case=f267a9e1718ebfe18e19bf9956fd9b2c7a744c70

I hope you find help for us

if you need anything just ask

also... I think this is the infected file:

http://snowfiles.com/tyubog90pdyk

be careful, don't download and use this file on your PC, it will destroy your data with .djvur encryption

only use it in a restricted machine ----------- let me know if anything new is found

Edited by GT500
Made link non-clickable.


That link is to one of those obnoxious download sites that hides the real download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

20 hours ago, GT500 said:

That link is to one of those obnoxious download sites that hides the real download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

no -- it works fine, but it has some stupid ads

you must click the blue button until it stops showing ads, then you can download it

also, be careful again: run it on a restricted PC or VM

1 hour ago, imdead said:

you must click the blue button until it stops showing ads then you can download it

One of our malware analysts already did that, and the downloaded file did not appear to be ransomware.

https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

I found djvur from here.

Edited by GT500
Made link non-clickable.

15 hours ago, askkali said:
https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

I found djvur from here.

Thank you. I have forwarded that to our malware analysts so that they can take a look at it. I'll let you know if they find anything useful.


It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935


if anyone has an infected setup file or .exe file with this kind of ransom ****, share it with us here or paste the link

I'm proud to check it

2 hours ago, imdead said:

if anyone has an infected setup file or .exe file with this kind of ransom ****, share it with us here or paste the link

I'm proud to check it

We discourage sharing of potentially malicious files with others on these forums. It's best to upload things to VirusTotal, and send a link to the analysis to us. Or to send them to us privately.

On 1/15/2019 at 1:15 AM, GT500 said:

It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

Thanks for this info. I have now sent him my info


Just so that everyone knows, Michael Gillespie is still working on analyzing the encryption method of the ransomware. There appears to be some conditions under which it might be decryptable, and if he can find a way to help with recovery of files then he will more than likely let me know (or BleepingComputer will announce it in their news).

8 hours ago, Bikash586 said:

Hi,

My PC got infected with the DJVUT extension. Is there any solution to get rid of it? Since I formatted my PC I am left with this extension. Hope I will get help from this site.

01 - Track.MP3.djvut

_openme.txt

I think it is another variant of STOP ransomware, but this topic is about djvur only

hmmm. If they found a way to break djvur then that might work with yours too ----- be patient


Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

12 hours ago, GT500 said:

Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

it doesn't work for me... Unfortunately it doesn't accept my ID

how to send my ID to him... maybe he found a key for me


Good afternoon. My computer was infected by a Djvu ransomware virus that infected my secondary (slave) HDD and encrypted all of it; on it are documents and photos of my wife and of relatives who have already passed away, as well as programs for personal work use. I downloaded Emsisoft Security Center because on other sites I was told that my problem would be solved here.

The C: drive I had to format because it was giving a blue screen with a memory stack error.

Thanks in advance for helping me; this came after my nephew installed a program for online games.

This virus created several files (_openme.txt) and extensions (.tfudeq), and I thought I had lost everything until I got here. The _openme.txt text file contains the following:

---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://files.danwin1210.me/uploads/01-2019/Decrypt%20Software%20Overview.avi
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.

---------------------------------------------------------------------------------------------------------------------------


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0256se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

1.png

PQAAAAE_4QklfD5E6VOWjQqFXXTewMZ6zHF7lnUYUkQjleC4PWDZZWejOAXsDiyAs08oI_iywHhMa5mQ1DgwFl3z9isAm1T1UKd2WeEZ7WakI0nCUNYutCwnBEbN.jpg.tfudeq

_openme.txt

eu e mozão.jpg.tfudeq


@washingtonbg If you don't know English, then feel free to run this through Google Translate or Bing Translator:
https://translate.google.com/
https://www.bing.com/translator

If the ransomware was unable to contact its Command and Control servers when your files were encrypted, then it is possible to recover the files with Michael Gillespie's STOP decrypter. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-23#entry4668025

Please be sure to read those carefully before trying the decryption tool.

Hi GT500,

Here is my sample infected file by djvur.

https://www.mediafire.com/file/patwxtnkw7i5ihn/_DSC1088.JPG.djvur/file

Thanks.


@ren normally I would recommend uploading a copy of the ransom note and an encrypted file to ID Ransomware in order to verify which ransomware you're dealing with, however I would believe that the "djvur" extension was only used by one of the Djvu variants of the STOP ransomware. Go ahead and follow the instructions in this post to download and run STOPDecrypter to see if it can decrypt your files. If it can't find a key for you, then it will tell you your ID and MAC, which you can paste in a reply and I can forward to Michael Gillespie (the creator of STOPDecrypter) so that he can archive your information in case he is able to figure out your decryption key at some point in the future.

Hi GT500,

Hope you could help me, my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

Thanks a lot..

5 hours ago, ren said:

Hi GT500,

Hope you could help me my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

Thanks a lot..

We would need the MAC addresses of the network devices on the infected computer as well. There's a batch file that can get them for you. Just download and open the ZIP archive at the following link:
https://www.gt500.org/emsisoft/MAC_Address_Batch_File.zip

After opening it, a folder will appear with a file named Get_MAC_Addresses. Just double-click on that file, and a black window will appear and disappear. Once that black window disappears, you will have a new file on your Desktop called MAC_Addresses. Just attach that "MAC_Addresses" file to a reply.

BTW: If you were using some sort of mobile WiFi/mobile broadband connection when your files were encrypted, then make sure it is at least connected to the computer when you run the "Get_MAC_Addresses" batch file.

5 minutes ago, ren said:

Here it is MAC: 30:9C:23:0D:68:F7

Thanks

Only one MAC address? If you have more than one network adapter, and that's the wrong MAC address, then it more than likely won't be possible to figure out your decryption key.

Admittedly it's late enough that the odds of being able to figure out the decryption key are low to begin with, however there's still a small chance as long as we have the correct MAC address.

I just reformatted my computer. Here it is, I tried it again.

Here it is MAC: 30:9C:23:0D:68:F7

my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

Get_MAC_Addresses.7z

Thanks a lot.


MAC addresses of network adapters don't change after reformatting, so that MAC address is the same as the one you sent before.

Did you run the batch file? You keep attaching the batch file to your replies, and not the "MAC_Addresses" file it saves on your Desktop.

Here it is, from the notepad, sir.

Connection Name Network Adapter Physical Address    Transport Name                                            
=============== =============== =================== ==========================================================
Ethernet        Realtek PCIe GB 30-9C-23-0D-68-F7   \Device\Tcpip_{1D4A9C9D-AD18-45DE-9A68-40F3D31B26E5}      

Thanks.


OK, thanks. I already sent your information to the creator of STOPDecrypter, so he's archived it in case he's able to figure out your decryption key in the future.

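The three things GT500 asks victims to collect in the exchange above (the personal ID from the _openme.txt note, the adapter MAC addresses from the getmac output, and which files carry the appended extension) can be gathered with a short script. The following is an added example written for this thread; it is not GT500's Get_MAC_Addresses batch file and not Emsisoft's or Michael Gillespie's tooling. It assumes the note and the `getmac /v` output have been saved as text; the sample note, getmac output, file names, ID and MAC values embedded in it are constructed placeholders, and the only extensions it knows are the ones named in this thread (.djvur, .djvut, .tfudeq).

```python
"""Triage helper for a STOP/Djvu-style incident.

Added example for this thread (not GT500's Get_MAC_Addresses batch file and not
Emsisoft's or Michael Gillespie's tooling). It collects the items the thread asks
victims to report: the personal ID from the _openme.txt note, the adapter MAC
addresses from `getmac /v` output, and an inventory of files carrying one of the
appended extensions seen in the thread. All sample inputs below are constructed.
"""
import json
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extensions mentioned in this thread; extend with whatever the current note shows.
KNOWN_EXTENSIONS = {".djvur", ".djvut", ".tfudeq"}

# Constructed sample note in the layout quoted above; the ID is a placeholder.
SAMPLE_NOTE = """\
---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------

Don't worry, you can return all your files!
Price of private key and decrypt software is $980.

Your personal ID:
EXAMPLEID0123456789abcdefghijklmnopqrstuv
"""

# Constructed sample of `getmac /v` output in the layout pasted above; MACs are placeholders.
SAMPLE_GETMAC = """\
Connection Name Network Adapter Physical Address    Transport Name
=============== =============== =================== ==========================================================
Ethernet        Realtek PCIe GB 00-11-22-33-44-55   \\Device\\Tcpip_{00000000-0000-0000-0000-000000000000}
Wi-Fi           Intel(R) Wirele AA-BB-CC-DD-EE-FF   Media disconnected
"""

# Constructed file names showing the "original.ext.<ransom-ext>" pattern from the thread.
SAMPLE_FILES = [
    r"C:\Users\victim\Pictures\_DSC1088.JPG.djvur",
    r"C:\Users\victim\Pictures\eu e mozão.jpg.tfudeq",
    r"C:\Users\victim\Music\01 - Track.MP3.djvut",
    r"C:\Users\victim\Pictures\_openme.txt",
]

# Six hex pairs joined by '-' (getmac) or ':' (as people usually retype them).
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}\b")


def extract_personal_id(note_text):
    """Return the token after 'Your personal ID:' in the note, or None if absent."""
    m = re.search(r"Your personal ID:\s*(\S+)", note_text)
    return m.group(1) if m else None


def normalize_mac(mac):
    """Canonical form: upper-case, colon-separated (getmac prints dashes)."""
    return mac.upper().replace("-", ":")


def extract_macs(getmac_output):
    """Return every distinct MAC in getmac output, normalized, in order of appearance.
    The GUID in the Transport Name column never matches because its hex runs are not
    split into 2-character pairs."""
    macs = []
    for m in MAC_RE.finditer(getmac_output):
        mac = normalize_mac(m.group(0))
        if mac not in macs:
            macs.append(mac)
    return macs


def inventory_encrypted(paths, extensions=KNOWN_EXTENSIONS):
    """Count files per appended extension and recover the pre-encryption names.
    Only the final suffix is stripped, so 'photo.JPG.djvur' -> 'photo.JPG'."""
    by_ext = Counter()
    originals = []
    for p in paths:
        wp = PureWindowsPath(p)
        ext = wp.suffix.lower()
        if ext in extensions:
            by_ext[ext] += 1
            originals.append(str(wp.with_suffix("")))
    return by_ext, originals


def build_report(note_text, getmac_output, paths):
    """Bundle everything a helper would need to forward for key archiving."""
    by_ext, originals = inventory_encrypted(paths)
    return {
        "personal_id": extract_personal_id(note_text),
        "mac_addresses": extract_macs(getmac_output),
        "encrypted_by_extension": dict(by_ext),
        "original_names": originals,
    }


if __name__ == "__main__":
    # With real data: read _openme.txt and the saved `getmac /v > MAC_Addresses.txt` output instead.
    print(json.dumps(build_report(SAMPLE_NOTE, SAMPLE_GETMAC, SAMPLE_FILES), indent=2, ensure_ascii=False))
```

MAC addresses are normalized to the colon form because the thread shows both spellings (getmac prints 30-9C-..., the poster retyped it as 30:9C:...), and every adapter found is reported, since GT500 notes that the wrong one of several adapters makes key recovery unlikely. Only the last extension is stripped when recovering names, so the real file type (JPG, MP3) is kept for later checking of decrypted output.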

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

