Ransomware attack - (.DJVUR)

[Eng_Chetan 0]

My PC got affected on 5-Jan 2019 evening with this ransomware ".DJVUR"n ad all media files (JPG, PDH, MP4, MS Office etc) got affected with change in extension. I tried everything possible to remove the Ransomware. My PC was creating lot of issues so I got it formatted and Now I am left with the encrypted files most of them is my personal photos, videos and reading material. I am looking for suitable decryptor to recover my files. Please help me to recover back my data.

Thanks in advance

[imdead 0]

me too...my PC on 5 -Jan 2019 morning got this ransomware

its  the first time i got this kind of bad virus - and some of my files encrypted with .djvur extension

specially the books and multimedia and some rar and iso

i could able to stop it by formatting my PC but i still have those files encrypted with _openme.txt note file

any idea how to decrypte the files even maybe with a tool ----i need to rescue this files

[GT500 564]

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

[imdead 0]

job done here you are sir:

https://id-ransomware.malwarehunterteam.com/identify.php?case=f267a9e1718ebfe18e19bf9956fd9b2c7a744c70

i hope you find help for us

if you need anything just ask

also ...i think this is the infected file:

http://snowfiles.com/tyubog90pdyk

be careful don't download and use this file on your PC it will destroy your data with .djvur encryption

only use it in a restricted machine-----------let me know if anything new found

Edited January 8 by GT500
Made link non-clickable.

[GT500 564]

That link is to one of those obnoxious download sites that hides the read download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

[imdead 0]

20 hours ago, GT500 said:

That link is to one of those obnoxious download sites that hides the read download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

no --it works fine .but it has some stupid ads

you must click the blue button until it stops showing ads then you can download it

also be careful a gain run it on a restricted PC or vm

[GT500 564]

1 hour ago, imdead said:

you must click the blue button until it stops showing ads then you can download it

One of our malware analysts already did that, and the downloaded file did not appear to be ransomware.

[askkali 0]

https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

 

i found djuvr from here.

Edited January 10 by GT500
Made link non-clickable.

[GT500 564]

15 hours ago, askkali said:

https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

 

i found djuvr from here.

Thank you. I have forwarded that to our malware analysts so that they can take a look at it. I'll let you know if they find anything useful.

[infecteddjvur 0]

hi,

 

is there any update on this ransomware .djvur? anyway to decrypt the file?

 

[infecteddjvur 0]

i have uploaded a sample file 

 

https://id-ransomware.malwarehunterteam.com/identify.php?case=d32adb657034fd2e416b4b7f28aa7d5fcd9d69bc

[GT500 564]

It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

[imdead 0]

if any one has an infected setup file or .exe file with this kind of ransom **** share it with us here or paste the link

I'm proud to check it

[GT500 564]

2 hours ago, imdead said:

if any one has an infected setup file or .exe file with this kind of ransom **** share it with us here or paste the link

I'm proud to check it

We discourage sharing of potentially malicious files with others on these forums. It's best to upload things to VirusTotal, and send a link to the analysis to us. Or to send them to us privately.

[nemo74 0]

On ‎1‎/‎15‎/‎2019 at 1:15 AM, GT500 said:

It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

Thanx for this info.. I have now sent him my info

[GT500 564]

Just so that everyone knows, Michael Gillespie is still working on analyzing the encryption method of the ransomware. There appears to be some conditions under which it might be decryptable, and if he can find a way to help with recovery of files then he will more than likely let me know (or BleepingComputer will announce it in their news).

[Bikash586 0]

Hi ,

My PC got infected  with DJVUT extension  is there any solution to get rid of it . Since I formatted  my PC   I am left with with  this extension . Hope I will get  help from this site.

01 - Track.MP3.djvut

_openme.txt

[imdead 0]

8 hours ago, Bikash586 said:

Hi ,

My PC got infected  with DJVUT extension  is there any solution to get rid of it . Since I formatted  my PC   I am left with with  this extension . Hope I will get  help from this site.

01 - Track.MP3.djvut

_openme.txt

i think it is another variant of stop ransomware but this topic about djvur only

hmmm.if they found a way to break djvur then that might work with your too-----be patient

[GT500 564]

Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

[imdead 0]

12 hours ago, GT500 said:

Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

it doesn't work for me... Unfortunately it doesn't accept my id

how to send my id to him...maybe he  found a key for me

[GT500 564]

You can contact Michael privately on BleepingComputer, Twitter, or on our forums:
https://www.bleepingcomputer.com/forums/u/726225/demonslay335/
https://twitter.com/demonslay335
https://support.emsisoft.com/profile/44427-demonslay335/

[imdead 0]

20 hours ago, GT500 said:

You can contact Michael privately on BleepingComputer, Twitter, or on our forums:
https://www.bleepingcomputer.com/forums/u/726225/demonslay335/
https://twitter.com/demonslay335
https://support.emsisoft.com/profile/44427-demonslay335/

yes-- i send him samples....may be he will find a solution

[washingtonbg 0]

Boa tarde tive meu computador infectado por um vírus ransomware Djvu que infectou meu HD escravo e criptografando ele todo, onde tem  nele documentos e fotos de minha esposa e familiares ja falecido e programas de uso pessoal de trabalho. Baixei o Emisoft Security Center pois em outros sites me disseram que aqui resolveria meu problema.

A unidade C: tive que formatar pois estava dando tela azul erro de pilhagem de memória.

Desde já agradeço por me ajudarem pois isso veio depois que meu sobrinho instalou programa para jogos online

Este vírus criou vários arquivos ( _openme.txt) e extensões (.tfudeq) no qual achei que perdi tudo até chegar aqui. No bloco de texto _openme.txt segue isso

 

---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://files.danwin1210.me/uploads/01-2019/Decrypt%20Software%20Overview.avi
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.

---------------------------------------------------------------------------------------------------------------------------

To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0256se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

 

Download Image

PQAAAAE_4QklfD5E6VOWjQqFXXTewMZ6zHF7lnUYUkQjleC4PWDZZWejOAXsDiyAs08oI_iywHhMa5mQ1DgwFl3z9isAm1T1UKd2WeEZ7WakI0nCUNYutCwnBEbN.jpg.tfudeq

_openme.txt

eu e mozão.jpg.tfudeq

[GT500 564]

@washingtonbg If you don't know English, then feel free to run this through Google Translate or Bing Translator:
https://translate.google.com/
https://www.bing.com/translator

If the ransomware was unable to contact its Command and Control servers when your files were encrypted, then it is possible to recover the files with Michael Gillespie's STOP decrypter. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-23#entry4668025

Please be sure to read those carefully before trying the decryption tool.

[ren 0]

 

 

Hi GT500,

 

Here is my sample infected file by djvur.

https://www.mediafire.com/file/patwxtnkw7i5ihn/_DSC1088.JPG.djvur/file

Thanks.

[GT500 564]

@ren normally I would recommend uploading a copy of the ransom note and an encrypted file to ID Ransomware in order to verify which ransomware you're dealing with, however I would believe that the "djvur" extension was only used by one of the Djvu variants of the STOP ransomware. Go ahead and following the instructions in this post to download and run STOPDecrypter to see if it can decrypt your files. If it can't find a key for you, then it will tell you your ID and MAC, which you can paste in a reply and I can forward to Michael Gillespie (the creator of STOPDecrypter) so that he can archive your information in case he is able to figure out your decryption key at some point in the future.

[ren 0]

 

Hi GT500,

 

Hope you could help me my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

 

Thanks a lot..

[GT500 564]

5 hours ago, ren said:

Hi GT500,

Hope you could help me my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

Thanks a lot..

We would need the MAC addresses of the network devices on the infected computer as well. There's a batch file that can get them for you. Just download and open the ZIP archive at the following link:
https://www.gt500.org/emsisoft/MAC_Address_Batch_File.zip

After opening it, a folder will appear with a file named Get_MAC_Addresses. Just double-click on that file, and a black window will appear and disappear. Once that black window disappears, you will have a new file on your Desktop called MAC_Addresses. Just attach that "MAC_Addresses" file to a reply.

BTW: If you were using some sort of mobile WiFi/mobile broadband connection when your files were encrypted, then make sure it is at least connected to the computer when you run the "Get_MAC_Addresses" batch file.

[ren 0]

Here it is MAC: 30:9C:23:0D:68:F7

Thanks

[ren 0]

MAC_Address_Batch_File.zip

[GT500 564]

5 minutes ago, ren said:

Here it is MAC: 30:9C:23:0D:68:F7

Thanks

Only one MAC address? If you have more than one network adapter, and that's the wrong MAC address, then it more than likely won't be possible to figure out your decryption key.

Admittedly it's late enough that the odds of being able to figure out the decryption key are low to begin with, however there's still a small chance as long as we have the correct MAC address.

[ren 0]

 

I just reformatted my computer. Here it is, I tried it again.

Here it is MAC: 30:9C:23:0D:68:F7

my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

Get_MAC_Addresses.7z

 

Thanks a lot.

[GT500 564]

MAC addresses of network adapters don't change after reformatting, so that MAC address is the same as the one you sent before.

Did you run the batch file? You keep attaching the batch file to your replies, and not the "MAC_Addresses" file it saves on your Desktop.

[ren 0]

Yes I run the Get MAC address you sent me. It just opens then closes after.

 

 

[ren 0]

 

Here it is. from the notepad sir.

 

Connection Name Network Adapter Physical Address    Transport Name                                            
=============== =============== =================== ==========================================================
Ethernet        Realtek PCIe GB 30-9C-23-0D-68-F7   \Device\Tcpip_{1D4A9C9D-AD18-45DE-9A68-40F3D31B26E5}      
 

 

Thanks.

[GT500 564]

OK, thanks. I already sent your information to the creator of STOPDecrypter, so he's archived it in case he's able to figure out your decryption key in the future.