Eng_Chetan 0 Posted January 7, 2019
My PC got affected on 5-Jan 2019 evening with this ransomware ".DJVUR" and all media files (JPG, PDH, MP4, MS Office etc) got affected with change in extension. I tried everything possible to remove the ransomware. My PC was creating a lot of issues so I got it formatted, and now I am left with the encrypted files, most of which are my personal photos, videos and reading material. I am looking for a suitable decryptor to recover my files. Please help me to recover my data. Thanks in advance.

imdead 0 Posted January 7, 2019
Me too... My PC got this ransomware on the morning of 5 Jan 2019. It's the first time I got this kind of bad virus, and some of my files were encrypted with the .djvur extension, especially the books and multimedia and some RAR and ISO files. I was able to stop it by formatting my PC, but I still have those encrypted files along with the _openme.txt note file. Any idea how to decrypt the files, maybe even with a tool? I need to rescue these files.

GT500 853 Posted January 8, 2019
I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/
You can paste a link to the results into a reply if you would like for me to review them.

imdead 0 Posted January 8, 2019 (edited)
Job done, here you are sir:
https://id-ransomware.malwarehunterteam.com/identify.php?case=f267a9e1718ebfe18e19bf9956fd9b2c7a744c70
I hope you find help for us. If you need anything just ask. Also, I think this is the infected file:
http://snowfiles.com/tyubog90pdyk
Be careful: don't download and use this file on your PC, it will destroy your data with .djvur encryption. Only use it in a restricted machine. Let me know if anything new is found.
Edited January 8, 2019 by GT500: Made link non-clickable.

GT500 853 Posted January 8, 2019
That link is to one of those obnoxious download sites that hides the real download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

imdead 0 Posted January 9, 2019
20 hours ago, GT500 said:
That link is to one of those obnoxious download sites that hides the real download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

No, it works fine, but it has some stupid ads. You must click the blue button until it stops showing ads, then you can download it. Also be careful again: run it on a restricted PC or VM.

GT500 853 Posted January 9, 2019
1 hour ago, imdead said:
you must click the blue button until it stops showing ads then you can download it

One of our malware analysts already did that, and the downloaded file did not appear to be ransomware.

askkali 0 Posted January 10, 2019 (edited)
https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1
I found djuvr from here.
Edited January 10, 2019 by GT500: Made link non-clickable.

GT500 853 Posted January 10, 2019
15 hours ago, askkali said:
https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1
I found djuvr from here.

Thank you. I have forwarded that to our malware analysts so that they can take a look at it. I'll let you know if they find anything useful.

infecteddjvur 0 Posted January 12, 2019
Hi, is there any update on this ransomware .djvur? Any way to decrypt the file?

infecteddjvur 0 Posted January 12, 2019
I have uploaded a sample file:
https://id-ransomware.malwarehunterteam.com/identify.php?case=d32adb657034fd2e416b4b7f28aa7d5fcd9d69bc

GT500 853 Posted January 15, 2019
It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

imdead 0 Posted January 15, 2019
If anyone has an infected setup file or .exe file with this kind of ransom ****, share it with us here or paste the link. I'm proud to check it.

GT500 853 Posted January 15, 2019
2 hours ago, imdead said:
If anyone has an infected setup file or .exe file with this kind of ransom ****, share it with us here or paste the link. I'm proud to check it.

We discourage sharing of potentially malicious files with others on these forums. It's best to upload things to VirusTotal, and send a link to the analysis to us. Or to send them to us privately.

nemo74 0 Posted January 16, 2019
On 1/15/2019 at 1:15 AM, GT500 said:
It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

Thanks for this info. I have now sent him my info.

GT500 853 Posted January 16, 2019
Just so that everyone knows, Michael Gillespie is still working on analyzing the encryption method of the ransomware. There appear to be some conditions under which it might be decryptable, and if he can find a way to help with recovery of files then he will more than likely let me know (or BleepingComputer will announce it in their news).

Bikash586 0 Posted January 17, 2019
Hi, my PC got infected with the DJVUT extension. Is there any solution to get rid of it? Since I formatted my PC I am left with this extension. Hope I will get help from this site.
Attachments: 01 - Track.MP3.djvut, _openme.txt

imdead 0 Posted January 17, 2019
8 hours ago, Bikash586 said:
Hi, my PC got infected with the DJVUT extension. Is there any solution to get rid of it? Since I formatted my PC I am left with this extension. Hope I will get help from this site.
Attachments: 01 - Track.MP3.djvut, _openme.txt

I think it is another variant of STOP ransomware, but this topic is about djvur only. Hmm, if they found a way to break djvur then that might work with yours too. Be patient.

GT500 853 Posted January 17, 2019
Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

imdead 0 Posted January 18, 2019
12 hours ago, GT500 said:
Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

It doesn't work for me... Unfortunately it doesn't accept my ID. How do I send my ID to him? Maybe he found a key for me.

GT500 853 Posted January 18, 2019
You can contact Michael privately on BleepingComputer, Twitter, or on our forums:
https://www.bleepingcomputer.com/forums/u/726225/demonslay335/
https://twitter.com/demonslay335
https://support.emsisoft.com/profile/44427-demonslay335/

imdead 0 Posted January 19, 2019
20 hours ago, GT500 said:
You can contact Michael privately on BleepingComputer, Twitter, or on our forums:
https://www.bleepingcomputer.com/forums/u/726225/demonslay335/
https://twitter.com/demonslay335
https://support.emsisoft.com/profile/44427-demonslay335/

Yes, I send him samples... maybe he will find a solution.

washingtonbg 0 Posted January 20, 2019
Good afternoon. My computer was infected by the Djvu ransomware virus, which infected my secondary (slave) hard drive and encrypted all of it. That drive holds documents and photos of my wife and of relatives who have since passed away, as well as programs I use personally for work. I downloaded the Emsisoft Security Center because other sites told me my problem would be solved here. I had to format the C: drive because it was giving a blue screen with a memory stack error. Thank you in advance for helping me; this happened after my nephew installed a program for online games. This virus created several files (_openme.txt) and extensions (.tfudeq), and I thought I had lost everything until I got here. The _openme.txt text file contains the following:

---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://files.danwin1210.me/uploads/01-2019/Decrypt%20Software%20Overview.avi
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.
---------------------------------------------------------------------------------------------------------------------------
To get this software you need write on our e-mail: [email protected]
Reserve e-mail address to contact us: [email protected]
Your personal ID: 0256se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

Attachments: PQAAAAE_4QklfD5E6VOWjQqFXXTewMZ6zHF7lnUYUkQjleC4PWDZZWejOAXsDiyAs08oI_iywHhMa5mQ1DgwFl3z9isAm1T1UKd2WeEZ7WakI0nCUNYutCwnBEbN.jpg.tfudeq, _openme.txt, eu e mozão.jpg.tfudeq

GT500 853 Posted January 21, 2019
@washingtonbg If you don't know English, then feel free to run this through Google Translate or Bing Translator:
https://translate.google.com/
https://www.bing.com/translator
If the ransomware was unable to contact its Command and Control servers when your files were encrypted, then it is possible to recover the files with Michael Gillespie's STOP decrypter. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-23#entry4668025
Please be sure to read those carefully before trying the decryption tool.

ren 0 Posted April 3, 2019
Hi GT500,
Here is my sample infected file by djvur.
https://www.mediafire.com/file/patwxtnkw7i5ihn/_DSC1088.JPG.djvur/file
Thanks.

GT500 853 Posted April 3, 2019
@ren normally I would recommend uploading a copy of the ransom note and an encrypted file to ID Ransomware in order to verify which ransomware you're dealing with, however I would believe that the "djvur" extension was only used by one of the Djvu variants of the STOP ransomware.
Go ahead and follow the instructions in this post to download and run STOPDecrypter to see if it can decrypt your files. If it can't find a key for you, then it will tell you your ID and MAC, which you can paste in a reply and I can forward to Michael Gillespie (the creator of STOPDecrypter) so that he can archive your information in case he is able to figure out your decryption key at some point in the future.

ren 0 Posted April 30, 2019
Hi GT500,
Hope you could help me. My ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg
Thanks a lot.

GT500 853 Posted April 30, 2019
5 hours ago, ren said:
Hi GT500,
Hope you could help me. My ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg
Thanks a lot.

We would need the MAC addresses of the network devices on the infected computer as well. There's a batch file that can get them for you. Just download and open the ZIP archive at the following link:
https://www.gt500.org/emsisoft/MAC_Address_Batch_File.zip
After opening it, a folder will appear with a file named Get_MAC_Addresses. Just double-click on that file, and a black window will appear and disappear. Once that black window disappears, you will have a new file on your Desktop called MAC_Addresses. Just attach that "MAC_Addresses" file to a reply.
BTW: If you were using some sort of mobile WiFi/mobile broadband connection when your files were encrypted, then make sure it is at least connected to the computer when you run the "Get_MAC_Addresses" batch file.

ren 0 Posted April 30, 2019
Here it is
MAC: 30:9C:23:0D:68:F7
Thanks

ren 0 Posted April 30, 2019
Attachment: MAC_Address_Batch_File.zip

GT500 853 Posted April 30, 2019
5 minutes ago, ren said:
Here it is
MAC: 30:9C:23:0D:68:F7
Thanks

Only one MAC address? If you have more than one network adapter, and that's the wrong MAC address, then it more than likely won't be possible to figure out your decryption key. Admittedly it's late enough that the odds of being able to figure out the decryption key are low to begin with, however there's still a small chance as long as we have the correct MAC address.

ren 0 Posted April 30, 2019
I just reformatted my computer. Here it is, I tried it again. Here it is
MAC: 30:9C:23:0D:68:F7
my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg
Attachment: Get_MAC_Addresses.7z
Thanks a lot.

GT500 853 Posted May 2, 2019
MAC addresses of network adapters don't change after reformatting, so that MAC address is the same as the one you sent before. Did you run the batch file? You keep attaching the batch file to your replies, and not the "MAC_Addresses" file it saves on your Desktop.

ren 0 Posted May 2, 2019
Yes, I ran the Get MAC address file you sent me. It just opens then closes after.

ren 0 Posted May 2, 2019
Here it is, from the notepad sir.

Connection Name Network Adapter Physical Address    Transport Name
=============== =============== =================== ==========================================================
Ethernet        Realtek PCIe GB 30-9C-23-0D-68-F7   \Device\Tcpip_{1D4A9C9D-AD18-45DE-9A68-40F3D31B26E5}

Thanks.

GT500 853 Posted May 2, 2019
OK, thanks. I already sent your information to the creator of STOPDecrypter, so he's archived it in case he's able to figure out your decryption key in the future.

GT500 853 Posted October 19, 2019
We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

mim 0 Posted April 9, 2020
My system got hacked (.djvur). What should I do to rescue my data? Please help me if there is a way to decrypt the files. Thank you!

Using the STOPDecrypter software:
[*] ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC (.djvur )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:24:1D:D1:EC:60
This info has also been logged to STOPDecrypter-log.txt

And using the Emsisoft software:
Starting…
File: F:\parsa\09eaf3b6-dbcf-42ee-bdd0-5a244d16ee89.jpg.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: FFD8FFE000

GT500 853 Posted April 9, 2020
1 hour ago, mim said:
File: F:\parsa\09eaf3b6-dbcf-42ee-bdd0-5a244d16ee89.jpg.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: FFD8FFE000

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

mim 0 Posted April 13, 2020
On 4/9/2020 at 3:49 AM, GT500 said:
You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Hello. I uploaded the file pair via online submission. Now how to decrypt files? The answer is as follows:
Your file pair for ".JPG" files was processed. Please note this will only allow the tool to decrypt files that match the following criteria:
• Starts with the bytes: FFD8FFE169
• Were encrypted with ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC

GT500 853 Posted April 14, 2020
14 hours ago, mim said:
How to decrypt files?

After uploading file pairs, just run the decrypter again, and it will use the keystream generated from your file pair to decrypt any files that have the same first 5 bytes:
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

mim 0 Posted April 14, 2020 (edited)
Hi, thank you for your guidance, but when I use the Emsisoft software the answer is as follows:
Starting
File: F:\Camera\VID_20160427_185716.mp4.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: 0000001866
Edited April 15, 2020 by GT500: Removed empty quote.

GT500 853 Posted April 15, 2020
18 hours ago, mim said:
File: F:\Camera\VID_20160427_185716.mp4.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: 0000001866

That means you need to upload file pairs for that type of file. When you upload a file pair, the decrypter can only decrypt other files that have the same first 5 bytes as the file you used for your file pair. Normally this means all files of the same type (such as all MP4 files or all ZIP archives), however there are some exceptions to this where not all files of the same type will begin with the same 5 bytes (JPEG/JPG images and TXT files are good examples).

mim 0 Posted April 15, 2020
I'm sorry, whatever I do, the passwords will not be lost. Please check this example. Thanks.
Attachment: DSC_0030.JPG.djvur

mim 0 Posted April 15, 2020
This is the software response.
Attachment: 22.txt

Ardian 0 Posted April 15, 2020
Hi! All the files on my laptop do not open, and all the document and image names take ".mpaj" at the end of the name they had before being infected. I use this address https://decrypter.emsisoft.com/submit/stopdjvu/ , but it shows me:
Invalid file pair; file pair must be at least 150KB
I would appreciate it if you could help.

GT500 853 Posted April 16, 2020
10 hours ago, mim said:
I'm sorry, whatever I do, the passwords will not be lost. Please check this example. Thanks.
Attachment: DSC_0030.JPG.djvur

That's a JPG image, and those are going to be difficult. In order to decrypt them, you need to have different file pairs for every source of JPG images. For instance, JPG images from one camera should all need one file pair, whereas JPG images from another camera will require a different file pair.

GT500 853 Posted April 16, 2020
10 hours ago, Ardian said:
Invalid file pair; file pair must be at least 150KB

That means the file you're trying to use for your file pair is too small. You'll need to pick a different file for your file pair.

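Added example, not part of the thread and not Emsisoft's or Michael Gillespie's code: a Python helper that applies the two file-pair rules described above (same first 5 bytes, at least 150KB) to an inventory of encrypted files, so a victim can see how many distinct file pairs they still need. The function names, the 150 KiB reading of "150KB", and the assumption that an original and its encrypted copy share their first 5 bytes (inferred from the decrypter output quoted in the thread) are assumptions; the sample files are constructed.

```python
"""Group STOP/Djvu-encrypted files by first 5 bytes to plan file-pair uploads."""
import tempfile
from collections import defaultdict
from pathlib import Path

PREFIX_LEN = 5               # the decrypter output in the thread reports "First 5 bytes"
MIN_PAIR_BYTES = 150 * 1024  # assumption: the form's "150KB" read as 150 KiB


def prefix_of(path):
    """Return the first 5 bytes of a file as upper-case hex, e.g. 'FFD8FFE000'."""
    with open(path, "rb") as fh:
        return fh.read(PREFIX_LEN).hex().upper()


def group_by_prefix(root, ext=".djvur"):
    """Map each distinct 5-byte prefix to the encrypted files that start with it."""
    groups = defaultdict(list)
    for path in sorted(Path(root).rglob("*" + ext)):
        if path.is_file():
            groups[prefix_of(path)].append(path)
    return dict(groups)


def pair_problems(original, encrypted):
    """List the reasons a candidate (original, encrypted) pair would be unusable."""
    problems = []
    smallest = min(Path(original).stat().st_size, Path(encrypted).stat().st_size)
    if smallest < MIN_PAIR_BYTES:
        problems.append("smaller than 150KB")
    # Assumption: both copies start with the same 5 bytes, as the tool output suggests.
    if prefix_of(original) != prefix_of(encrypted):
        problems.append("first 5 bytes differ")
    return problems


def pairs_still_needed(root, covered, ext=".djvur"):
    """Prefixes that have encrypted files but no submitted pair, largest group first."""
    groups = group_by_prefix(root, ext)
    missing = {p: len(files) for p, files in groups.items() if p not in covered}
    return dict(sorted(missing.items(), key=lambda kv: (-kv[1], kv[0])))


def build_demo_tree():
    """Constructed sample data: dummy files carrying prefixes quoted in the thread."""
    root = Path(tempfile.mkdtemp(prefix="djvur_demo_"))
    samples = {
        "cam_a/a1.jpg.djvur": ("FFD8FFE000", 200_000),
        "cam_a/a2.jpg.djvur": ("FFD8FFE000", 200_000),
        "cam_b/b1.jpg.djvur": ("FFD8FFE169", 200_000),
        "video/v1.mp4.djvur": ("0000001866", 200_000),
        "backup/b1.jpg": ("FFD8FFE169", 200_000),   # clean copy of cam_b/b1
        "backup/small.jpg": ("FFD8FFE000", 1_000),  # clean copy, too small
    }
    for rel, (prefix, size) in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(bytes.fromhex(prefix) + b"\x00" * (size - PREFIX_LEN))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    # A pair for FFD8FFE169 has already been submitted in this constructed scenario.
    for prefix, count in pairs_still_needed(demo, {"FFD8FFE169"}).items():
        print(f"{prefix}: {count} file(s) still need a file pair")
```

Run against a real folder, the prefixes with the most files show where finding one clean original (from a backup, e-mail attachment or the source camera) pays off first.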