Eng_Chetan

Ransomware attack - (.DJVUR)


My PC got affected on 5-Jan 2019 evening with this ransomware ".DJVUR" and all media files (JPG, PDH, MP4, MS Office etc.) got affected with a change in extension. I tried everything possible to remove the ransomware. My PC was creating a lot of issues so I got it formatted, and now I am left with the encrypted files, most of which are my personal photos, videos and reading material. I am looking for a suitable decryptor to recover my files. Please help me to recover my data.

Thanks in advance


Me too... my PC got this ransomware on 5-Jan 2019, in the morning.

It's the first time I got this kind of bad virus, and some of my files are encrypted with the .djvur extension,

especially the books and multimedia and some rar and iso.

I was able to stop it by formatting my PC, but I still have those files encrypted, with the _openme.txt note file.

Any idea how to decrypt the files, even maybe with a tool? I need to rescue these files.


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


job done here you are sir:

https://id-ransomware.malwarehunterteam.com/identify.php?case=f267a9e1718ebfe18e19bf9956fd9b2c7a744c70

I hope you find help for us.

If you need anything just ask.

Also... I think this is the infected file:

http://snowfiles.com/tyubog90pdyk

Be careful: don't download and use this file on your PC, it will destroy your data with .djvur encryption.

Only use it in a restricted machine. Let me know if anything new is found.

Edited by GT500
Made link non-clickable.


That link is to one of those obnoxious download sites that hides the real download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

20 hours ago, GT500 said:

That link is to one of those obnoxious download sites that hides the real download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

No, it works fine, but it has some stupid ads.

you must click the blue button until it stops showing ads then you can download it

Also, be careful again: run it on a restricted PC or VM.

1 hour ago, imdead said:

you must click the blue button until it stops showing ads then you can download it

One of our malware analysts already did that, and the downloaded file did not appear to be ransomware.

https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

I found djvur from here.

Edited by GT500
Made link non-clickable.

15 hours ago, askkali said:
https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

I found djvur from here.

Thank you. I have forwarded that to our malware analysts so that they can take a look at it. I'll let you know if they find anything useful.


It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935


If anyone has an infected setup file or .exe file with this kind of ransom ****, share it with us here or paste the link.

I'm proud to check it

2 hours ago, imdead said:

If anyone has an infected setup file or .exe file with this kind of ransom ****, share it with us here or paste the link.

I'm proud to check it

We discourage sharing of potentially malicious files with others on these forums. It's best to upload things to VirusTotal, and send a link to the analysis to us. Or to send them to us privately.

On 1/15/2019 at 1:15 AM, GT500 said:

It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

Thanks for this info. I have now sent him my info.


Just so that everyone knows, Michael Gillespie is still working on analyzing the encryption method of the ransomware. There appear to be some conditions under which it might be decryptable, and if he can find a way to help with recovery of files then he will more than likely let me know (or BleepingComputer will announce it in their news).

8 hours ago, Bikash586 said:

Hi,

My PC got infected with the DJVUT extension. Is there any solution to get rid of it? Since I formatted my PC I am left with this extension. Hope I will get help from this site.

01 - Track.MP3.djvut

_openme.txt

I think it is another variant of STOP ransomware, but this topic is about djvur only.

Hmmm. If they found a way to break djvur then that might work with yours too. Be patient.


Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

12 hours ago, GT500 said:

Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

It doesn't work for me... Unfortunately it doesn't accept my ID.

How to send my ID to him? Maybe he found a key for me.


Good afternoon. My computer was infected by a Djvu ransomware virus that infected my secondary (slave) hard drive and encrypted all of it; it holds documents and photos of my wife and of family members who have since passed away, as well as programs I use personally for work. I downloaded the Emsisoft Security Center because other sites told me that my problem would be solved here.

I had to format the C: drive because it was giving a blue screen with a memory stack error.

Thank you in advance for helping me; this happened after my nephew installed a program for online games.

This virus created several files (_openme.txt) and extensions (.tfudeq), and I thought I had lost everything until I got here. The _openme.txt text file contains the following:

---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://files.danwin1210.me/uploads/01-2019/Decrypt%20Software%20Overview.avi
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.

---------------------------------------------------------------------------------------------------------------------------


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0256se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0



PQAAAAE_4QklfD5E6VOWjQqFXXTewMZ6zHF7lnUYUkQjleC4PWDZZWejOAXsDiyAs08oI_iywHhMa5mQ1DgwFl3z9isAm1T1UKd2WeEZ7WakI0nCUNYutCwnBEbN.jpg.tfudeq

_openme.txt

eu e mozão.jpg.tfudeq


@washingtonbg If you don't know English, then feel free to run this through Google Translate or Bing Translator:
https://translate.google.com/
https://www.bing.com/translator

If the ransomware was unable to contact its Command and Control servers when your files were encrypted, then it is possible to recover the files with Michael Gillespie's STOP decrypter. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-23#entry4668025

Please be sure to read those carefully before trying the decryption tool.

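Added example, not part of any post in this thread: a read-only Python sketch that inventories a drive for the file extensions and `_openme.txt` notes reported above and pulls out the "Your personal ID:" value, which is the information to have at hand for ID Ransomware or the decrypter. The function names and the sample tree are constructed for illustration; the extension list covers only the variants named in this thread.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions and note name exactly as reported in this thread.
ENCRYPTED_EXTS = {".djvur", ".djvut", ".tfudeq"}
NOTE_NAME = "_openme.txt"
ID_RE = re.compile(r"Your personal ID:\s*(\S+)")


def extract_personal_id(note_text):
    """Return the token that follows 'Your personal ID:' in a note, or None."""
    match = ID_RE.search(note_text)
    return match.group(1) if match else None


def inventory(root):
    """Walk root without modifying anything: count encrypted files per
    extension and collect the distinct personal IDs found in ransom notes."""
    counts, ids, notes = Counter(), set(), 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == NOTE_NAME:
            notes += 1
            pid = extract_personal_id(path.read_text(errors="replace"))
            if pid:
                ids.add(pid)
        elif path.suffix.lower() in ENCRYPTED_EXTS:
            counts[path.suffix.lower()] += 1
    return {"counts": dict(counts), "ids": sorted(ids), "notes": notes}


def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photos").mkdir()
        (root / "photos" / "a.jpg.tfudeq").write_bytes(b"\x00")
        (root / "photos" / "b.MP3.djvut").write_bytes(b"\x00")
        (root / "report.docx").write_bytes(b"\x00")  # untouched file
        note = "ALL YOUR FILES ARE ENCRYPTED\n\nYour personal ID:\nCONSTRUCTED0sample0ID\n"
        (root / NOTE_NAME).write_text(note)
        (root / "photos" / NOTE_NAME).write_text(note)
        return inventory(root)


if __name__ == "__main__":
    print(demo())
```

Run `inventory()` against a copy or a read-only mount of the affected drive, and keep the encrypted files and notes in place afterwards.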
