Eng_Chetan

Ransomware attack - (.DJVUR)

By Eng_Chetan, in Help, my files are encrypted!

Recommended Posts

Eng_Chetan    0

Eng_Chetan
Posted

My PC got affected on 5-Jan 2019 evening with this ransomware ".DJVUR"n ad all media files (JPG, PDH, MP4, MS Office etc) got affected with change in extension. I tried everything possible to remove the Ransomware. My PC was creating lot of issues so I got it formatted and Now I am left with the encrypted files most of them is my personal photos, videos and reading material. I am looking for suitable decryptor to recover my files. Please help me to recover back my data.

Thanks in advance

Share this post

Link to post
Share on other sites

imdead    0

imdead
Posted

me too...my PC on 5 -Jan 2019 morning got this ransomware

its  the first time i got this kind of bad virus - and some of my files encrypted with .djvur extension

specially the books and multimedia and some rar and iso

i could able to stop it by formatting my PC but i still have those files encrypted with _openme.txt note file

any idea how to decrypte the files even maybe with a tool ----i need to rescue this files

Share this post

Link to post
Share on other sites

imdead    0

imdead
Posted (edited)

job done here you are sir:

https://id-ransomware.malwarehunterteam.com/identify.php?case=f267a9e1718ebfe18e19bf9956fd9b2c7a744c70

i hope you find help for us

if you need anything just ask

also ...i think this is the infected file: 

http://snowfiles.com/tyubog90pdyk

be careful don't download and use this file on your PC it will destroy your data with .djvur encryption

only use it in a restricted machine-----------let me know if anything new found

Edited by GT500
Made link non-clickable.

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

That link is to one of those obnoxious download sites that hides the read download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

Share this post

Link to post
Share on other sites

imdead    0

imdead
Posted
20 hours ago, GT500 said:

That link is to one of those obnoxious download sites that hides the read download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

no --it works fine .but it has some stupid ads

you must click the blue button until it stops showing ads then you can download it

also be careful a gain run it on a restricted PC or vm

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted
1 hour ago, imdead said:

you must click the blue button until it stops showing ads then you can download it

One of our malware analysts already did that, and the downloaded file did not appear to be ransomware.

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted
15 hours ago, askkali said: 
https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

 

i found djuvr from here.

Thank you. I have forwarded that to our malware analysts so that they can take a look at it. I'll let you know if they find anything useful.

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted
2 hours ago, imdead said:

if any one has an infected setup file or .exe file with this kind of ransom **** share it with us here or paste the link

I'm proud to check it

We discourage sharing of potentially malicious files with others on these forums. It's best to upload things to VirusTotal, and send a link to the analysis to us. Or to send them to us privately.

Share this post

Link to post
Share on other sites

nemo74    0

nemo74
Posted
On ‎1‎/‎15‎/‎2019 at 1:15 AM, GT500 said:

It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

Thanx for this info.. I have now sent him my info

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

Just so that everyone knows, Michael Gillespie is still working on analyzing the encryption method of the ransomware. There appears to be some conditions under which it might be decryptable, and if he can find a way to help with recovery of files then he will more than likely let me know (or BleepingComputer will announce it in their news).

Share this post

Link to post
Share on other sites

imdead    0

imdead
Posted
8 hours ago, Bikash586 said:

Hi ,

My PC got infected  with DJVUT extension  is there any solution to get rid of it . Since I formatted  my PC   I am left with with  this extension . Hope I will get  help from this site.

01 - Track.MP3.djvut

_openme.txt

i think it is another variant of stop ransomware but this topic about djvur only

hmmm.if they found a way to break djvur then that might work with your too-----be patient

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

Share this post

Link to post
Share on other sites

imdead    0

imdead
Posted
12 hours ago, GT500 said:

Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

it doesn't work for me... Unfortunately it doesn't accept my id

how to send my id to him...maybe he  found a key for me

Share this post

Link to post
Share on other sites

washingtonbg    0

washingtonbg
Posted

Boa tarde tive meu computador infectado por um vírus ransomware Djvu que infectou meu HD escravo e criptografando ele todo, onde tem  nele documentos e fotos de minha esposa e familiares ja falecido e programas de uso pessoal de trabalho. Baixei o Emisoft Security Center pois em outros sites me disseram que aqui resolveria meu problema.

A unidade C: tive que formatar pois estava dando tela azul erro de pilhagem de memória.

Desde já agradeço por me ajudarem pois isso veio depois que meu sobrinho instalou programa para jogos online

Este vírus criou vários arquivos ( _openme.txt) e extensões (.tfudeq) no qual achei que perdi tudo até chegar aqui. No bloco de texto _openme.txt segue isso

 

---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://files.danwin1210.me/uploads/01-2019/Decrypt%20Software%20Overview.avi
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.

---------------------------------------------------------------------------------------------------------------------------


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0256se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0


 

1.png
Download Image

PQAAAAE_4QklfD5E6VOWjQqFXXTewMZ6zHF7lnUYUkQjleC4PWDZZWejOAXsDiyAs08oI_iywHhMa5mQ1DgwFl3z9isAm1T1UKd2WeEZ7WakI0nCUNYutCwnBEbN.jpg.tfudeq

_openme.txt

eu e mozão.jpg.tfudeq

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

@washingtonbg If you don't know English, then feel free to run this through Google Translate or Bing Translator:
https://translate.google.com/
https://www.bing.com/translator

If the ransomware was unable to contact its Command and Control servers when your files were encrypted, then it is possible to recover the files with Michael Gillespie's STOP decrypter. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-23#entry4668025

Please be sure to read those carefully before trying the decryption tool.

Share this post

Link to post
Share on other sites

ren    0

ren
Posted

 

 

Hi GT500,

 

Here is my sample infected file by djvur.

https://www.mediafire.com/file/patwxtnkw7i5ihn/_DSC1088.JPG.djvur/file

Thanks.

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

@ren normally I would recommend uploading a copy of the ransom note and an encrypted file to ID Ransomware in order to verify which ransomware you're dealing with, however I would believe that the "djvur" extension was only used by one of the Djvu variants of the STOP ransomware. Go ahead and following the instructions in this post to download and run STOPDecrypter to see if it can decrypt your files. If it can't find a key for you, then it will tell you your ID and MAC, which you can paste in a reply and I can forward to Michael Gillespie (the creator of STOPDecrypter) so that he can archive your information in case he is able to figure out your decryption key at some point in the future.

  • Like 1

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted
5 hours ago, ren said:

Hi GT500,

Hope you could help me my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

Thanks a lot..

We would need the MAC addresses of the network devices on the infected computer as well. There's a batch file that can get them for you. Just download and open the ZIP archive at the following link:
https://www.gt500.org/emsisoft/MAC_Address_Batch_File.zip

After opening it, a folder will appear with a file named Get_MAC_Addresses. Just double-click on that file, and a black window will appear and disappear. Once that black window disappears, you will have a new file on your Desktop called MAC_Addresses. Just attach that "MAC_Addresses" file to a reply.

BTW: If you were using some sort of mobile WiFi/mobile broadband connection when your files were encrypted, then make sure it is at least connected to the computer when you run the "Get_MAC_Addresses" batch file.

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted
5 minutes ago, ren said:

Here it is MAC: 30:9C:23:0D:68:F7

Thanks

Only one MAC address? If you have more than one network adapter, and that's the wrong MAC address, then it more than likely won't be possible to figure out your decryption key.

Admittedly it's late enough that the odds of being able to figure out the decryption key are low to begin with, however there's still a small chance as long as we have the correct MAC address.

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

MAC addresses of network adapters don't change after reformatting, so that MAC address is the same as the one you sent before.

Did you run the batch file? You keep attaching the batch file to your replies, and not the "MAC_Addresses" file it saves on your Desktop.

Share this post

Link to post
Share on other sites

ren    0

ren
Posted

 

Here it is. from the notepad sir.

 

Connection Name Network Adapter Physical Address    Transport Name                                            
=============== =============== =================== ==========================================================
Ethernet        Realtek PCIe GB 30-9C-23-0D-68-F7   \Device\Tcpip_{1D4A9C9D-AD18-45DE-9A68-40F3D31B26E5}      
 

 

Thanks.

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

OK, thanks. I already sent your information to the creator of STOPDecrypter, so he's archived it in case he's able to figure out your decryption key in the future.

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Share this post

Link to post
Share on other sites

mim    0

mim
Posted

My system got hacked.(.djvur) , what should i do to rescue my data
Please help me if there is a way to decrypt the files..
Thank you!

use to software
STOPDecrypter
[*] ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC (.djvur )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:24:1D:D1:EC:60
This info has also been logged to STOPDecrypter-log.txt
and
use to software
Emsisoft
Starting…

File: F:\parsa\09eaf3b6-dbcf-42ee-bdd0-5a244d16ee89.jpg.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: FFD8FFE000

Share this post

Link to post
Share on other sites

GT500    812

GT500
Posted
1 hour ago, mim said:

File: F:\parsa\09eaf3b6-dbcf-42ee-bdd0-5a244d16ee89.jpg.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: FFD8FFE000

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Share this post

Link to post
Share on other sites

mim    0

mim
Posted
On 4/9/2020 at 2:08 AM, mim said:
On 4/9/2020 at 3:49 AM, GT500 said:

 

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    Hello . I upload the file pair via online submission. now
    How to decrypt files؟

    The answer is as follows:

    Your file pair for ".JPG" files was processed.

    Please note this will only allow the tool to decrypt files that match the following criteria:

    • • Starts with the bytes: FFD8FFE169
    • • Were encrypted with ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC

    Untitled.jpg
    Download Image

    Share this post

    Link to post
    Share on other sites

    mim    0

    mim
    Posted (edited)

    Hi, thank you for your guidance, but when I use the software  Emsisoft The answer is as follows:

    Starting

    File: F:\Camera\VID_20160427_185716.mp4.djvur
    Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
    First 5 bytes: 0000001866

    Edited by GT500
    Removed empty quote.

    Share this post

    Link to post
    Share on other sites

    GT500    812

    GT500
    Posted
    18 hours ago, mim said:

    File: F:\Camera\VID_20160427_185716.mp4.djvur
    Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
    First 5 bytes: 0000001866

    That means you need to upload file pairs for that type of file.

    When you upload a file pair, the decrypter can only decrypt other files that have the same first 5 bytes as the file you used for your file pair. Normally this means all files of the same type (such as all MP4 files or all ZIP archives), however there are some exceptions to this where not all files of the same type will begin with the same 5 bytes (JPEG/JPG images and TXT files are good examples).

    Share this post

    Link to post
    Share on other sites

    GT500    812

    GT500
    Posted
    10 hours ago, mim said:

    I'm sorry, whatever I do, the passwords will not be lost. Please check this example. ThankDSC_0030.JPG.djvur

    That's a JPG image, and those are going to be difficult. In order to decrypt them, you need to have different file pairs for every source of JPG images. For instance, JPG images from one camera should all need one file pair, whereas JPG images from another camera will require a different file pair.

    Share this post

    Link to post
    Share on other sites

    GT500    812

    GT500
    Posted
    10 hours ago, Ardian said:

    Invalid file pair; file pair must be at least 150KB

    That means the file you're trying to use for your file pair is too small. You'll need to pick a different file for your file pair.

    Share this post

    Link to post
    Share on other sites

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×
    Go To Topic Listing

    • Recently Browsing   0 members

      No registered users viewing this page.