Ransomware attack - (.DJVUR)

[Eng_Chetan 0]

My PC got affected on 5-Jan 2019 evening with this ransomware ".DJVUR"n ad all media files (JPG, PDH, MP4, MS Office etc) got affected with change in extension. I tried everything possible to remove the Ransomware. My PC was creating lot of issues so I got it formatted and Now I am left with the encrypted files most of them is my personal photos, videos and reading material. I am looking for suitable decryptor to recover my files. Please help me to recover back my data.

Thanks in advance

[imdead 0]

me too...my PC on 5 -Jan 2019 morning got this ransomware

its  the first time i got this kind of bad virus - and some of my files encrypted with .djvur extension

specially the books and multimedia and some rar and iso

i could able to stop it by formatting my PC but i still have those files encrypted with _openme.txt note file

any idea how to decrypte the files even maybe with a tool ----i need to rescue this files

[GT500 853]

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

[imdead 0]

job done here you are sir:

https://id-ransomware.malwarehunterteam.com/identify.php?case=f267a9e1718ebfe18e19bf9956fd9b2c7a744c70

i hope you find help for us

if you need anything just ask

also ...i think this is the infected file:

http://snowfiles.com/tyubog90pdyk

be careful don't download and use this file on your PC it will destroy your data with .djvur encryption

only use it in a restricted machine-----------let me know if anything new found

Edited January 8, 2019 by GT500
Made link non-clickable.

[GT500 853]

That link is to one of those obnoxious download sites that hides the read download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

[imdead 0]

20 hours ago, GT500 said:

That link is to one of those obnoxious download sites that hides the read download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?

no --it works fine .but it has some stupid ads

you must click the blue button until it stops showing ads then you can download it

also be careful a gain run it on a restricted PC or vm

[GT500 853]

1 hour ago, imdead said:

you must click the blue button until it stops showing ads then you can download it

One of our malware analysts already did that, and the downloaded file did not appear to be ransomware.

[askkali 0]

https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

 

i found djuvr from here.

Edited January 10, 2019 by GT500
Made link non-clickable.

[GT500 853]

15 hours ago, askkali said:

https://monova.to/0493A0CC721FD6BA5505AA3818068E3E9E6610B1

 

i found djuvr from here.

Thank you. I have forwarded that to our malware analysts so that they can take a look at it. I'll let you know if they find anything useful.

[infecteddjvur 0]

hi,

 

is there any update on this ransomware .djvur? anyway to decrypt the file?

 

[infecteddjvur 0]

i have uploaded a sample file 

 

https://id-ransomware.malwarehunterteam.com/identify.php?case=d32adb657034fd2e416b4b7f28aa7d5fcd9d69bc

[GT500 853]

It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

[imdead 0]

if any one has an infected setup file or .exe file with this kind of ransom **** share it with us here or paste the link

I'm proud to check it

[GT500 853]

2 hours ago, imdead said:

if any one has an infected setup file or .exe file with this kind of ransom **** share it with us here or paste the link

I'm proud to check it

We discourage sharing of potentially malicious files with others on these forums. It's best to upload things to VirusTotal, and send a link to the analysis to us. Or to send them to us privately.

[nemo74 0]

On ‎1‎/‎15‎/‎2019 at 1:15 AM, GT500 said:

It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935

Thanx for this info.. I have now sent him my info

[GT500 853]

Just so that everyone knows, Michael Gillespie is still working on analyzing the encryption method of the ransomware. There appears to be some conditions under which it might be decryptable, and if he can find a way to help with recovery of files then he will more than likely let me know (or BleepingComputer will announce it in their news).

[Bikash586 0]

Hi ,

My PC got infected  with DJVUT extension  is there any solution to get rid of it . Since I formatted  my PC   I am left with with  this extension . Hope I will get  help from this site.

01 - Track.MP3.djvut

_openme.txt

[imdead 0]

8 hours ago, Bikash586 said:

Hi ,

My PC got infected  with DJVUT extension  is there any solution to get rid of it . Since I formatted  my PC   I am left with with  this extension . Hope I will get  help from this site.

01 - Track.MP3.djvut

_openme.txt

i think it is another variant of stop ransomware but this topic about djvur only

hmmm.if they found a way to break djvur then that might work with your too-----be patient

[GT500 853]

Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

[imdead 0]

12 hours ago, GT500 said:

Michael Gillespie made a decrypter for this ransomware, however please note that it only works if the ransomware was unable to contact its Command and Control servers when it encrypted your files. A detailed explanation (including a download) is available at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165

it doesn't work for me... Unfortunately it doesn't accept my id

how to send my id to him...maybe he  found a key for me

[GT500 853]

You can contact Michael privately on BleepingComputer, Twitter, or on our forums:
https://www.bleepingcomputer.com/forums/u/726225/demonslay335/
https://twitter.com/demonslay335
https://support.emsisoft.com/profile/44427-demonslay335/

[imdead 0]

20 hours ago, GT500 said:

You can contact Michael privately on BleepingComputer, Twitter, or on our forums:
https://www.bleepingcomputer.com/forums/u/726225/demonslay335/
https://twitter.com/demonslay335
https://support.emsisoft.com/profile/44427-demonslay335/

yes-- i send him samples....may be he will find a solution

[washingtonbg 0]

Boa tarde tive meu computador infectado por um vírus ransomware Djvu que infectou meu HD escravo e criptografando ele todo, onde tem  nele documentos e fotos de minha esposa e familiares ja falecido e programas de uso pessoal de trabalho. Baixei o Emisoft Security Center pois em outros sites me disseram que aqui resolveria meu problema.

A unidade C: tive que formatar pois estava dando tela azul erro de pilhagem de memória.

Desde já agradeço por me ajudarem pois isso veio depois que meu sobrinho instalou programa para jogos online

Este vírus criou vários arquivos ( _openme.txt) e extensões (.tfudeq) no qual achei que perdi tudo até chegar aqui. No bloco de texto _openme.txt segue isso

 

---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://files.danwin1210.me/uploads/01-2019/Decrypt%20Software%20Overview.avi
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.

---------------------------------------------------------------------------------------------------------------------------

To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0256se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

 

PQAAAAE_4QklfD5E6VOWjQqFXXTewMZ6zHF7lnUYUkQjleC4PWDZZWejOAXsDiyAs08oI_iywHhMa5mQ1DgwFl3z9isAm1T1UKd2WeEZ7WakI0nCUNYutCwnBEbN.jpg.tfudeq

_openme.txt

eu e mozão.jpg.tfudeq

[GT500 853]

@washingtonbg If you don't know English, then feel free to run this through Google Translate or Bing Translator:
https://translate.google.com/
https://www.bing.com/translator

If the ransomware was unable to contact its Command and Control servers when your files were encrypted, then it is possible to recover the files with Michael Gillespie's STOP decrypter. There is more information at the following links:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-21#entry4667165
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-23#entry4668025

Please be sure to read those carefully before trying the decryption tool.

[ren 0]

 

 

Hi GT500,

 

Here is my sample infected file by djvur.

https://www.mediafire.com/file/patwxtnkw7i5ihn/_DSC1088.JPG.djvur/file

Thanks.

[GT500 853]

@ren normally I would recommend uploading a copy of the ransom note and an encrypted file to ID Ransomware in order to verify which ransomware you're dealing with, however I would believe that the "djvur" extension was only used by one of the Djvu variants of the STOP ransomware. Go ahead and following the instructions in this post to download and run STOPDecrypter to see if it can decrypt your files. If it can't find a key for you, then it will tell you your ID and MAC, which you can paste in a reply and I can forward to Michael Gillespie (the creator of STOPDecrypter) so that he can archive your information in case he is able to figure out your decryption key at some point in the future.

[ren 0]

 

Hi GT500,

 

Hope you could help me my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

 

Thanks a lot..

[GT500 853]

5 hours ago, ren said:

Hi GT500,

Hope you could help me my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

Thanks a lot..

We would need the MAC addresses of the network devices on the infected computer as well. There's a batch file that can get them for you. Just download and open the ZIP archive at the following link:
https://www.gt500.org/emsisoft/MAC_Address_Batch_File.zip

After opening it, a folder will appear with a file named Get_MAC_Addresses. Just double-click on that file, and a black window will appear and disappear. Once that black window disappears, you will have a new file on your Desktop called MAC_Addresses. Just attach that "MAC_Addresses" file to a reply.

BTW: If you were using some sort of mobile WiFi/mobile broadband connection when your files were encrypted, then make sure it is at least connected to the computer when you run the "Get_MAC_Addresses" batch file.

[ren 0]

Here it is MAC: 30:9C:23:0D:68:F7

Thanks

[ren 0]

MAC_Address_Batch_File.zip

[GT500 853]

5 minutes ago, ren said:

Here it is MAC: 30:9C:23:0D:68:F7

Thanks

Only one MAC address? If you have more than one network adapter, and that's the wrong MAC address, then it more than likely won't be possible to figure out your decryption key.

Admittedly it's late enough that the odds of being able to figure out the decryption key are low to begin with, however there's still a small chance as long as we have the correct MAC address.

[ren 0]

 

I just reformatted my computer. Here it is, I tried it again.

Here it is MAC: 30:9C:23:0D:68:F7

my ID is 429OJXo8eV4ZIVr46lS1dPYqAvAG5iV9l4X41mdg

Get_MAC_Addresses.7z

 

Thanks a lot.

[GT500 853]

MAC addresses of network adapters don't change after reformatting, so that MAC address is the same as the one you sent before.

Did you run the batch file? You keep attaching the batch file to your replies, and not the "MAC_Addresses" file it saves on your Desktop.

[ren 0]

Yes I run the Get MAC address you sent me. It just opens then closes after.

 

 

[ren 0]

 

Here it is. from the notepad sir.

 

Connection Name Network Adapter Physical Address    Transport Name                                            
=============== =============== =================== ==========================================================
Ethernet        Realtek PCIe GB 30-9C-23-0D-68-F7   \Device\Tcpip_{1D4A9C9D-AD18-45DE-9A68-40F3D31B26E5}      
 

 

Thanks.

[GT500 853]

OK, thanks. I already sent your information to the creator of STOPDecrypter, so he's archived it in case he's able to figure out your decryption key in the future.

[GT500 853]

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

[mim 0]

My system got hacked.(.djvur) , what should i do to rescue my data
Please help me if there is a way to decrypt the files..
Thank you!

use to software
STOPDecrypter
[*] ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC (.djvur )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:24:1D:D1:EC:60
This info has also been logged to STOPDecrypter-log.txt
and
use to software
Emsisoft
Starting…

File: F:\parsa\09eaf3b6-dbcf-42ee-bdd0-5a244d16ee89.jpg.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: FFD8FFE000

[GT500 853]

1 hour ago, mim said:

File: F:\parsa\09eaf3b6-dbcf-42ee-bdd0-5a244d16ee89.jpg.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: FFD8FFE000

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

[mim 0]

On 4/9/2020 at 2:08 AM, mim said:

On 4/9/2020 at 3:49 AM, GT500 said:

 

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Hello . I upload the file pair via online submission. now
How to decrypt files؟

The answer is as follows:

Your file pair for ".JPG" files was processed.

Please note this will only allow the tool to decrypt files that match the following criteria:

• • Starts with the bytes: FFD8FFE169
• • Were encrypted with ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC

[GT500 853]

14 hours ago, mim said:

How to decrypt files؟

After uploading file pairs, just run the decrypter again, and it will use the keystream generated from your file pair to decrypt any files that have the same first 5 bytes:
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

[mim 0]

Hi, thank you for your guidance, but when I use the software  Emsisoft The answer is as follows:

Starting

File: F:\Camera\VID_20160427_185716.mp4.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: 0000001866

Edited April 15, 2020 by GT500
Removed empty quote.

[GT500 853]

18 hours ago, mim said:

File: F:\Camera\VID_20160427_185716.mp4.djvur
Unable to decrypt Old Variant ID: w5rW7tzhatWr9HBqR1hAR4YH5MEHskxZpZVxsvPC
First 5 bytes: 0000001866

That means you need to upload file pairs for that type of file.

When you upload a file pair, the decrypter can only decrypt other files that have the same first 5 bytes as the file you used for your file pair. Normally this means all files of the same type (such as all MP4 files or all ZIP archives), however there are some exceptions to this where not all files of the same type will begin with the same 5 bytes (JPEG/JPG images and TXT files are good examples).

[mim 0]

I'm sorry, whatever I do, the passwords will not be lost. Please check this example. ThankDSC_0030.JPG.djvur

[mim 0]

This is the software response

22.txt

[Ardian 0]

Hi! All my file in laptop does not open and  all the documents and image name take ".mpaj" in the end of name befor infected. 

I use this adress https://decrypter.emsisoft.com/submit/stopdjvu/    , but show me  Invalid file pair; file pair must be at least 150KB

I appreciate if you help.

[GT500 853]

10 hours ago, mim said:

I'm sorry, whatever I do, the passwords will not be lost. Please check this example. ThankDSC_0030.JPG.djvur

That's a JPG image, and those are going to be difficult. In order to decrypt them, you need to have different file pairs for every source of JPG images. For instance, JPG images from one camera should all need one file pair, whereas JPG images from another camera will require a different file pair.

[GT500 853]

10 hours ago, Ardian said:

Invalid file pair; file pair must be at least 150KB

That means the file you're trying to use for your file pair is too small. You'll need to pick a different file for your file pair.