Jump to content

.msop ransomware


Recommended Posts

Hello @Ramesh Vashishth,

Thank you for contacting Emsisoft Support.

That file extension belongs to the STOP/DJVU (New Variant) family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that private encryption key can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the STOP/DJVU (New Variant) family of ransomware.

General Notes With Regards to STOP/DJVU


  1. Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
  2. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
  3. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
  4. If your files have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.  Our ability to add private encryption keys for Online IDs depends entirely on law enforcement agencies arresting the criminals and releasing their database of private keys for inclusion in decryption tools.
  5. If your files have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way to generate your decryption key.  When we do get a hold of an encryption key matching an Offline ID it will be added to our database of Private Encryption Keys.
  6. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
  7. New Variant STOP/DJVU utilizes both the RSA and Salsa20 encryption algorithms.  Both RSA and Salsa20 are considered secure encryption methods and are unbreakable using current technologies. They are not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.


To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

Link to comment
Share on other sites

  • 2 weeks later...
On 3/9/2020 at 3:42 AM, Mustafa Eliaçık said:

ıs it possible that online coded files will be decoded in the future?

In theory it's possible that the private keys may some day be made publicly available, such as if law enforcement gains access to the servers operated by the criminals.

Link to comment
Share on other sites

  • 3 weeks later...
17 hours ago, Hasonline said:

When any solution is found in the future. can you publish on this site. I beleive it some day you can found a solution. 

If we do manage to get our hands on private keys for STOP/Djvu, it wouldn't be feasible for us to notify everyone about it (there are thousands of victims). My recommendation is to subscribe to BleepingComputer's newsfeed, as they will usually report on things like that.

BleepingCOmputer homepage:

BleepingComputer RSS feed:

Link to comment
Share on other sites

  • 1 month later...

Hi emisoft , 

my files are decrypted with .msop.

Could you please check and tell if there is any chance to recover it. below is the id 

Your personal ID:


Thanks in advance..

Link to comment
Share on other sites

  • 6 months later...
10 hours ago, santiago plata said:

i have been infected by stop djvu .msop ransomware virus
this is the ID: 0188yTllsdFOq4cEqSS2jkIXF3hnarlB88Jk6eFsJa5TTIqbKz

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:


Link to comment
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...