Posted 08 May 2021 - 05:15 PM
You are dealing with a newer variant of STOP (Djvu) Ransomware as explained here by Amigo-A (Andrew Ivanov). Since switching to the new STOP Djvu variants (and the release of .gero) the malware developers have been consistent in using 4-letter extensions.
The .djvu* and newer variants will leave ransom notes named _openme.txt, _open_.txt or _readme.txt
Please read the first page (Post #1) of the STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Support Topic AND these FAQs for a summary of this infection, its variants, any updates and possible decryption solutions using the Emsisoft Decryptor.
In regards to new variants of STOP (Djvu) Ransomware...decryption of data requires an OFFLINE ID with corresponding private key. There no longer is an easy method to get a private key for many of these newer variants and no way to decrypt files if infected with an ONLINE KEY without paying the ransom (which is not recommended) and obtaining the private keys from the criminals who created the ransomware. Emsisoft can only get a private key for OFFLINE IDs AFTER a victim has PAID the ransom, receives a key and provides it to them.
If infected with an ONLINE KEY, decryption is impossible without the victim's specific private key. ONLINE KEYS are unique for each victim and randomly generated in a secure manner with unbreakable encryption. Emsisoft cannot help decrypt files encrypted with the ONLINE KEY due to the type of encryption used by the criminals and the fact that there is no way to gain access to the criminal's command server and retrieve this KEY.
ONLINE IDs for new STOP (Djvu) variants are not supported by the Emsisoft Decryptor.
- How to identify if infected with an OFFLINE or ONLINE KEY
The Emsisoft Decryptor will also tell you if your files are decryptable, whether you're dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is ONLINE or OFFLINE.
Emsisoft has obtained and uploaded to their server OFFLINE IDs for many (but not all) of the new STOP (Djvu) variants as noted in Post #9297 and elsewhere in the support topic.
** If there is no OFFLINE ID for the variant you are dealing with, we cannot help you unless a private key is retrieved and provided to Emsisoft. When and if the private key for any new variant is obtained it will be pushed to the Emsisoft server and automatically added to the decryptor. Thereafter, any files encrypted by the OFFLINE KEY for that variant can be recovered using the Emsisoft Decryptor.
For now, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for possible future recovery of a private key for an OFFLINE ID. There is no timetable for when or if a private key for an OFFLINE ID will be recovered and shared with Emsisoft and no announcement by Emsisoft when they are recovered due to victim confidentiality. That means victims should keep reading the support topic for updates or run the decryptor on a test sample of encrypted files every week or two to check if Emsisoft has been able to obtain and add the private key for the specific variant which encrypted your data.
** If an OFFLINE ID is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you most likely were encrypted by an ONLINE KEY and those files are not recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key. If infected with an ONLINE ID, the Emsisoft Decryptor will indicate this fact under the Results Tab and note the variant is impossible to decrypt.
You need to post any questions in the above support topic. If you have followed those instructions and need further assistance, then you still need to ask for help in that support topic.
If you need individual assistance ONLY with removing the malware infection (not decryption of your data), please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs Forum, NOT here, for assistance by the Malware Response Team.
Rather than have everyone with individual topics and to avoid unnecessary confusion, this topic is closed.
Thanks
The BC Staff