Lucky day for all DJVU ransomware victims – free decryption is availableDecryption rulesBeware of the Azorult Trojan bundled with the ransomwareDecryptable versions list

According to Emsisoft, the ransomware encryption was broken by attacking the keystream using side-channel. To clarify, it is the first-ever used method to break ransomware encryption and help victims recover their files on a global scale. The security firm forecasts that STOP Decryption tool will help approximately 70% of ransomware victims restore their files for free. Unfortunately, for the remaining 12 variants of the ransomware (which mostly emerged at the end of August 2019), no decryption solutions are found. Victims of these versions are advised to backup their files and wait. Emsisoft reports that there are 116,000 confirmed DJVU ransomware victims and it is believed that the real number of victims is nearly half a million.

Decryption rules

STOP/DJVU Decryptor can recover files using OFFLINE keys obtained by the malware researchers, or using encrypted+original file pairs submitted to Emsisoft’s server. In addition, these files must be over 150KB. Unfortunately, ransomware variants which were pushed at the end of August 2019 (the new variants) cannot be decrypted at a time. Victims of these versions should backup the encoded data and hope for the best.

Beware of the Azorult Trojan bundled with the ransomware

This ransomware strain is known to bundle Azorult Trojan alongside it, which, once installed on the target system, starts stealing private data from the computer. Data that it steals mainly consists of logins, passwords, and other private information. It can be later used to empty victim’s bank accounts or be sold on the dark web. Victims infected by STOP variants such as Bora, Reco, Noos, Nesa and others should first remove DJVU ransomware along with Azorult password-stealing trojan and then focus on data decryption.

Decryptable versions list

STOP/DJVU Decryptor can restore files locked by OFFLINE keys, and, if you’re lucky, ONLINE keys too. Check the extensions list below for all supported ransomware extensions. .bora, .reco, .kuub, noos, .nesa, .karl, .kvag, .moka, .shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .godes, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovat, .roland, .refols, .grovas, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .rezuc, .stone, .skymap, .mogera, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .herad, .berosuce, .lokas, .budak, .vusad, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peka, .puma, .pumax, .pumas, .DATAWAIT, .INFOWAIT. If you are one of the people who were hit by this malicious file-encrypting virus, check the guide on how to decrypt STOP/DJVU encrypted files.