Emsisoft releases new decryptor for STOP Djvu ransomware

STOP Djvu Decryptor

While STOP (Djvu) may not be as well known as Ryuk and Sodinokibi, with 160 variants, more than 116,000 confirmed victims and an estimated total of 460,000 victims, it is by far the most active and widespread ransomware today. But there’s good news. We’ve just released a free decryption tool for it.

We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.

STOP is spread almost exclusively through key generators and cracks, which are tools that claim to enable people to activate paid software for free. Children and cash-strapped students commonly seek out these types of tools, which puts them at greater risk of encountering STOP and, by extension, their parents and anyone else who shares a device with them.

To make matters worse, some versions of STOP also bundle additional malware, such as password-stealing Trojans.

STOP djvu ID Ransomware submission heatmap

STOP Djvu ID Ransomware submission heatmap

 

Our free decryption tool helps victims to unlock their files without paying the ransom, and can be downloaded from the Emsisoft Decryption Tools page linked below.

Unfortunately, this tool will not work for every victim as it can only recover files encrypted by 148 of the 160 variants. We estimate that this will enable approximately 70% of victims to recover their data. For people affected by the remaining 12 variants, no solution currently exists and we are unable to offer further assistance at this point in time. We recommend that those who find themselves in this position archive the encrypted data in case a solution becomes available in the future.

Download the STOP Djvu Decryptor here

Emsisoft Decryptor for STOP Djvu

Emsisoft Decryptor for STOP Djvu

Note: A decryptor for STOP Puma is also available here

STOP ransomware variants

The STOP ransomware family covers over 160 currently known versions, with four main variants. Each variant has differing levels of decryptability:

Latest statistics

The data in our latest Ransomware Statistics report for Q2 and Q3 2019 shows that STOP accounts for more than half of all the ransomware submissions throughout the world.

top 10 ransomware

Top 10 ransomware submissions to ID Ransomware for Q2 & Q3 2019

 

Indonesia, India and the USA top the list of the most ransomware submissions and account for almost half of all submissions. Incidentally, Indonesia has one of the highest rates of software piracy in the world.

top 10 countries ransomware

Top 10 sources of ransomware submissions to ID Ransomware

 

The spread of STOP

STOP has spread rapidly the past year. In October 2018, it took the top spot and accounted for 54.3 percent of the top five ransomware strains detected by ID Ransomware. By October 2019, it retains its top spot and now accounts for 70.7 percent of the top five detections in the past 60 days (from the time of publication of this post).

STOP Djvu detection - Past 60 days to date

STOP Djvu detection – Past 60 days (at the time of publication)

STOP Djvu detection - Past year (at the time of publication)

STOP Djvu detection – Past year (at the time of publication)

 

Detections throughout the globe

STOP Djvu detection heatmap

STOP Djvu detection heatmap

STOP Djvu detection heatmap closer look

STOP Djvu detection heatmap closer look: Europe, Middle East, Africa and Asia

Technical details

STOP encrypts victim’s files with Salsa20, and appends one of dozens of extensions to filenames; for example, “.djvu”, “.rumba”, “.radman”, “.gero”, etc.

The ransom note “_readme.txt” contains the following text:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-sTWdbjk1AY
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
[redacted]

Successful decryption of STOP Djvu with the use of the Emsisoft STO Djvu decryptor

Successful decryption of files locked by STOP Djvu using the Emsisoft STOP Djvu decryptor

Community collaboration

Efforts to help STOP victims have truly been a community collaboration! The good people at Bleeping Computer, for one, have helped numerous STOP victims by guiding them through the decryption process, supplying offline keys and samples and more.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Because of the very large number of people affected by STOP, we’re unable to provide one-on-one support for this tool. If you need help using the decryptor, please visit the STOP support topic at Bleeping Computer. The community members will be happy to provide assistance and we offer big, big thanks for their help.

Download the STOP Djvu Decryptor here

And a decryptor for STOP Puma is also available here

Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next