DJVU Virus (Ransomware) - How to remove

DJVU Ransomware (also known as STOP ransomware) is a relatively new parasite family — a big group of cryptoviruses, each of which has a unique extension that they append to the name of the files that they affect. Names like .kroput, .gero, .nasoh, .dodoc, .vesad, .drume, and many others all belong to DJVU.

These viruses disable your security program and use cryptography to break any files they can. They leave behind a ransom note that asks you to send money in exchange for getting your files fixed — this is why some call ransomware “cyber extortion”: it’s criminal and, if you have an opportunity to alert cyber crime authorities in your country about this, it might be worth doing, considering that the ransomware threat seems to be growing.

The viruses are distributed through infected email attachments, non-genuine software downloads, and system vulnerabilities. Theoretically, they are dangerous to anyone — people and small businesses. However, DJVU seems to mostly harm individuals who can’t afford to pay the ransom money that the criminals ask for. That might be why this ransomware family isn’t as famous as the other ones, like GandCrab or NotPetya — the victims of DJVU don’t lose thousands of dollars of profit like businesses attacked by ransomware do. But people do lose personal photos, years of unique projects, hobbies, work files that can cost them their job, unique files that they can’t get back.

There are a lot of ways to protect oneself against ransomware, such as installing security updates as soon as possible, scanning every downloaded file before opening it, and using complex passwords to protect every account. But the single surest protection is secure file backups — even if ransomware infects your system, you can remove it and restore your data from backups.

A short description of DJVU traits and solutions:

Symptoms of a DJVU infection	Files do not open. A note called “_openme” or “_readme” is left in your folders. File names are changed, a new extension appended. Some websites are blocked. Previously installed software does not function properly. Social media accounts getting hacked.
Harm that a DJVU virus can do	The locked files being lost permanently. Online credentials being stolen. Money lost to the hackers (if you pay the ransom).
Distribution of the ransomware	File attachments and download links in spam emails. Installed thanks to poorly secured remote access software. Hidden in non-genuine, cracked, fake software available through P2P filesharing and “free” downloads. Available as fake software on spoofed download sites.
Solutions	Restore System, if possible. Remove all malware (Spyhunter, Malwarebytes). Restore the files from a backup, if possible. Use Shadow Volume Copies to restore the files, if possible. Use Data Recovery software. Run STOPDecrypter on your files.

How DJVU spreads

DJVU viruses primarily use three ways to infect computers that are described below. This might change in the future, but right now, pirated files seem to be the single most popular way for victims to get infected.

If your email provider does not scan attached files from malware, you might see emails with various “invoices”, “offers” or information about DHL/FedEx parcels that could not be delivered to your address. The headers of such emails are forged, that is they are not sent by owners of the emails they look to be from. If you open such files, your PC gets infected and thus files get encrypted. This is done in the background, as it is not an extremely fast process. In the majority of cases, the computer infected does not have up-to-date antivirus, which could prevent such infections from happening. There are many anti-ransomware tools that can detect the beginning of encryption too and block the process.

Another possibility is connecting to unprotected computer networks infected with worms. Even if this way was used by Wannacry parasite, other ransomware including DJVU use various exploits or try to brute-force passwords through network too. If you use Remote Desktop or other remote access software, don’t protect the connection from unapproved people, and have a weak username and password, then any criminals could try to connect to your computer using that connection and install malware that way.

The third possibility is the various crack sites. DJVU (for example, .tro and .churk variants, among many) are known to be distributed through KMSpico crack tool for Windows. If you install and try to crack Microsoft Office, Photoshop, and other expensive programs, you risk being infected. If you carelessly download an application but don’t notice that it’s hosted on a spoofed website, you also risk downloading a virus. If you want to avoid paying for software, it is better to use free alternatives, for example, Libre Office, Linux, etc.

How to identify DJVU malware family

The first DJVU ransom campaign was launched on mid-December 2018, and several fresh versions of this malware were launched afterward. They differ in extensions, information file, and emails for contacting the malware makers used, however, the ransom note remains mostly the same:

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.

——————————————————————————————————-

To get this software you need write on our e-mail:
…

Reserve e-mail address to contact us:
…

Your personal ID:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The first part of the email name is usually the same for both emails and once closed new version of DJVU is released with the changes in notes.

The original DJVU ransomware used the name .djvu (or versions of it) in encrypted file extensions (hence the name of the parasite family). Some different spellings exist: .djvuu, .djvuq, .udjvu, .djvut, .djvus, etc… Later versions use various other extensions like .charck.

The removal instructions are left in the file named _openme.txt or _readme.txt

How and what is encrypted by DJVU

On execution, DJVU malware contacts control server with information about the machine and download the public keys to encrypt the machine. Then it starts displaying a fake Windows Update popup to justify significant computer disk usage. Additionally, it might create a scheduled task to encrypt additional files added later on — such as every five minutes.

This malware tries to encrypt all the files one would hate to lose : documents (.doc*, .odt, etc.), images (.jpg, .png, .gif), videos (.mp4, .wma), archives (.rar, .zip, etc). It might also encrypt important files, including crypto wallet ones. This is done to force you into paying for decryption, which might cost between 500 to 1000 USD in some cryptocurrency, typically Bitcoins.

As if that wasn’t enough, new variants of DJVU install a password stealer called AZORult, which can leak data like credentials for crypto wallets, social media accounts, and online banking logins. This data can be used later to rob the victim or use their account to spread malware on social media.

Typically, ransomware like DJVU uses both symmetric and asymmetric encryption algorithms to encrypt all the files on hard drive. The files are encrypted using a machine-specific key first and fast algorithm. Afterward, the encryption key is encrypted itself using Asymmetric algorithm and sent to the malware makers. More about this can be read in Thus it is nearly impossible to recover the infected files if information about private keys has been leaked. However, sometimes malware makers make mistakes and some versions of DJVU ransomware can be decrypted.

Should you pay for DJVU decryption

Generally, you should not pay for malware makers, as it helps them create more ransomware. Some of the malware makers can decrypt a single file for free to prove that the decryption process works, so you might be able to get a single file back from the extortionists for free. Additionally, there are decryption tools that can decrypt some versions of DJVU ransomware independently of the criminals, like StopDecrypter. Note, that it won’t work for all malware of this family, or for all files of any supported type. E.g. it should handle the files named .djvu* and other older versions, but the criminals have improved their virus since then. There’s this Emsisoft decrypter. It only works for variants of Djvu that are older, does not apply for a few select variants, and it needs you to have pairs of encrypted and unencrypted files to submit. This decrypter might not work for the newer Djvu ransomware variants, like Bora and Leto, because these later variants of Djvu work differently. Still, it’s worth trying.

If you plan to pay for decryption, take care: plenty of infections include functions targeting your crypto wallets. Thus it is critical to clean your PC from keyloggers, Cryptojackers (software that hijacks transfer addresses) and banking trojans before doing any operation with your money. Backup the ransom message and scan the computer with Spyhunter or Malwarebytes.

Before doing anything to the encrypted files, create copies of the most important ones so that they aren’t accidentally corrupted. Not all creators of ransomware can decrypt files as effectively as they encrypt them; errors, technical difficulties, and miscommunication accidents plague dealings with cyber extortionists.

How to remove DJVU infection and try to recover files yourself

Note: This process will remove the DJVU infection from your PC. However, it is not always possible to recover the files without paying. Also, for ransomware, it is important to back up your machines unique key (from the ransom note) or you won’t be able to recover files if something goes wrong.

If you can’t access Downloads in this guide, I recommend checking hosts file on the infected machine using our guide and deleting unnecessary lines. Some versions of DJVU (distributed through cracks) block security-related sites to prevent removal.

Important -- edit the hosts file to unblock security websites

TL DR : The hosts file is edited to block security sites Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). That is the reason the majority of security websites is inaccessible when infected with this particular parasite. This infection edits this file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.

Find and edit the hosts file

The hosts file can be found on C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.

1. In the Start Menu, search for Control Panel.
2. In the Control Panel, find Appearance and Personalization.
3. Select Folder Options.
4. Open the View tab.
5. Open Advanced settings.
6. Select "Show hidden files...".
7. Select OK.

Open this file with administrator privileges.

1. Open the Start Menu and enter "notepad".
2. When Notepad shows up in the result, right-click on it.
3. In the menu, choose "Run as administrator"
4. File->Open and browse for the hosts file.

The hosts file should look like this: Delete additional lines that they connect various domain names to the wrong IP address. Save the file.

Download and run the antivirus program

After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware. Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/).

Automatic Malware removal tools

How to recover Churk ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before DJVU Virus (Ransomware) has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Stopransom ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Churk ransomware. You can check other tools here.  

Step 3. Restore DJVU Virus (Ransomware) affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Stopransom ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Churk ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.