Media_Repair will attempt to repair files encrypted by STOP/DJVU ransomware variants by making the non-encrypted part of the file playable again. Media_Repair does not decrypt files. Media_Repair currently supports following file types:
* reference file required
For most file types Media_Repair requires a reference file: This is an INTACT file created on the same device or using the same software. Ideally this reference file matches the settings that were used to create the ‘patient’ file as closely as possible. Media_Repair is the ONLY tool the authoritative STOP/DJVU Decrypter FAQ vets for in case decryption fails or isn’t possible.
Media_Repair can not repair all files! Video that was optimized for internet streaming (fast start) can not be repaired at this time!
Due to limited testing (I have only so much STOP/DJVU affected files), current version should be considered beta!
See bottom page for FAQ and known issues. Before asking please check if it’s about anything that is addressed in the FAQ or known issue section. Thank you!
What about JPEG?
I am asked a lot if I can add JPEG, and the answer is no. Due to how JPEG is encoded, basically data depends on previous data, automated repair isn’t possible. As the start of the JPEG data is lost, the data we do have is a continuation of this lost data. Repair is possible to some degree, but it requires the human eye. My generic JPEG Repair software can help you repair JPEGs affected by STOP/DJVU, but it’s manual process and has to be done file by file. This video shows an example repair using JPEG-Repair. JPEG-Repair is shareware (not free).
Now browse to folder containing your STOP/DJVU encrypted or the reference file. You can either use a patient file or reference file to test if this particular video type can be repaired by Media_Repair or not.
– Click to verify selected video file is candidate for repair. You can either use the reference file or a corrupt file. If Media_Repair reports it can try repairing the file it is not a guarantee the file will actually be repaired. If it can be repaired depends in several factors such as the reference file being a good match and the size of the patient file. If it tells you it can not repair the file though it’s pretty much a guarantee the repair will fail.
Once you have confirmed your video files are candidates for repair, and you have selected a reference file, browse to the folder containing the patient file(s).
This video shows a short instruction too:
These may look like open doors waiting to be kicked, but it is really the type of questions I receive. Please use common sense; if the file type requires a reference file and you don’t have one, there is nothing I can do about that.
I do not have a reference file!
I can not help with that. If affected files were shot with device X or created by software Y, try creating a reference file.
I don’t know the settings used to create the corrupt file!
Neither do I. Experiment with different settings. Create different reference files and try.
Repair fails, now what?
Probably there’s not a whole lot I can do. If you want me to look into it send me ONE corrupt file and the reference file. Also limiting myself to video repair, I have been able to repair STOP / DJVU encrypted video files using Stellar Video Repair and Digital_Video_Repair. There are some drawbacks though. Digital Video Repair repairs file by file, you can’t do batch repair. The Stellar software can batch, however it will initially fail and then prompt for a reference file. Using the reference file I was able to repair STOP/DJVU encrypted videos.
Will you support this file type in the future?
Can’t tell. As simple as the tool may look, a lot of research goes into each file type supported.
Tool says I can not repair the video created by this device! What can I do?
Let me explain the origin of this problem. A video file consists of various parts called ‘atoms’. The tool needs the ‘moov atom’ to be present in the corrupt file. This atom is like an index that is pointing to chunks of actual encoded video data. According to the MP4 specs, this atom can be anywhere within the MP4 file. If it’s close to the start of the file, which it sometimes is when the video is optimized for web streaming (fast-start) it will be encrypted by the ransomware. Media_Repair requires the moov atom and can not work with the encrypted moov atom.
If we break MP4 (and MOV, 3GP etc. also) to it’s simplest form we need an ‘ftyp atom’ (the header), an ‘mdat atom’ (the video and audio data) and a ‘moov atom’ (the index).
The moov atom contains absolute offsets to movie ‘chunks’, so while recording, what you normally see is chunks keep being added while the atom is being updated As such the moov atom keeps growing so the mdat atom would need to be moved all the time. And as the mdat is moved, the entire moov atom would require updating to reflect the move of mdat. So normally order is ftyp – mdat – moov.
However, top optimize MP4 video for the web, certain tools place the moov atom before the mdat to accommodate faster indexing of the file. So order is now ftyp – moov – mdat. Since ftyp is small, STOP/DJVU ransomware overwrites or better said, encrypts the moov atom in this case.
Part of the video / audio is missing in repaired file!
Indeed. It is missing as the encrypted portion of a file can not be recovered. So repair isn’t ideal.
Does it work if my files were encrypted with an ONLINE key?
Online key, offline, it does not matter because the software does not decrypt files. It tried to repair the non-encrypted part of the file.
Does it work with extension .abcd or .efgh (whatever extension)?
Yes. As long as it is a STOP/DJVU variant. The tool does not care about the exact variant or extension.
06/23/2020 Repair will fail with large video files. I was too focused on the method and layout of these files and testing is easier on smaller files. I simply overlooked larger files and the issues that accompany them. I am working on a fix.
Media_Repair is the result of a mutual effort
Nguyễn Vũ Hà – Research
Joep van Steen – Research, programming