Media_Repair, file repair for STOP/DJVU (MP3, MP4, 3GP)

Media_Repair description

This is the best. very small in size but delivers better than Wondershare video repair or Stellar video repair. Thank you very much. – Youtube

Freeware video repair / audio repair. Media_Repair will attempt to repair files encrypted by STOP/DJVU ransomware variants by making the non-encrypted part of the file playable again. Media_Repair does not decrypt files. Media_Repair currently supports following video and audio file types:

  • WAV*
  • MP3
  • MP4*
  • M4V*
  • MOV*
  • 3GP*

* reference file required

For most file types Media_Repair requires a reference file: This is an INTACT file created on the same device or using the same software. Ideally this reference file matches the settings that were used to create the ‘patient’ file as closely as possible. Media_Repair is the ONLY tool the authoritative STOP/DJVU Decrypter FAQ vets for in case decryption fails or isn’t possible.

Media_Repair can not repair all files! Video that was optimized for internet streaming (fast start) can not be repaired at this time!

Due to limited testing (I have only so many STOP/DJVU affected files), current version should be considered beta!

See bottom page for FAQ and known issues. Before asking please check if it’s about anything that is addressed in the FAQ or known issue section. Thank you!

What about JPEG?

I am asked a lot if I can add JPEG, and the answer is no. Due to how JPEG is encoded, basically data depends on previous data, automated repair isn’t possible. As the start of the JPEG data is lost, the data we do have is a continuation of this lost data. Repair is possible to some degree, but it requires the human eye. My generic JPEG Repair software can help you repair JPEGs affected by STOP/DJVU, but it’s manual process and has to be done file by file. Example repair using JPEG-Repair. JPEG-Repair is shareware (not free):

Alternatively you can scan the drive using JpegDigger. STOP/DJVU (all variants) open victim file > encrypt data > save encrypted data to new file > delete original file. Depending on specific circumstances some of those original files may be recoverable. JpegDigger users reported success rates upto 20-30% of original JPEGs recovered. JpegDigger also scans for NEF (Nikon), CR2 (Canon), ORF (Olympus), RW2 (Panasonic-Lumix), ARW (Sony), DNG (from a Leica Q2), Canon CR3 and Fuji RAF and extracts JPEGs from them. The RAW photos, seen their size have a high chance of being at least partially overwritten so recovery of the entire original file is very unlikely.

Using Media_Repair

Use drop down box to select a file type.

Now browse to folder containing your STOP/DJVU encrypted or the reference file. You can either use a patient file or reference file to test if this particular video type can be repaired by Media_Repair or not.

Click to verify selected video file is candidate for repair. You can either use the reference file or a corrupt file. If Media_Repair reports it can try repairing the file it is not a guarantee the file will actually be repaired. If it can be repaired depends in several factors such as the reference file being a good match and the size of the patient file. If it tells you it can not repair the file though it’s pretty much a guarantee the repair will fail.

In case Media_Repair tells you “I can not repair this file”, I may still be able to repair your video manually but this is not a free service.

Click to make the currently selected file, reference file that will be used to repair affected file(s).

Once you have confirmed your video files are candidates for repair, and you have selected a reference file, browse to the folder containing the patient file(s).

Click to start repair.

Click to cancel repair.

This video shows a short instruction too:

F.A.Q.

These may look like open doors waiting to be kicked, but it is really the type of questions I receive. Please use common sense; if the file type requires a reference file and you don’t have one, there is nothing I can do about that.

It does not work! Are there alternatives?

Yes, though not free. I have had luck with repairing various videos using Wondershare Video Repair. It is NOT free but the trial can play 30 seconds of video if successfully repaired. You can download the trial version here. In my tests it went like this:

  • First you need to rename the encrypted files. If your encypted file’s name is for example myvideo.mp4.lokd then you need to remove the ‘lokd’ extension.
  • First attempt will fail but the tool now allows you to select a reference file.
  • Pick an intact video shot with the same camera. If you need to repair more videos from the same camera tick the box ‘use this for all files’.
  • Repair the videos. Trial allows you to play the first 30 seconds to check the repaired file.

I do not have a reference file!

I can not help with that. If affected files were shot with device X or created by software Y, try creating a reference file.

I don’t know the settings used to create the corrupt file!

Neither do I. Experiment with different settings. Create different reference files and try.

Repair fails, now what?

Probably there’s not a whole lot I can do. If you want me to look into it send me ONE corrupt file and the reference file. Also limiting myself to video repair, I have been able to repair STOP / DJVU encrypted video files using Stellar Video Repair and Digital_Video_Repair. There are some drawbacks though. Digital Video Repair repairs file by file, you can’t do batch repair. The Stellar software can batch, however it will initially fail and then prompt for a reference file. Using the reference file I was able to repair STOP/DJVU encrypted videos.

Will you support this file type in the future?

Can’t tell. As simple as the tool may look, a lot of research goes into each file type supported.

Tool says I can not repair the video created by this device! What can I do?

Let me explain the origin of this problem. A video file consists of various parts called ‘atoms’. The tool needs the ‘moov atom’ to be present in the corrupt file. This atom is like an index that is pointing to chunks of actual encoded video data. According to the MP4 specs, this atom can be anywhere within the MP4 file. If it’s close to the start of the file, which it sometimes is when the video is optimized for web streaming (fast-start) it will be encrypted by the ransomware. Media_Repair requires the moov atom and can not work with the encrypted moov atom.

If we break MP4 (and MOV, 3GP etc. also) into it’s simplest form we need an ‘ftyp atom’ (the header), an ‘mdat atom’ (the video and audio data) and a ‘moov atom’ (the index).

The moov atom contains absolute offsets to movie ‘chunks’, so while recording, what you normally see is chunks keep being added while the atom is being updated As such the moov atom keeps growing so the mdat atom would need to be moved all the time. And as the mdat is moved, the entire moov atom would require updating to reflect the move of mdat. So normally order is ftyp – mdat – moov.

However, to optimize MP4 video for the web, certain tools place the moov atom before the mdat to accommodate faster indexing of the file. So order is now ftyp – moov – mdat. Since ftyp is small, STOP/DJVU ransomware overwrites or better said, encrypts the moov atom in this case.

Bottom line is, that Media_Repair can not repair these. No use in sending these to me, unless you want me to repair them manually. In which case I will quote you a price per file.

Part of the video / audio is missing in repaired file!

Indeed. It is missing as the encrypted portion of a file can not be recovered. So repair isn’t ideal.

Does it work if my files were encrypted with an ONLINE key?

Online key, offline, it does not matter because the software does not decrypt files. It tries to repair the non-encrypted part of the file. The key is only relevant for decryption, it’s about the location of the key. Again, Media_Repair does not decrypt the file, so it does not need this key and doesn’t care whether it is online or offline.

Does it work with extension .abcd or .efgh (whatever extension)?

Yes. As long as it is a STOP/DJVU variant. The tool does not care about the exact variant or extension. Do not ask me if you have some newly discovered .abcd extension, just try it.

 

Known issues

06/23/2020 Repair will fail with large video files. I was too focused on the method and layout of these files and testing is easier on smaller files. I simply overlooked larger files and the issues that accompany them. I am working on a fix.

Acknowledgements

Media_Repair is the result of a mutual effort

Nguyễn Vũ Hà – Research
Joep van Steen – Research, programming

 

34 thoughts on “Media_Repair, file repair for STOP/DJVU (MP3, MP4, 3GP)

  1. Hien

    vạnhien771354@gmail.com
    Hi all, I decrypt extension .eiur with file .mp3 is ok, how can I know what algorithm DJVU using for another file .doc, or pdf, excel …. Can you share it ??
    I want to decrypt other file ex: . doc, excel v.vv….

    Reply
    1. Joep Post author

      Media_Repair does not decrypt, it makes non encrypted part playable. The ‘algorithm’ of this ransomware is simple, it only encrypts first 150 KB of a file.

      Reply
    1. Joep Post author

      No idea. I’d need to see, if you could share a corrupt + an intact one with me.

      Reply
  2. mansour

    bonjour a tous
    j’ai été frapper par le virus .rigd
    ma clé ID ne se termine pas par t1
    j’ai des fichiers flac jpeg act…… qui sont cryptés par l’extension .rigd
    je pense que j’ai été frapper par le virus rigd en ligne
    s’il vous plait comment faire
    merci

    Reply
  3. Longman

    even if the test said failed ,i went on to try and it worked on my mp3s, thanks bro, YOU ARE THE GOAT!

    Reply
    1. Joep Post author

      Yes, sorry, test only works for MP4 and other similarly structured files too I think (3GP, MOV, M4V).

      Reply
  4. Edison

    Hi joep , I have tried and recovered some of mp3 files. Media_repair is an amazing tool. Thanks you very much.
    If there is a solution to recover “.mkv” file (which is a video file ) and “.blend” file ( blender file) it would be really great.
    Thanks a ton. Really appreciate the effort you put in for the “Media_repair”.

    Reply
    1. Joep Post author

      I have never studies those files therefor don’t know if it’s even possible. Thing is, compressed video data or JPEG data turns out to be usable, viewable and playable even if we have only part of the data. I think this does not go for simply any file type. Then if we determine partial data is still useful, we need to study the header and learn how we glue a valid header and partial data together. If you find that something like WonderShare video repair can do this for MKV files, probably I can add it too.

      Reply
  5. maka

    Thank you a lot for providing this tool. It has lessened the extent of loss i have encountered due to this horrible ransomware. I have recovered my mp3 files. However i also have a huge chunk of m4a audio files recorded with my phone. Is there any chance that i can repair those in future using this tool?

    Reply
    1. Joep Post author

      If I am not mistaken they have similar structure as MP4. If you can send me one or 2 + an intact reference file I can look into it.

      Reply
      1. maka

        Hie Joep. I’ve put a link below to the infected m4a files and two intact reference files. I hope it will do. I researched a bit on how mp4 files can be repaired, manually, and it worked for some video files i had recently downloaded but it didn’t work for some playlists. Your article describing the structure of mp4 files, the header files and moov atom making up the mp4 file format really gave me a headache, casts doubts on ever repairing the remaining videos. The method I was using was to download part files of the videos using ‘youtube dl’ – I later realised that the same file has a different size and possibly codecs if I used other downloaders like IDM or YTD. I remember using YTD to download some playlists but when I tried downloading the same playlist again, the file sizes had changed. I tried using a part file of a files that I downloaded recently to repair a video of the same name I downloaded years ago – it did not work, probably because of codec mismatch. My problem now is, will I be able to fix my videos? How will I know which codecs were used for those old videos? Even if I do, will that get me anywhere? My tutorials are more than 50GB, can’t afford to re-download, because I was using school wifi back then? I’m stuck.

        https://drive.google.com/drive/folders/1wDlyGzEPKE5vW2dZ1u6rfsu4y5Oi738S?usp=sharing

        Reply
  6. walterjunior

    ola my aquivos were encrypted with the extension .cuag know if there is a way to decrypt ?
    todos os meus arquivos foram renomeador e cripitografados por .cuag

    Reply
    1. Joep Post author

      Hello,

      Well, did you read any of the info on this page? Did you try the tools it refers to?

      Reply
  7. datnguyen8128

    Hello,
    I was struck by the .miia variant 4 days ago and the tool worked really well when I try to repair my small Windows Phone MP4s but failed to repair larger files (presumably >500MB but some of them were still repaired). Is there any fix out for this yet? Also JPEG-Repair didn’t work at all when I try to repair my jpegs with the reference file taken from the same camera. It can’t output any bitmap file. I will send those files if necessary.

    Reply
    1. Joep Post author

      Media_Repair will fail on larger files. Commercial tools like WonderShare Video Repair or Stellar Video Repair may be able to help (repair will fail initially, you can then add a reference fie. Worked on files I tried).

      JPEG Repair demo may not work depending on how many file reloads are needed.

      Reply
  8. allan

    hey the tool worked very well i would like if there is one that can help with excel and word document files i was attacked with a “.iisa”

    Reply
    1. Joep Post author

      Hello,

      No sorry. Since XLSX is wrapped in a ZIP container I have read about people having had some luck using 7ZIP, but I am not aware of exact procedure. Seems to me you’d have to glue on a valid ‘ZIP header’ first.

      Reply
  9. saeed

    Hello
    Is there any program like Media_Repair for PDF files and .txt files (made by Notepad) that you know about? for repairing PDF and .txt files that was decrypted by STOP(DJVU) ransomware and the variant lisa (extension added .iisa).
    I really appreciate it if you could help me find a repair tool for these two file types or give me instructions to repair them. I removed the .iisa extension and simply tried to open them with PDF readers and Notepad, But sadly it didn’t work. If you need additional info, just tell me.
    thanks

    Reply
    1. Joep Post author

      You mean ZIP? I can see, send me a at least 1 MB sized corrupt file and one healthy one that’s zipped with the same tool.

      Reply

Leave a Reply to Hien Cancel reply

Your email address will not be published.