Like most ransomware, STOP/DJVU encrypts files to make them inaccessible. After you pay the ransom (in bitcoins), the attackers send the tools and information needed to decrypt your files and make them accessible again. The encryption is very hard to ‘break’, but ransomware researchers every now and then succeed in creating decryption software. Sometimes decryption keys ‘leak’, or the malware researchers are able to find weak spots in the ransomware which they can exploit.
Encrypting files takes time. The larger a file is, the more time is needed to encrypt it. However, to be able to spread more rapidly, STOP/DJVU opts to encrypt only a portion of each file. Partial encryption allows the ransomware to work through your system faster.
My files are encrypted by ransomware, now what?
This page will not help you get rid of ransomware; the focus is getting data back or making data accessible. To find out how to get rid of ransomware, the various AV software vendors offer explanations and tools for that.
To try and recover data it’s not necessary, or even desirable, to change anything on the drive the encrypted data is on. Ideally you attach the drive to a clean system, and refrain from running/executing anything from the patient drive.
Ideally you treat this as a data recovery type scenario. This implies you first create a sector-by-sector copy or disk image of the patient drive.
With regards to recovery: concentrate on user files and data: your documents, photos, videos etc. The operating system and software can be reinstalled, so there’s no use in decrypting or trying to recover those.
Ideally a decryptor is available
To find out which ransomware you’re dealing with, and IF a decryptor is available, I suggest using this website: https://id-ransomware.malwarehunterteam.com/. Upload a sample and the website will try to determine the precise ransomware, and if a decryptor is available it will point you to it. IMO, the decryptors pointed to by this website are the only ones you should trust!
Do NOT trust any decryption software or services as offered for example in Facebook ransomware support groups or in other forums. All the ones I checked out were scams!
No decryptor, what are my options?
- Wait. First thing you can do is keep the drive containing the encrypted data in a safe place and wait for a decryptor to become available. There is however no guarantee this will ever happen.
- Shadow copies. Note that most ‘modern’ ransomware will erase those, but it’s still worth a try. Use for example: https://www.nirsoft.net/utils/shadow_copy_view.html. Note about the Nirsoft website: tools on this website may trigger your AV software. I’m 100% certain these are false positives. Read https://www.nirsoft.net/false_positive_report.html for more info. The same happens to my own tools frequently too.
- File Recovery. Ransomware frequently operates like this: open original file and read contents > encrypt data > save encrypted data to new file > delete original file. This means the deleted original file is potentially recoverable. Examples of file recovery tools used by professional data recovery technicians are ReclaiMe, R-Studio, UFS Explorer and DMDE. ReclaiMe is probably the easiest to use, DMDE the most affordable one.
- File Repair. As STOP/DJVU variants in particular only encrypt part of the file, some file types allow for partial repair. My own software JPEG Repair can repair JPEGs and extract JPEGs from RAW files; some example repairs are here: https://www.youtube.com/playlist?list=PLSL85pYTZnmvSGGzl-FujiVaV2-aohEoI. I am working on a utility of my own that can repair various file types. Also I have been able to repair STOP/DJVU encrypted video files using Stellar Video Repair and Digital_Video_Repair.
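The read > encrypt > save-new > delete-original sequence from the File Recovery item above is also something a defender can look for in file-activity records, and it is the reason the original’s clusters are usually still on disk for a recovery tool to find. The following is an added illustration, not code from this page or from any product: the record format, the process names and the `.locked` extension are all made up, and the assumption that the new file’s name extends the original’s name is mine.

```python
"""Spot the read-original / create-new-file / delete-original sequence in
file-activity records, grouped by process.  Added illustration: the record
format and process names are constructed, not taken from any product's logs."""
from collections import defaultdict

# Constructed file-activity records: (sequence number, process, operation, path).
# proc_4471 rewrites user files under a new extension and removes the originals;
# proc_2210 edits a file normally (writes in place, deletes nothing).
EVENTS = [
    (1,  "proc_4471", "read",   r"C:\Users\amy\Documents\budget.xlsx"),
    (2,  "proc_4471", "create", r"C:\Users\amy\Documents\budget.xlsx.locked"),
    (3,  "proc_4471", "delete", r"C:\Users\amy\Documents\budget.xlsx"),
    (4,  "proc_2210", "read",   r"C:\Users\amy\Documents\notes.txt"),
    (5,  "proc_2210", "write",  r"C:\Users\amy\Documents\notes.txt"),
    (6,  "proc_4471", "read",   r"C:\Users\amy\Pictures\holiday.jpg"),
    (7,  "proc_4471", "create", r"C:\Users\amy\Pictures\holiday.jpg.locked"),
    (8,  "proc_4471", "delete", r"C:\Users\amy\Pictures\holiday.jpg"),
    (9,  "proc_4471", "read",   r"C:\Users\amy\Pictures\cat.jpg"),
    (10, "proc_4471", "create", r"C:\Users\amy\Pictures\cat.jpg.locked"),
    (11, "proc_4471", "delete", r"C:\Users\amy\Pictures\cat.jpg"),
]


def rewrite_then_delete(events):
    """Per process, list (original, replacement) pairs where the original was
    read, a new file whose name extends the original's was created afterwards
    (assumption: the ransomware appends an extension), and the original was
    then deleted.  The deleted original is the file-recovery candidate."""
    by_proc = defaultdict(list)
    for seq, proc, op, path in sorted(events):
        by_proc[proc].append((seq, op, path))

    hits = defaultdict(list)
    for proc, ops in by_proc.items():
        reads = {}    # path -> sequence number of the most recent read
        created = {}  # path -> sequence number of the create
        for seq, op, path in ops:
            if op == "read":
                reads[path] = seq
            elif op == "create":
                created[path] = seq
            elif op == "delete" and path in reads:
                # a file created between the read and the delete whose name
                # starts with the original's name completes the pattern
                for new_path, cseq in created.items():
                    if new_path != path and new_path.startswith(path) \
                            and reads[path] < cseq < seq:
                        hits[proc].append((path, new_path))
                        break
    return dict(hits)


def suspicious_processes(events, min_hits=2):
    """Processes that repeated the pattern at least min_hits times; a single
    hit is what an installer or editor doing a safe-save can also look like."""
    return {proc for proc, pairs in rewrite_then_delete(events).items()
            if len(pairs) >= min_hits}


if __name__ == "__main__":
    for proc, pairs in rewrite_then_delete(EVENTS).items():
        print(proc)
        for original, replacement in pairs:
            print(f"  {original} -> {replacement}")
    print("flagged:", suspicious_processes(EVENTS))
```

The per-process threshold matters: a single read/create/delete triple is how many editors save a file safely, so it is the repetition across many user files that is the signal. The list of `(original, replacement)` pairs doubles as the worklist of deleted originals to hand to a file recovery tool.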
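Before handing a file to a repair tool it helps to know how much of it the ransomware actually overwrote and whether the original header survived, which is what decides if partial repair (the File Repair item above and the partial-encryption point at the top of the page) is worth attempting. The script below is an added example, not code from this page or from JPEG Repair or any other product; the 4 KiB chunk size, the 7.5 bits/byte threshold and the sample file are my own assumptions, and the sample is constructed with pseudo-random bytes rather than being a real STOP/DJVU artefact. It goes slightly beyond the page in that it works for any uncompressed file type, not only the formats named there.

```python
"""Triage a partially encrypted file: estimate how many leading bytes were
overwritten with ciphertext and whether the original header survived.
Added illustration; not code from the page or from any repair product."""
import math
import random

CHUNK = 4096             # analysis granularity in bytes (assumed; tune to taste)
ENCRYPTED_ENTROPY = 7.5  # bits/byte; random data scores ~7.95 per 4 KiB chunk


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def encrypted_prefix_length(data: bytes, chunk: int = CHUNK,
                            threshold: float = ENCRYPTED_ENTROPY) -> int:
    """Number of leading bytes that look like ciphertext.

    Walks chunks from offset 0 and stops at the first one below the threshold,
    so the estimate is rounded down to a chunk boundary.  Only meaningful when
    the plaintext is not itself compressed: a JPEG, MP4 or ZIP is high-entropy
    everywhere, and for those formats surviving format markers, not entropy,
    tell you what is left to repair.
    """
    for i, e in enumerate(entropy_profile(data, chunk)):
        if e < threshold:
            return i * chunk
    return len(data)


def triage_file(data: bytes, expected_magic: bytes) -> dict:
    """Summarise what a repair attempt has to work with."""
    prefix = encrypted_prefix_length(data)
    return {
        "size": len(data),
        "header_intact": data.startswith(expected_magic),
        "encrypted_prefix_estimate": prefix,
        "fraction_encrypted": prefix / len(data) if data else 0.0,
        # everything after the prefix is untouched plaintext, which is what a
        # repair tool rebuilds the lost header around; a fully encrypted file
        # leaves nothing to work with
        "partial_encryption": 0 < prefix < len(data),
    }


def make_sample_document(encrypted_bytes: int = 16384, total: int = 65536,
                         seed: int = 1) -> bytes:
    """Constructed sample, not a real STOP/DJVU artefact: a text-like file whose
    first `encrypted_bytes` are replaced by pseudo-random bytes to mimic
    partial encryption."""
    rng = random.Random(seed)
    line = b"Quarterly report, section 4. Revenue was flat; costs rose.\n"
    body = (line * (total // len(line) + 1))[:total]
    ciphertext = bytes(rng.getrandbits(8) for _ in range(encrypted_bytes))
    return ciphertext + body[encrypted_bytes:]


if __name__ == "__main__":
    sample = make_sample_document()
    for offset, e in zip(range(0, len(sample), CHUNK), entropy_profile(sample)):
        print(f"{offset:8d}  {e:5.2f} bits/byte")
    print(triage_file(sample, expected_magic=b"Quarterly"))
```

Run it on a copy taken from the disk image, never on the patient drive itself. The entropy profile printed by the main block makes the encrypted-to-plaintext transition visible as a drop from roughly 7.9 to the 4 to 5 bits/byte typical of text or office XML; a file that stays near 8.0 all the way through is either fully encrypted or a compressed format, and only a format-aware check can tell those apart.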