A case was brought to me as JPEGs encrypted by ransomware. This article shows the repair of JPEGs that fell victim to ransomware. This particular ransomware only encrypts part of each file; as a result the JPEG header and some 150 KB of JPEG data are lost. Using a reference file, and after weeding out the encrypted data, we can repair these photos. Repair is done file by file; this is not an automatic process where hundreds of files are repaired with a single click.
Now, as this article is not meant to give anyone false hope, understand that fully encrypted files cannot be ‘repaired’. The only repair possible for those is decryption.
Update 27-01-2020: I can now confirm it also works on variant with .gesd extension encrypted files.
JPEGs encrypted by ransomware?
The customer that sent me the files told me the JPEGs cannot be opened and no previews or thumbnails are visible. He suspects the JPEGs are encrypted by ransomware.
Entropy, however, suggests the files are at least not fully encrypted. About the first 150 KB of each file contains non-JPEG data. I didn’t investigate whether this was actually encrypted data, but some ransomware does encrypt only the start of files. The rest of the data looks like JPEG data, both entropy-wise and byte-histogram-wise.
It then does not matter whether the first 150 KB was encrypted or overwritten with some other data: if we have a valid header from a reference file we can use JPEG-Repair and see if we can make the remaining JPEG data visible again.
The encrypted portion of the data is lost. As this was only 150 KB of 6 MB+ of JPEG data, only a small strip of each photo cannot be repaired / recovered.
Only after I had repaired two files did I discover, using the ID-Ransomware website, that the photos had indeed been partially encrypted by the STOP (Djvu) ransomware. I still document this case because the decryption tool does not work with all variants of the ransomware. It may also help with other ransomware that only partially encrypts files.
Repair using JPEG-Repair involves the following:
1. Put a valid header in front of the corrupted file. This header must match the JPEG data as closely as possible, so the sample file needs to be shot with the same camera, with settings matching as closely as possible. Once the header is in place and the invalid JPEG markers have been removed from the encrypted / corrupt data (done automatically by JPEG-Repair), the photo can be rendered. The corrupt portion is clearly visible:
2. Remove the corrupt data from the file (whether it is encrypted or some other corruption). This could be done with a hex editor if the amount of corrupt data is known. If it is unknown, it is quite easy with JPEG-Repair as it gives you visual feedback. The more corruption we remove, the better the photo looks:
3. Post-processing in a photo editor. Once the colors look more or less natural you can start re-aligning the image and copy it to the clipboard.
Import the clipboard into your photo editor to cut away the remaining corrupt parts and adjust color, brightness etc.:
Can JPEG-Repair help me?
Always first check whether a decryptor is available. If so, it is by far the easiest way to repair your files.
Using the ID-Ransomware tool and uploading a JPEG I was able to determine we are dealing with the STOP (Djvu) ransomware, for which a decryption tool is available. This tool does, however, not cover all variants of the ransomware. In those cases, and in other cases involving partial encryption, you can use JPEG-Repair to repair JPEGs encrypted by ransomware.
Partial or full encryption?
Let’s look at the first image in this post again (click to enlarge in a new tab):
Tell-tale signs that indicate partial encryption:
- The encrypted data at the start of the file looks very different from, and far noisier than, actual image data. It stands out from the rest of the data.
- The entropy looks like that of a JPEG (top left, above the byte histogram). A fully encrypted file would display an entropy value of (very close to) 8.00 bits/byte.
Also, JPEG-Repair can only help recover the part of the JPEG that is not encrypted, so for a fully encrypted file there is nothing it can do.
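The checks and repair steps described above, as an added example that is not part of the original article and is not JPEG-Repair’s own code. It serves two passages: the tell-tale signs of partial versus full encryption, and steps 1 and 2 of the JPEG-Repair procedure. The script scans a file in 4 KB windows for two statistics, Shannon entropy and the number of 0xFF bytes that are not followed by a legal stuffing or restart byte (a JPEG scan never contains such bytes, whereas random or encrypted data produces roughly one per 270 bytes), uses them to classify the file as intact, partially or fully encrypted and to estimate where the opaque prefix ends, and then places the header of a reference file in front of the victim’s surviving data after dropping that prefix and any invalid markers. The window size, the choice to drop each invalid FF xx pair, the constructed sample “photo”, the placeholder ciphertext and all function names are this example’s own assumptions; progressive JPEGs (several SOS segments) are out of scope.

```python
# Added example, not the article's or JPEG-Repair's code; see the lead-in for assumptions.
import math
import struct
from collections import Counter

SOS, EOI = 0xDA, 0xD9
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # markers without a length field


def split_at_sos(data):
    """(header, scan): header is everything from SOI through the SOS segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI: header missing or overwritten")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte
            pos += 1
        elif marker in STANDALONE:
            pos += 2
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            end = pos + 2 + length              # length counts its own two bytes
            if marker == SOS:
                return data[:end], data[end:]
            pos = end
    raise ValueError("no SOS segment found")


def invalid_marker_offsets(scan):
    """Offsets of 0xFF bytes in entropy-coded data that are not followed by 0x00
    (stuffing), RST0-7 or a final EOI. A real scan has none; random or
    encrypted bytes produce roughly one per 270 bytes."""
    bad, i = [], scan.find(b"\xff")
    while i != -1:
        nxt = scan[i + 1] if i + 1 < len(scan) else None
        if not (nxt == 0x00 or (nxt is not None and 0xD0 <= nxt <= 0xD7)
                or (nxt == EOI and i + 2 == len(scan))):
            bad.append(i)
        i = scan.find(b"\xff", i + 1)
    return bad


def entropy(buf):
    """Shannon entropy in bits per byte; 8.0 means every value is equally frequent."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def classify(data, window=4096):
    """Return (verdict, opaque_prefix_len, rows); verdict is 'intact', 'headerless',
    'partial' or 'full', rows holds (offset, entropy, invalid_markers) per window."""
    base = 0
    if data[:2] == b"\xff\xd8":
        try:
            base = len(split_at_sos(data)[0])   # a surviving header's markers are legitimate
        except ValueError:
            pass
    bad = invalid_marker_offsets(data[base:])
    rows, last_bad = [], -1
    for k, off in enumerate(range(0, len(data) - base, window)):
        n_bad = sum(1 for b in bad if off <= b < off + window)
        rows.append((base + off, entropy(data[base + off:base + off + window]), n_bad))
        if n_bad:
            last_bad = k
    if last_bad < 0:
        return ("intact" if base else "headerless"), 0, rows
    if last_bad == len(rows) - 1:
        return "full", len(data), rows
    return "partial", base + (last_bad + 1) * window, rows


def strip_invalid_markers(scan):
    """Drop each invalid FF xx pair so a decoder does not abort on it (JPEG-Repair
    does this automatically; dropping the pair is this example's own choice)."""
    bad, out, i = set(invalid_marker_offsets(scan)), bytearray(), 0
    while i < len(scan):
        if i in bad:
            i += 2
        else:
            out.append(scan[i])
            i += 1
    return bytes(out)


def transplant_header(reference, victim, skip):
    """Header of the reference file (same camera and settings) in front of the
    victim's bytes after `skip`, with a trailing EOI guaranteed."""
    header, _ = split_at_sos(reference)
    tail = strip_invalid_markers(victim[skip:])
    return header + (tail if tail.endswith(b"\xff\xd9") else tail + b"\xff\xd9")


# Constructed sample data (stand-ins, not real photos or real ciphertext).
def build_sample_jpeg(scan):
    """Baseline-JPEG skeleton around `scan`; table payloads are placeholders."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xDB, b"\x00" + bytes(64)) + seg(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
            + seg(0xC4, b"\x00" + bytes(17)) + seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + scan + b"\xff\xd9")


NO_FF = bytes(range(255))                                        # 0x00..0xFE, never a marker
SAMPLE_SCAN = (NO_FF + b"\xff\x00" + NO_FF + b"\xff\xd0") * 40   # stuffing and RST0 are legal
CIPHER_UNIT = bytes(range(255, -1, -1))   # FF FE .. 00: 8.0 bits/byte, one illegal marker per 256 bytes


def fake_encrypt(data, n):
    """Overwrite the first n bytes, the way STOP/Djvu overwrites the first ~150 KB."""
    return (CIPHER_UNIT * (n // 256 + 1))[:n] + data[n:]
```

Run classify() on the victim file, take the reported prefix as the starting value for the skip parameter of transplant_header(), and then move it up or down while viewing the result, exactly as the article does with JPEG-Repair’s visual feedback; the estimate is only as fine as the window size. Note that the statistics alone cannot distinguish a fully encrypted file from any other random-looking blob, which is the article’s point: when every window is opaque there is no image data left to transplant a header onto.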
Currently known file extensions for STOP Djvu
Note that this list may be outdated as new extensions keep appearing regularly!
.STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promock, .promoks, .promorad, .promorad2, .kroput, .kroput1, .charck, .pulsar1, .puma, .pumax, .pumas, .shadow, .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .moresa, .verasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .browec, .norvas, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidon, .heroset, .myskle, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .dalle, .lotep, .nusar, .litar, .truke, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .tocue, .darus, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .ndarod, .access, .format, .brusaf, .londec, .krusop, .nasoh, .nacro, .pedro, .mtogas, .coharos, .nuksus, .vesrato, .masodas, .stare, .cetori, .carote, .shariz, .gero, .hese, .geno, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .kuub, .noos, .reco, .xoza, .bora, .leto, .werd, .nols, .coot, .derp, .nakw, .toec, .mosk, .lokf, .peet, .grod, .kodg, .mbed, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .nbes, .mkos, .redl, .piny, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe – Source: https://geeksadvice.com/remove-djvu-ransomware-virus/