You are dealing with a new variant of STOP (Djvu) Ransomware as explained here through Amigo-A (Andre Ivanov). Since the switch to newer STOP Djvu variants (and the release of .gero), malware developers have been consistent in using 4 letter extensions.
the .djvu* and newer variants will leave ransom notes named _openme.txt, _open_.txt Where _readme.txt
Please read the first page (Post #1) of the STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Support Topic And these FAQs for a summary of this infectionthese are variants, updates and possible decryption solutions using the Emsisoft decryptor.
As it concerns new variants of STOP (Djvu) Ransomware… data decryption requires a OFFLINE ID with the corresponding private key. There is no longer an easy way to obtain a private key for many of these newer variants and no way to decrypt files if infected with ONLINE KEY without paying ransom (which is not recommended) and get the private keys of the criminals who created the ransomware. Emsisoft can only obtain a private key for OFFLINE IDs AFTER a victim has PAID the ransom, received a key, and provided it to them.
In case of infection by an ONLINE KEY, decryption is impossible without the victim’s specific private key. ONLINE KEYS are unique to each victim and randomly generated securely with unbreakable encryption. Emsisoft cannot help decrypt files encrypted with ONLINE KEY due to the type of encryption used by criminals and the fact that there is no way to access the criminal’s command server and recover this KEY. ONLINE ID for the new STOP variants (Djvu) are Unsupported speak Emsisoft decryptor
the Emsisoft decryptor will also tell you if your files are decryptable, if you are dealing with an “old” or “new” variant of STOP/Djvu, and if your ID is ONLINE or OFFLINE.
Emsisoft has obtained and uploaded to its server OFFLINE credentials for many (but not at all) new STOP variants (Djvu) as shown in Extension #9297 and elsewhere in the support section.
** If there is no OFFLINE ID for the variant you treat, we cannot help you unless a private key is retrieved and provided to emsisoft. When and if the private key for any new variant is obtained, it will be transmitted to the Emsisoft server and automatically added to the decryptor. Subsequently, all files encrypted by the OFFLINE KEY for this variant can be recovered using the Emsisoft decryptor. For now, the only other alternative to paying the ransom is to back up/save your encrypted data as is and wait for possible future retrieval of a private key for an OFFLINE ID.
There is no timeline for when or if a private key for an OFFLINE ID will be retrieved and shared with Emsisoft and no announcement by Emsisoft when they will be. restored due to victim privacy. This means that victims should keep reading the support topic for updates or run the decryptor on a test sample of encrypted files every week or two to check if Emsisoft was able to obtain and add the private key for the specific variant that encrypted your data.
** If an OFFLINE ID is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you were most likely encrypted by an ONLINE KEY and these files are non-recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key. If infected with an ONLINE ID, the Emsisoft decryptor will indicate this fact under the Results tab and note that the variant is impossible to decrypt.
You should post questions in the support topic above. If you have followed these instructions and need further assistance, you should always ask for help in this support topic.
Rather than having everyone with individual topics and to avoid unnecessary confusion, this topic is closed.
British Columbia staff