How to Decrypt Files Locked by STOP/DJVU Ransomware
Matthew Alvarez
Updated on May 05, 2026
STOP/DJVU ransomware encrypts the victim’s files with Salsa20 and appends one of dozens of extensions to the filenames, for example “.wrui”, “.pcqq”, “.ytbn”, “.nusm”, “.ehiz”, “.xcmb”.
The ransom note “_readme.txt” contains the following text:
ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note!
First of all, you need to delete the malware from your PC; otherwise, it will lock your device or encrypt your data several times. If your current anti-virus tool does not delete this malware, it can be deleted with the help of GridinSoft Anti-Malware.
If your system was infected through the Windows Remote Desktop function, we also strongly advise that you change the passwords of all users that are permitted to log in remotely and check the local user accounts for extra accounts that the attackers may have created.
Warning: The decryption tool needs to be connected to the internet while it is running, because it gets the decryption guidelines from the server.
Updated 19 August 2021
The offline/private key for the .moqs variant of the STOP ransomware was added to the Emsisoft server.
Updated 12 July 2021
The offline key for the .omfl, .geno, .nile, .maas variants was recovered by Emsisoft.
Updated 02 July 2021
The offline key for the .sspq, .iqll, .ddsg variants was recovered by Emsisoft. Any victims of these 3 variants that had files encrypted by the offline key can recover their files.
Updated 31 May 2020
The .covm variant offline key was recovered by Emsisoft and added to the Emsisoft Decryptor server.
Updated 01 May 2020
Emsisoft has announced that the offline keys for .opqz, .nppp and .npsk have been recovered and uploaded to the Emsisoft Decryptor server.
Updated 06 Feb 2020
Emsisoft has announced that the offline keys for .alka and .repp have been recovered and uploaded to the Emsisoft Decryptor server.
Updated 20 Jan 2020
Emsisoft has obtained new OFFLINE KEYS for the .nbes and .mkos STOP (Djvu) variants and uploaded them to the Emsisoft Decryptor server.
Updated 06 Jan 2020
List of the 148 New Stop/Djvu variants that Emsisoft can decrypt:
.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote
Updated 02 Dec 2019
List of the New Stop/Djvu variants that Emsisoft can decrypt. FOR OFFLINE KEY ONLY!
.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk
Updated 25 Nov 2019
Emsisoft has obtained OFFLINE KEYS for the following new STOP (Djvu) variants and uploaded them to the Emsisoft Decryptor server:
.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .mosk, .lokf, .peet, .mbed, .kodg
Updated 9 Nov 2019
Decryptor v.1.0.0.1 by Emsisoft can currently decrypt the NEW Stop/Djvu variants with the following file extensions:
.gero, .hese, .seto, .peta, .moka, .meds, .kvag, .karl, .nesa, .noos, .kuub, .reco, .bora, .coot, .derp
Terms: Files encrypted with OFFLINE KEY.
There are certain limitations regarding which files can be restored. For all versions of STOP Djvu, files can be decrypted if they were encrypted with an offline key that the developers of the Emsisoft Decryptor have. For Old Djvu, files can also be decrypted using encrypted/original file pairs submitted to the STOP Djvu Submission portal. Keep in mind that this does not apply to New Djvu, which was developed after August 2019.
What is a “file pair”?
This is a pair of files that are identical (as in they are the precise same data), except that one copy is encrypted and the other is not. The STOP Djvu Submission portal can analyze the differences between an encrypted file and an original copy of the same file, allowing it to determine how to decrypt that file. For most victims with an older variant of STOP/Djvu, submitting file pairs will be the only way to get their files back.
How to restore your files?
- Download the decryption tool through the same website that developed this “How To” guide.
- Make sure to launch the decryption utility as an administrator. You need to agree with the license terms that will come up. For this purpose, click on the “Yes” button.
- As soon as you accept the license terms, the main decryptor user interface comes up.
- By default, the decryptor automatically populates the list of locations to decrypt with the currently connected drives, including network drives. Extra (optional) locations can be added with the help of the “Add” button.
- Decryptors normally offer several options depending on the specific malware family. The currently available options are presented in the Options tab and can be activated or deactivated there. You can find a detailed list of the currently active options below.
- As soon as you add all the desired locations for decryption into the list, click on the “Decrypt” button to initiate the decryption procedure. Note that the main screen may switch to a status view, letting you know of the active process and the decryption statistics of your data.
- The decryptor will notify you as soon as the decryption procedure is completed. If you need the report for your records, you can save it by choosing the “Save log” button. Note that it is also possible to copy it directly to your clipboard and to paste it into emails or forum messages if you need to do so.
Decryptor options
The decryptor currently offers the following options:
- Keep encrypted files
Because the ransomware does not store any data regarding the unencrypted documents, the decryptor cannot guarantee that the decrypted file will be identical to the original one. Hence, by default, the decryptor will, for safety reasons, not delete any encrypted documents after they have been decrypted. If you would like the decryptor to delete encrypted documents once they have been decrypted, you can deactivate this option. This may be useful if the space on your hard drive is limited.
Frequently Asked Questions
Why won’t the decryptor run?
The decryptor requires version 4.5.2 or newer of the Microsoft .NET Framework, so your version of the .NET Framework may be out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this) and then trying the decryptor again.
Why is the decryptor stuck on “Starting”?
When you run the decryptor, it looks for encrypted files. Therefore, it will say “Starting” until it can find some. If the decryptor remains stuck on “Starting” for a long time, this means it cannot find any encrypted files.
The decryptor can’t decrypt all of my pictures even though I submitted file pairs for them?
JPEG/JPG images have a format oddity that causes file pairs to be specific to each picture source rather than the file format in general. As an example, if you have pictures from two different cameras, and submit a file pair from the group of pictures from one of the cameras, then the decryptor will only be able to decrypt files from the camera that the file pair came from. Therefore, to decrypt all JPEG/JPG images, you will need to submit file pairs from every source you’ve obtained those pictures from.
What does “Remote name could not be resolved” mean?
It’s an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this:
I have an online key. What can I do?
The STOP Djvu ransomware encrypts only the first 150KB of files. Since MP3 files are rather large, some media players (Winamp, for example) may be able to play the files, but the first 3-5 seconds (the encrypted portion) will be missing.
You can try to find a copy of an original file that was encrypted:
- Files you downloaded from the Internet that were encrypted, and you can download again to get the original.
- Pictures that you shared with family and friends that they can send back to you.
- Photos that you uploaded on social media or cloud services (like Carbonite, OneDrive, iDrive, Google Drive, etc.)
- Attachments in emails you sent or received and saved.
- Files on an older computer, flash drive, external drive, camera memory card, or iPhone where you transferred data to the infected computer.
If not, you can try to restore files through the system function – Restore Point.
Also, try removing the ransomware extension from a few BIG files and opening them. Either the STOP/Djvu ransomware read the file and did not encrypt it, or it bugged and did not add the filemarker. If your files are huge (2GB+), the latter is most likely.
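The script below is an added example, not code from the decryptor or the submission portal. It checks whether a locked file and a candidate original really form a file pair, relying on the statement above that only the first 150KB is encrypted. The function names, verdict labels, the assumption that a locked file is never shorter than its original, and the constructed sample files are illustrative; the XOR table only stands in for encryption.

```python
import os
import tempfile
from pathlib import Path

SPAN = 150 * 1024  # the article states that only the first 150KB of a file is encrypted

def classify_pair(locked, original, span=SPAN):
    """Verdict for a locked file and a candidate clean copy of the same file."""
    size = os.path.getsize(original)
    # Assumption: encryption may append data to a file but never shortens it.
    if size == 0 or os.path.getsize(locked) < size:
        return "mismatch"
    with open(locked, "rb") as enc, open(original, "rb") as orig:
        head_same = enc.read(min(span, size)) == orig.read(span)
        # Past the encrypted span, a true pair must be byte-identical.
        while chunk := orig.read(1 << 20):
            if enc.read(len(chunk)) != chunk:
                return "mismatch"  # a different file, or another version of it
    if head_same:
        return "not_encrypted"  # renamed only: removing the extension is enough
    # Files no longer than the span have no clear-text tail to confirm the match.
    return "pair" if size > span else "unverifiable"

def find_pairs(locked_dir, originals_dir, ext, span=SPAN):
    """Match <name><ext> in locked_dir to <name> in originals_dir and classify."""
    results = {}
    for name in sorted(os.listdir(locked_dir)):
        clean = os.path.join(originals_dir, name[:-len(ext)])
        if name.lower().endswith(ext.lower()) and os.path.isfile(clean):
            results[name] = classify_pair(os.path.join(locked_dir, name), clean, span)
    return results

def demo():
    """Build constructed sample files in temporary directories and classify them."""
    body = bytes(range(256)) * 800             # 200KB of constructed data
    xor = bytes(x ^ 0xAA for x in range(256))  # translate table standing in for encryption
    samples = {  # name: (clean copy, locked copy)
        "song.mp3": (body, body[:SPAN].translate(xor) + body[SPAN:] + b"TRAILER"),
        "video.mkv": (body, body),
        "note.txt": (body[:1024], body[:1024].translate(xor)),
        "report.doc": (body, body[:SPAN].translate(xor) + body[SPAN:-1] + b"!"),
    }
    with tempfile.TemporaryDirectory() as locked, tempfile.TemporaryDirectory() as clean:
        for name, (orig, enc) in samples.items():
            Path(clean, name).write_bytes(orig)
            Path(locked, name + ".wrui").write_bytes(enc)
        return find_pairs(locked, clean, ".wrui")

if __name__ == "__main__":
    print(demo())
```

A "pair" verdict means the copy recovered from email, cloud storage or an old drive matches the locked file everywhere outside the encrypted span; "mismatch" usually means the copy is a different version of the file.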
References
- DJVU Decryption Tool: