Edited by quietman7, 28 February 2024 - 11:54 AM.
Posted 28 February 2024 - 03:01 AM
Posted 28 February 2024 - 09:30 AM
Please do not post active links to possible malware (malicious files), including links which may lead to sites where infections have been contracted and spread. If it is malicious, we don't want other members accidentally clicking on such links and infecting their machines. All such links will be removed to protect other members reading our forum topics.
Samples of any suspicious executables (installer, malicious files) that you suspect were involved in causing the infection can be submitted (uploaded) to VirusTotal for analysis and provide a link to the results...this is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with analyzing, investigating, identification of the ransomware and possibly finding a flaw which could be useful for decryption of encrypted data.
Using pirated software, fake/illegal activators for Windows & Office, torrents, keygens and other cracked software is a serious security risk (unsafe practice) which can make your system susceptible to a smörgåsbord of malware infections including ransomware resulting in the encryption of all your most valuable data, in many cases beyond recovery as explained here (Post #11).
You are dealing with a newer variant of STOP (Djvu) Ransomware as explained here by Amigo-A (Andrew Ivanov). Since switching to the new STOP Djvu variants (and the release of .gero) the malware developers have been consistent on using 4-letter extensions.
The .djvu* and newer variants will leave ransom notes named _openme.txt, _open_.txt or _readme.txt
Please read the first page of the STOP (Djvu) Ransomware Support Topic for a summary of this infection, its variants, any updates and possible decryption solutions using the Emsisoft STOP Djvu Decryptor. See Post #2 for tools (JpegMedic ARWE, Media_Repair) which can be used to partially repair (not decrypt) JPEG and audio/video files (WAV, MP3, Mp4, M4V, MOV, 3GP) partially encrypted by ransomware.
In regards to new variants of STOP (Djvu) Ransomware...decryption of data requires an OFFLINE ID with corresponding private key. Emsisoft can only get a private key for OFFLINE IDs AFTER a victim has PAID the ransom, receives a key and provides it to them so the key can be added to their database.
If infected with an ONLINE KEY, decryption is impossible without the victim’s specific private key. ONLINE KEYS are unique for each victim and randomly generated in a secure manner with unbreakable encryption. Emsisoft cannot help decrypt files encrypted with the ONLINE KEY due to the type of encryption used by the criminals and the fact that there is no way to gain access to the criminal's command server and retrieve this KEY. ONLINE IDs for new STOP (Djvu) variants are not supported by the Emsisoft Decryptor.
The Emsisoft Decryptor will also tell you if your files are decryptable, whether you're dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is ONLINE or OFFLINE.
If you run the Emsisoft Decryptor for a new variant with an ONLINE ID, the decryptor will indicate there is "no key" under the Results Tab and note it is impossible to decrypt.
Error: No key for New Variant online ID ***************************
Notice: this ID appears to be an online ID. decryption is impossible
That means for now, if your files were encrypted with an ONLINE KEY, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for a possible future solution.
** If there is no OFFLINE ID for the variant you are dealing with, we cannot help you unless a private key is retrieved and provided to Emsisoft. Thereafter, any files encrypted by the OFFLINE KEY for that variant can be recovered using the Emsisoft Decryptor. There is no timetable for when or if a private key for an OFFLINE ID will be recovered and shared with Emsisoft and no announcement by Emsisoft when they are recovered. That means victims should keep reading the support topic for updates or run the decryptor on a test sample of encrypted files every week or two to check if Emsisoft has been able to obtain and add the private key for the specific variant which encrypted your data.
However, at this point it appears Emsisoft has discontinued development and stopped all support of the decryptor.
** If an OFFLINE ID is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you most likely were encrypted by an ONLINE KEY and those files are not recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key.
You need to post any questions in the above support topic. If you have followed those instructions and need further assistance, then you still need to ask for help in that support topic.
Rather than have everyone with individual topics and to avoid unnecessary confusion, this topic is closed.
Thanks
The BC Staff
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
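The post tells victims to preserve encrypted data as is and to share suspicious executables through VirusTotal rather than as live links. A small triage script that supports both steps is shown below as an added example; it is not part of the post, not an Emsisoft or BleepingComputer tool, and it does not decrypt anything. It walks a directory, finds the ransom note names the post lists (_openme.txt, _open_.txt, _readme.txt), inventories files carrying an appended 4-letter extension (the ".zzzz" in the constructed sample tree is a placeholder, not a real variant extension), and computes SHA-256 hashes of any executables so they can be looked up on VirusTotal without uploading or linking to them.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom note file names listed in the post for the .djvu* and newer STOP variants.
RANSOM_NOTE_NAMES = {"_openme.txt", "_open_.txt", "_readme.txt"}

# Newer STOP (Djvu) variants append a 4-letter extension to the original file name,
# so an encrypted file looks like "report.docx.<4 letters>".
APPENDED_EXT_RE = re.compile(r"\.[a-z]{4}$")

# Ordinary 4-letter extensions that must not be mistaken for an appended one.
COMMON_4_LETTER_EXT = {".docx", ".xlsx", ".pptx", ".jpeg", ".html", ".json",
                       ".yaml", ".webp", ".heic", ".flac", ".tiff", ".mpeg"}

EXECUTABLE_EXT = {".exe", ".dll", ".msi"}


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large samples do not
    need to fit in memory. The hash is what you search for on VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_encrypted(name):
    """True if `name` ends in a 4-letter extension appended after a real one
    (e.g. photo.jpg.zzzz), false for plain names such as photo.jpeg or notes.docx."""
    m = APPENDED_EXT_RE.search(name)
    if not m or m.group(0) in COMMON_4_LETTER_EXT:
        return None
    original = Path(name[: m.start()])
    return m.group(0) if original.suffix else None


def triage(root):
    """Walk `root` and return an inventory dictionary:
       notes        - relative paths of ransom notes found
       by_ext       - number of encrypted files per appended extension
       encrypted    - relative paths of files with an appended extension
       executables  - relative path -> SHA-256 for .exe/.dll/.msi files
    Nothing is modified or deleted; the data is left as is."""
    root = Path(root)
    notes, encrypted, executables = [], [], {}
    by_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name in RANSOM_NOTE_NAMES:
                notes.append(rel)
                continue
            ext = looks_encrypted(name)
            if ext:
                by_ext[ext] += 1
                encrypted.append(rel)
                continue
            if p.suffix.lower() in EXECUTABLE_EXT:
                executables[rel] = sha256_of(p)
    return {"notes": sorted(notes), "by_ext": dict(by_ext),
            "encrypted": sorted(encrypted), "executables": executables}


def build_sample_tree(base):
    """Construct a small made-up victim directory for demonstration only."""
    base = Path(base)
    docs, dl = base / "Documents", base / "Downloads"
    docs.mkdir(parents=True)
    dl.mkdir()
    (docs / "_readme.txt").write_text("constructed ransom note placeholder\n")
    (docs / "thesis.docx.zzzz").write_bytes(b"\x00" * 32)   # .zzzz is a placeholder extension
    (docs / "photo.jpg.zzzz").write_bytes(b"\x01" * 32)
    (docs / "notes.docx").write_bytes(b"\x02" * 32)         # untouched file, must not be counted
    (dl / "setup.exe").write_bytes(b"MZ" + b"\x00" * 30)    # fake installer, hashed for lookup
    (dl / "_readme.txt").write_text("constructed ransom note placeholder\n")
    return base


def demo():
    """Run the triage over the constructed sample tree and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    report = demo()
    print("ransom notes :", report["notes"])
    print("encrypted    :", report["by_ext"])
    for rel, digest in report["executables"].items():
        print(f"executable   : {rel}  sha256={digest}")
```

Point `triage()` at the top of the affected profile (or a mounted image of it) to get a list of ransom notes, the extension the variant appended, and hashes of installers found in Downloads; the extension and the hashes are what the support topic asks for, and the inventory doubles as a manifest for the encrypted backup the post recommends keeping.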