Read time 7 minutes

Summary: Learn about STOP/DJVU ransomware and how to recover files without paying the ransom. Understand the ransomware’s encryption process, targeted files, and decryption methods. Follow steps, including scanning with anti-malware, identifying encryption type, and using tools like Emsisoft STOP Djvu decryptor or Kernel Photo Repair for recovery.

Have you fallen prey to the STOP/DJVU ransomware, finding yourself unable to reach your files? Feeling uncertain about your next move? The initial and crucial advice is to refrain from paying the attacker. Wondering what comes after that? Allow us to guide you through the process. Dealing with this type of issue requires a more comprehensive understanding, as there’s no quick fix. Additionally, it’s essential to enhance your preparedness to prevent future attacks.


Ransomware, a form of malicious software, restricts a user’s access to their data and demands payment of a ransom to either regain access or prevent the exposure of the data. This type of malware relies on cryptographic techniques to craft its harmful software. Typically, attackers deploy a trojan disguised as a seemingly legitimate file, swiftly infiltrating the system and encrypting files. The encrypted files become inaccessible until decrypted with a specific cryptographic key. The malware commonly generates a message file within the system, detailing the nature of the attack and providing instructions for the victim on how to make the ransom payment in exchange for a decryption key.

What is STOP/DJVU Ransomware?

DJVU ransomware, a member of the STOP ransomware family, surfaced in December 2018 and has since been actively assaulting users worldwide. Typically concealed within software crack packages, keygens, or adware bundles found on torrent sites and various platforms, this malware swiftly infiltrates systems upon the execution of an infected file. Operating discreetly in the background, the trojan rapidly propagates encryption malware, targeting a variety of popular file formats such as .doc, .pdf, .jpg, .jpeg, .mp4, and others. Notably, the ransomware doesn’t fully encrypt the files; instead, it selectively encrypts approximately 5 MB of each file. Subsequently, the compromised files adopt the .djvu extension or similar extensions. Further, _openme.txt or _readme.txt files appear on the desktop. These files are basically ransom notes and contain details about the mode of payment and other such details.

Example of Ransom Note:

DJVU Ransomware

The virus also deletes disk backups, updates Windows registry entries, and updates various other system files, which makes it almost impossible to restore or recover the impacted data and files.

How to decrypt JPEG files affected by DJVU?

Before we delve deeper, let’s shed some light on the ransomware. DJVU cryptoware employs a solitary key to encrypt your files. When your PC is online, it utilizes the key through internet connection. Yet, if, for any reason, the system fails to establish a connection with their server, it resorts to an encryption key embedded in the malware code. In such instances, it becomes feasible to decrypt the files without succumbing to ransom demands.

We’ve covered everything necessary for you to move forward. You’re now familiar with the workings of the attack thus far, making it straightforward to grasp each of the subsequent steps we propose.

  • STEP 1 – Scan and fix system using anti-virus and anti-malware software
    You’ve probably caught on that the software in your system played a role in the current situation. Start by eliminating the troublesome file. Skipping this crucial step might throw you back into the same problem, as that pesky file would still linger in your system.
    Sure thing! Give your computer a thorough check-up by running a comprehensive scan with reputable anti-virus and anti-malware tools like Avast or McAfee. Despite potential slowdowns, ensure the scan covers your entire system, eliminating any malicious files and processes.
  • STEP 2 – Identify if encryption was done using offline or online Key
    Take a peek in your system for files named SystemID.txt and PersonalID.txt, crafted by DJVU software and holding the encryption IDs in play. Check out the _readme.txt file for a pointer to your personal ID. Just a heads-up, all the offline keys wrap up with a “t1.” Spotting these key files will smoothen the path to reclaiming your data and regaining access to your .jpeg and other files that caught the bug.
  • STEP 3 – Use decryptor software to fix offline key encryption
    After obtaining the offline key and Personal ID, you can employ various free decryption tools on the internet, like the Emsisoft STOP Djvu decryptor, to decrypt your JPEG files.
  • STEP 4 – Use a Professional Image Repair tool
    Should you be unable to locate any personal ID or encryption keys as outlined in step 2, it’s likely that your system has been encrypted using online key or keys. Even with the assistance of expert decryption tools, decrypting your files may prove challenging. But, you can use the Kernel Photo Repair tool to get back your inaccessible and impacted JPEG files. It has the extraordinary capability to fix any kind of error occurring in the photos including an unknown or invalid JPEG marker type is found, and major corruption issues as well.

    Below is the step-by-step manual on how to use this tool:

    1. Download the software from the official website and install it.
    2. Once the software is installed, run it in your system.
    3. Once the tool opens, click on the Add icon available on the home screen of the application.
      Photo Repair
    4. Next, choose all the impacted photos that need to be repaired, and click on the Open button once selected.
       choose all the impacted photos
    5. Now, click on the ‘Repair Files’ button.
      click on the Repair Files button

      Note: You can click on the (+) sign on the top right to add more files or (-) sign to remove unwanted files.

    6. Select the output path as per desire and click OK.
      Select the output path
    7. At this point, the tool starts to repair the files one by one. You can see the progress and updates under Status column.
      tool starts to repair the files one by one
    8. Lastly, click on the ‘Close’ button to finish.
      click on the Close button

      Note: You can choose to save the report by clicking on the ‘Save report to CSV’ button.

      Now, your photos should be repaired. You can now access them in the output folder path provided during the steps mentioned above.


In this blog post, we delved into the world of ransomware, exploring its nature and the mechanisms through which it infiltrates victim systems. Specifically, we dissected the workings of the DJVU ransomware, shedding light on its ransom notes, targeted file types, and the intricacies of file encryption. Our discussion touched upon the utilization of trojans and partial file encryption to efficiently target a large number of files in a short span. Both offline and online encryption methods were examined, accompanied by detailed explanations of potential solutions for each method. To wrap things up, we provided insights into leveraging software to restore encrypted JPEG files. This tool can repair inaccessible JPEG files in no time and can be used to fix multiple files in one go. We hope this blog helped you.

Kernel Photo Repair