• facebook
  • twitter
  • linkedin

Read time 7 minutes

Are you a victim of STOP/DJVU ransomware, and have been not able to access files on your machine? Are you indecisive about what to do next? Well, the first step would be not to pay the attacker. What next? Let us take you through it. You will need a little in-depth understanding as there is no simple solution to this kind of problem. Further, you need to be better prepared to avoid such attacks in the future.


Ransomware is a type of malware that blocks a user’s access to the data or threatens to make it public unless the user/victim agrees to pay a ransom. Ransomware is based on using cryptography to develop malicious software. Often, attackers use a trojan disguised as a legitimate file that spreads quickly into the system and encrypts the files. These files are locked by the malware and can only be accessed by decryption using the cryptographic key. Usually, the malware creates a message file on the system, informing the victim of the attack and how to pay the ransom in exchange for a decryption key.

What is STOP/DJVU Ransomware?

DJVU ransomware belongs to the STOP family of ransomware. It was first observed around December 2018 and has been very actively attacking users all around the world. It is mostly packaged in software crack packages, keygens, or adware bundles available on torrent sites or other platforms. Once the infected file is run, the trojan quickly spreads encryption malware in the background infecting the system at a very fast pace. Main file types targeted are .doc, .pdf, .jpg, .jpeg, .mp4 and other popular file/application formats. The ransomware doesn’t encrypt the file completely, but only around 5 MB of it. Once the malware encrypts the files, files are updated with .djvu extension or other similar extensions. Further, _openme.txt or _readme.txt files appear on the desktop. These files are basically ransom notes and contain details about the mode of payment and other such details.

Example of Ransom note:

DJVU Ransomware

The virus also deletes disk backups, updates Windows registry entries, and updates various other system files, which makes it almost impossible to restore or recover the impacted data and files.

How to decrypt JPEG files affected by DJVU?

Let us just explain a little about the ransomware before we move further. DJVU cryptoware encrypts your files using a single key. If your PC is connected to the Internet, it may use the key online. However, if, for some reason, the system is not able to connect to their server, it uses an encryption key bundled in malware code. If this is the case, the decryption of files is possible without paying a ransom.

Now, we have explained all that you need to know to proceed further. You are aware of how the attack has worked so far. It will be easy to understand each of the steps we suggest from here on.

  • STEP 1 – Scan and fix system using anti-virus and anti-malware software
    By now, you are aware that your system contains software that led to the current situation. First ensure that you get rid of the culprit file. If you skip this step, you may land into the same problem again, as the culprit file would still be residing on your system.
    So, scan your computer using a well-known anti-virus and anti-malware software such as Avast or McAfee. It may be slow, but make sure a full scan of your system is complete, and the malicious files and processes have been removed.
  • STEP 2 – Identify if encryption was done using offline or online Key
    You need to search your system for SystemID.txt and PersonalID.txt files. These files are created by DJVU software and contain the encryption IDs used. You can find a reference to the personal ID in the _readme.txt file. All the offline keys end with a “t1”. If you are able to find these key files, it will be easier for you to recover your data and access your .jpeg and other infected files one again.
  • STEP 3 – Use decryptor software to fix offline key encryption
    Once you have discovered the offline key and Personal ID, you can use any of the free decryptor software available online to decrypt your jpeg files such as Emsisoft STOP Djvu decryptor.
  • STEP 4 – Use a professional image repair tool
    If you are not able to find any personal ID or encryption keys mentioned in step 2, your system has probably been encrypted using online key/keys. You may not be able to decrypt your files even with the help of expert decryption tools. But, you can use the Kernel Photo Repair tool to get back your inaccessible and impacted JPEG files. It has the extraordinary capability to fix any kind of error occurring in the photos including an unknown or invalid JPEG marker type is found, and major corruption issues as well.

    Below is the step-by-step manual on how to use this tool:

    1. Download the software from the official website and install it.
    2. Once the software is installed, run it in your system.
    3. Once the tool opens, click on the Add icon available on the home screen of the application.
      Photo Repair
    4. Next, choose all the impacted photos that need to be repaired, and click on the Open button once selected.
       choose all the impacted photos
    5. Now, click on the ‘Repair Files’ button.
      click on the Repair Files button

      Note: You can click on the (+) sign on the top right to add more files or (-) sign to remove unwanted files.

    6. Select the output path as per desire and click OK.
      Select the output path
    7. At this point, the tool starts to repair the files one by one. You can see the progress and updates under Status column.
      tool starts to repair the files one by one
    8. Lastly, click on the ‘Close’ button to finish.
      click on the Close button

      Note: You can choose to save the report by clicking on the ‘Save report to CSV’ button.

      Now, your photos should be repaired. You can now access them in the output folder path provided during the steps mentioned above.


In this blog, we discussed what is ransomware and how these attack on victim systems. Then, we explained the DJVU ransomware and how it works. We explained the ransom notes, what kind of files are targeted by the ransomware and how the encryption of your files is done. We briefly covered the use of trojan and partial encryption of files to attack more and more files in very less time. Offline and online encryption methods were covered, and the solutions for each of the methods were explained. Lastly, we covered how to utilize this software to repair encrypted JPEG files. This tool can repair inaccessible JPEG files in no time and can be used to fix multiple files in one go. We hope this blog helped you.

Related Posts