You are dealing with a newer variant of STOP (Djvu) Ransomware as explained here by Amigo-A (Andrew Ivanov). Since switching to the new STOP Djvu variants (and the release of .gero) the malware developers have been consistent in using 4-letter extensions.
The .djvu* and newer variants will leave ransom notes named _openme.txt, open.txt or _readme.txt.
Please read the first page (Post #1) of the STOP (Djvu) Ransomware Help & Support Topic AND these FAQs for a summary of this infection, its variants, any updates and possible decryption solutions using the Emsisoft Decryptor.
In regards to new variants of STOP (Djvu) Ransomware...decryption of data requires an OFFLINE ID with corresponding private key. Emsisoft can only get a private key for OFFLINE IDs AFTER a victim has PAID the ransom, receives a key and provides it to them.
If infected with an ONLINE KEY, decryption is impossible without the victim’s specific private key. ONLINE KEYS are unique for each victim and randomly generated in a secure manner with unbreakable encryption. Emsisoft cannot help decrypt files encrypted with the ONLINE KEY due to the type of encryption used by the criminals and the fact that there is no way to gain access to the criminal's command server and retrieve this KEY. ONLINE IDs for new STOP (Djvu) variants are not supported by the Emsisoft Decryptor.
The Emsisoft Decryptor will also tell you if your files are decryptable, whether you're dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is ONLINE or OFFLINE.
Emsisoft has obtained and uploaded to their server OFFLINE IDs for many (but not all) of the new STOP (Djvu) variants as noted in Post #9297 and elsewhere in the support topic.
** If there is no OFFLINE ID for the variant you are dealing with, we cannot help you unless a private key is retrieved and provided to Emsisoft. When and if the private key for any new variant is obtained it will be pushed to the Emsisoft server and automatically added to the decryptor. Thereafter, any files encrypted by the OFFLINE KEY for that variant can be recovered using the Emsisoft Decryptor. For now, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for possible future recovery of a private key for an OFFLINE ID.
There is no timetable for when or if a private key for an OFFLINE ID will be recovered and shared with Emsisoft and no announcement by Emsisoft when they are recovered due to victim confidentiality. That means victims should keep reading the support topic for updates or run the decryptor on a test sample of encrypted files every week or two to check if Emsisoft has been able to obtain and add the private key for the specific variant which encrypted your data.
** If an OFFLINE ID is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you most likely were encrypted by an ONLINE KEY and those files are not recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key. If infected with an ONLINE ID, the Emsisoft Decryptor will indicate this fact under the Results Tab and note the variant is impossible to decrypt.