This week, cyber security specialists have received reports of yet another ransomware named .djvu ransomware. This ransomware virus spreads via spam emails and malware files and appends the .djvu extension to encrypted files.
The .djvu ransomware is a ransomware virus that was developed to encrypt the personal files found on an infected personal computer using a hybrid AES + RSA encryption mode, adding the .djvu extension to all encrypted personal files. It can encrypt almost all types of files, including the following:
.wmv, .sis, .das, .itm, .dxg, .x3f, .wpa, .2bp, .p12, .mov, .lvl, .mlx, .rwl, .vcf, .ysp, .bkf, .ncf, .mef, .wpt, .sie, .wpd, .dwg, .wgz, .fpk, .hplg, .asset, .jpeg, .0, wallet, .wmv, .xlk, .xdl, .bc6, .yal, .odb, .wn, .r3d, .xml, .7z, .crt, .zip, .indd, .d3dbsp, .xll, .rofl, .wav, .vdf, .zdc, .wmf, .csv, .webdoc, .syncdb, .cdr, .xls, .pst, .ltx, .slm, .sb, .pkpass, .rgss3a, .srf, .hkdb, .tax, .arch00, .vpk, .xlsb, .map, .iwd, .wpw, .raf, .zi, .ptx, .itl, .wb2, .1st, .zip, .wp4, .pdd, .fos, .vfs0, .der, .txt, .lbf, .xxx, .wbk, .x3d, .kdb, .xls, .dazip, .db0, .xar, .sql, .epk, .cr2, .accdb, .docm, .mddata, .xlsx, .crw, .wpl, .mdb, .xld, .pak, .docx, .yml, .xwp, .eps, .ff, .mrwref, .wpg, .wm, .odp, .wbd, .pfx, .xx, .m2, .js, .lrf, .itdb, .rtf, .wsc, .x, .dmp, .dcr, .dng, .xy3, .wp, .mcmeta, .wsd, .tor, .wbmp, .m3u, .pem, .ods, .vpp_pc, .rar, .sum, .sidd, .jpe, .srw, .wps, .3ds, .pdf, .odt, .xpm, .dbf, .xlsx, .bkp, .snx, .t12, .x3f, .ntl, .wsh, .mdf, .gdb, .xlsm, .erf, .3fr, .xlsm, .xyw, .big, .wp5, .nrw, .sr2, .rim, .wmo, .png, .wbz, .apk, .pptm, .bc7, .layout, .flv, .iwi, .rw2, .dba, .hvpl, .psd, .3dm, .rb, .odm, .wotreplay, .w3x, .bsa, .arw, .m4a, .sid, .bay, .zdb, .py, .wbm, .p7c, .xyp, .pef, .cfr, .svg, .ppt, .z, .p7b, .doc, .wire, .fsh, .ws, .hkx, .upk, .mp4, .bar, .wdp, .1, .desc, .xdb, .ybk, .zif, .wbc, .wpb, .ibank, .icxs, .raw, .wcf, .wp7, .forge, .wma
Once the encryption procedure is done, it will create a ransom demanding message named “_openme.txt” offering to decrypt all of the user's personal files if a payment is made. You can see one of the variants of the ransom note below:
ALL YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
firstname.lastname@example.org
Reserve e-mail address to contact us:
email@example.com
Your personal ID:
The ransom demanding message encourages the victim to contact the .djvu ransomware’s makers (firstname.lastname@example.org, email@example.com) in order to decrypt all files. They will demand a ransom (usually $300-1000 in Bitcoins). We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files, especially since you have a chance to restore your files for free using free tools like ShadowExplorer and PhotoRec.
Unfortunately, at this time, victims of the .djvu ransomware virus cannot decrypt encrypted files without the actual encryption key. But you can follow our steps below to find and get rid of the .djvu ransomware virus from your PC system as well as restore encrypted photos, documents and music for free.
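To see how far the encryption has spread before you start cleaning up, the two markers described above (the appended .djvu extension and the _openme.txt note) can be searched for directly. The script below is an added example, not part of the original article or of any tool it mentions; it assumes that a genuine DjVu document starts with the bytes AT&TFORM, so that legitimate .djvu e-books are not counted as encrypted, and the sample tree it builds is constructed.

```python
import os
import tempfile

NOTE_NAME = "_openme.txt"   # ransom note name given in this article
LOCKED_EXT = ".djvu"        # extension the ransomware appends
DJVU_MAGIC = b"AT&TFORM"    # assumed first bytes of a genuine DjVu document

def classify(path):
    """Return 'note', 'locked', 'djvu-document' or None for one file."""
    name = os.path.basename(path).lower()
    if name == NOTE_NAME:
        return "note"
    if not name.endswith(LOCKED_EXT):
        return None
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(DJVU_MAGIC))
    except OSError:
        return "locked"  # unreadable: flag it for manual review
    return "djvu-document" if head == DJVU_MAGIC else "locked"

def scan(root):
    """Map each directory holding a note or locked files to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = classify(os.path.join(dirpath, fname))
            if kind in ("note", "locked"):
                entry = report.setdefault(dirpath, {"note": False, "locked": []})
                if kind == "note":
                    entry["note"] = True
                else:
                    entry["locked"].append(fname)
    return report

def demo():
    """Scan a constructed sample tree (all file contents are made up)."""
    root = tempfile.mkdtemp(prefix="djvu_triage_")
    samples = {
        ("Documents", "report.docx.djvu"): b"\x8f\x11\x02 constructed bytes",
        ("Documents", NOTE_NAME): b"constructed note text",
        ("Documents", "todo.txt"): b"untouched file",
        ("Books", "manual.djvu"): DJVU_MAGIC + b"\x00\x00\x00\x10DJVU",
    }
    for (folder, name), data in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(data)
    return root, scan(root)
```

Calling scan() on a user profile folder or a mounted backup gives the list of directories that need restoring; the script only reads files and changes nothing.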
Table of contents
- How to decrypt .djvu files
- How to remove .djvu ransomware virus
- How to restore .djvu files
- How to protect computer from .djvu ransomware
How to decrypt .djvu files
The encryption method is so strong that it’s practically impossible to decrypt .djvu files without the actual encryption key. The bad news is that the only way to get your files back is to pay a ransom to the ransomware creators for a copy of the private (encryption) key. There is absolutely no guarantee that, after you pay a ransom to the makers of the .djvu ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
With some variants of this ransomware virus, it’s possible to use Windows Shadow Copies or file restore utilities to recover personal files that have been encrypted by .djvu ransomware virus. You can use the free tools listed below in the blog post.
How to remove .djvu ransomware virus
The following instructions will allow you to delete the .djvu ransomware virus and other malicious software. Before you begin, you need to know that by removing the ransomware you may lose the ability to decrypt photos, documents and music by paying the ransomware authors the requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware infections and easily remove them from your computer, but they cannot restore encrypted personal files.
Remove .djvu ransomware with Zemana Anti-malware
We suggest you run Zemana Anti-malware, which can completely clean your computer of this virus. Moreover, the tool will help you to remove potentially unwanted apps, malware, toolbars and adware that your computer may also be infected with.
Now you can install and use Zemana Anti Malware (ZAM) to remove .djvu ransomware virus from your web browser by following the steps below:
Visit the following page to download the Zemana Anti-Malware installer called Zemana.AntiMalware.Setup to your PC. Save it on your Microsoft Windows desktop or in any other place.
Launch the setup file after it has been downloaded successfully and then follow the prompts to install this utility on your system.
During setup you can change certain settings, but we suggest you don’t make any changes to default settings.
When setup is finished, this malicious software removal tool will automatically start and update itself. You will see its main window as displayed below.
Now click the “Scan” button. The Zemana Free tool will start scanning the whole PC system to find the .djvu ransomware virus and other security threats. This procedure can take some time, so please be patient.
After Zemana has completed scanning your system, a list of all items detected is produced. Make sure all threats have a ‘checkmark’ and click the “Next” button.
Zemana AntiMalware (ZAM) will remove the .djvu ransomware related files, folders and registry keys and move the items to the program’s quarantine. After the clean up is done, you may be prompted to restart your personal computer for the changes to take effect.
Automatically remove .djvu ransomware with MalwareBytes Anti Malware (MBAM)
Removing the .djvu ransomware manually is difficult, and often the ransomware is not fully removed. Therefore, we recommend you use MalwareBytes Anti-Malware, which can completely clean your computer. Moreover, this free program will help you to remove malicious software, potentially unwanted software, toolbars and adware that your PC may also be infected with.
- MalwareBytes Anti-Malware (MBAM) can be downloaded from the following link. Save it to your Desktop.
- Once the download is finished, close all software and windows on your PC system. Open the directory in which you saved it. Double-click on the icon that’s named mb3-setup.
- Next, press the Next button and follow the prompts.
- Once setup is finished, press the “Scan Now” button to scan your PC system for the .djvu ransomware virus and other security threats. This procedure may take quite a while, so please be patient.
- Once MalwareBytes has finished scanning your PC system, MalwareBytes Anti-Malware will show you the results. All found items will be marked. You can remove them all by simply clicking “Quarantine Selected”. When that process is finished, you may be prompted to restart your personal computer.
Remove .djvu ransomware virus with KVRT
The KVRT tool is free and easy to use. It can scan for and remove ransomware viruses such as the .djvu ransomware. KVRT is powerful enough to find and delete malicious registry entries and files that are hidden on the PC.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
Once downloading is finished, double-click on the Kaspersky virus removal tool icon. Once the initialization procedure is done, you will see the KVRT screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click the Start scan button to perform a system scan for the .djvu ransomware. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your machine. While the KVRT tool is checking, you can see the number of objects it has identified as being affected by malware.
Once the scan is finished, KVRT will display a list of detected threats as shown in the figure below.
Review the report and then click on Continue to start a cleaning task.
How to restore .djvu files
In some cases, you can recover files encrypted by the .djvu ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Restore .djvu files with ShadowExplorer
A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Windows 10 (8, 7, Vista). You can restore photos, documents and music encrypted by the .djvu ransomware from Shadow Copies for free.
Download ShadowExplorer by clicking on the following link. Save it on your Desktop.
Once downloading is complete, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as on the image below.
Start the ShadowExplorer utility and then choose the disk (1) and the date (2) from which you wish to restore the shadow copy of the file(s) encrypted by the .djvu ransomware virus, as shown in the following example.
Now navigate to the file or folder that you wish to recover. When ready, right-click on it and click the ‘Export’ button as shown below.
Recover .djvu files with PhotoRec
Before a file is encrypted, the .djvu ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore apps like PhotoRec.
Download PhotoRec on your machine by clicking on the following link.
When downloading is done, open the directory in which you saved it. Right-click on testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.
Double-click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as displayed below.
Select a drive to recover as shown on the image below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as shown below.
Press the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is finished, press the OK button.
Next, press Browse button to choose where recovered personal files should be written, then click Search.
The count of restored files is updated in real time. All restored documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the restore is done, click on the Quit button. Next, open the directory where the recovered files are stored. You will see contents as displayed below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can sort your restored files by extension and/or date/time.
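When PhotoRec has produced many recup_dir.N folders, sorting by extension and date is easier with an index than by browsing each folder. The following script is an added example, not part of the original article or of PhotoRec; it assumes the recup_dir.N naming described above, and the folder it indexes in demo() is constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

RECUP_RE = re.compile(r"^recup_dir\.(\d+)$")  # PhotoRec output folder names

def recup_dirs(dest):
    """Return output folders in numeric order (recup_dir.2 before recup_dir.10)."""
    found = []
    for name in os.listdir(dest):
        match = RECUP_RE.match(name)
        if match and os.path.isdir(os.path.join(dest, name)):
            found.append((int(match.group(1)), os.path.join(dest, name)))
    return [path for _number, path in sorted(found)]

def index_by_extension(dest):
    """Map each extension to a list of (mtime, path), newest first."""
    index = defaultdict(list)
    for folder in recup_dirs(dest):
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if os.path.isfile(path):
                ext = os.path.splitext(name)[1].lower() or "(none)"
                index[ext].append((os.path.getmtime(path), path))
    return {ext: sorted(items, reverse=True) for ext, items in index.items()}

def demo():
    """Index a constructed PhotoRec-style destination folder."""
    dest = tempfile.mkdtemp(prefix="photorec_out_")
    layout = {  # constructed sample: (folder, file name) -> modification time
        ("recup_dir.1", "f0001.jpg"): 1_500_000_000,
        ("recup_dir.2", "f0002.docx"): 1_540_000_000,
        ("recup_dir.10", "f0003.jpg"): 1_545_000_000,
    }
    for (folder, name), mtime in layout.items():
        os.makedirs(os.path.join(dest, folder), exist_ok=True)
        path = os.path.join(dest, folder, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed")
        os.utime(path, (mtime, mtime))
    return dest, index_by_extension(dest)
```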
How to protect computer from .djvu ransomware
Most antivirus programs already have a built-in protection system against ransomware viruses. Therefore, if your PC does not have an antivirus application, make sure you install one. As an extra protection, run CryptoPrevent.
Use CryptoPrevent to protect your PC from .djvu ransomware virus
Download CryptoPrevent from the following link. Save it on your Microsoft Windows desktop or in any other place.
Run it and follow the setup wizard. Once the installation is finished, you’ll see a window where you can choose a level of protection, as shown in the figure below.
Now press the Apply button to activate the protection.
Now your computer should be clean of the .djvu ransomware virus. Delete Kaspersky virus removal tool and MalwareBytes Anti-Malware. We recommend that you keep Zemana Anti Malware (ZAM) to periodically scan your personal computer for new malware. You are probably running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove .djvu ransomware virus from your system, then ask for help here.