.derp is the file extension used by the latest ransomware from the STOP ransomware family. Ransomware is malware created by cybercriminals to encrypt the contents of a victim’s computer; all encrypted files remain locked until a ransom is paid. Files with the .derp extension are therefore encrypted and cannot be opened.
Derp is a new version of the STOP ransomware and was recently discovered by researchers. Like previous versions, it is distributed through key generators, adware, fake cracked software, and torrents. Upon execution, Derp creates a new folder in the Windows system directory and copies itself there. It configures Windows so that the file encryption process starts automatically whenever the computer is turned on or restarted. During its initialization the ransomware also tries to contact its “Command and Control” (C&C) server to receive additional commands and to transmit information about the infected computer. If the C&C can be reached, the ransomware uses a so-called ‘online key’; if the connection to the C&C cannot be established, it uses a so-called ‘offline key’. After that, the ransomware begins to encrypt files. Everything on local and external devices, network drives, and cloud storage will be encrypted. The ransomware skips (does not encrypt) files named ‘_readme.txt’ and files with the extensions .sys, .bat, .dll, .lnk and .ini. Files with any other extension will be encrypted, including commonly used types such as:
.xlsx, .odp, .xyp, .sr2, .asset, .zip, .bc7, .wp, .bc6, .bkf, .jpeg, .dng, .der, .forge, .xll, .wps, .lbf, .xld, .mdbackup, .iwd, .raf, .gdb, .x3f, .cas, .wn, .wmd, .wri, .wsd, .wire, .wmf, .rtf, .zw, .xmind, .dmp, .png, .ztmp, .map, .ff, .erf, .z, .xy3, .yml, .xdl, .t13, .x, .rgss3a, .wp5, .wdp, .x3d, .sum, .xxx, .xlgc, .xpm, .wpg, .accdb, .odb, .ntl, .srw, .hvpl, .epk, .sb, .cfr, .wpd, .esm, .xlsb, .pem, .vfs0, .wotreplay, .mpqge, .wp7, .psk, .hplg, .db0, .pst, .1st, .t12, .sidd, .mp4, .arw, .xls, .xlsm, .xls, .ltx, .pef, .avi, .m2, .odm, .zip, .zif, .cer, .rar, .wgz, .kdc, .pkpass, .ods, .pfx, .wbm, .zabw, .w3x, .wp6, .docx, .das, .pdd, .py, .m3u, .wma, .lvl, .rb, .css, .kdb, .mdb, .wpb, .zi, .ws, .pptx, .dxg, .wot, .wbc, .xlsx, .vdf, .mov, .itm, wallet, .fpk, .raw, .wbd, .bik, .rw2, .doc, .wpe, .3fr, .dwg, .csv, .wpt, .ibank, .d3dbsp, .dba, .psd, .zdc, .p7b, .wbz, .mlx, .pak, .wpw, .wma, .z3d, .mrwref, .xlsm, .wbmp, .mddata, .qic, .sidn, .ncf, .webp, .qdf, .wav, .xar, .indd, .sid, .webdoc, .bkp, .srf, .cr2, .blob, .ybk, .snx, .2bp, .bar, .r3d, .xdb, .hkdb, .rwl, .vpp_pc, .upk, .wmv, .wpa, .wcf, .iwi, .xlk, .xbdoc, .desc, .p7c, .nrw, .slm, .flv, .1, .orf, .wsc, .fos, .odt, .yal, .wdb, .dazip, .0, .vpk, .7z, .tax, .ai, .big, .svg, .sie, .sql, .lrf, .xml, .ppt, .wbk, .re4, .xbplate, .ysp, .jpg, .ptx, .wm
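The behaviour described above (one ‘_readme.txt’ dropped per fully encrypted directory, a fixed skip list of extensions) is enough to write a small scoping script for incident response. The following is an added example, not code from the original article or from any of the tools it mentions. It walks a directory tree, counts .derp files, records which directories received the ransom note, flags directories that hold encrypted files but no note (a sign the encryption run was interrupted there, going by the article’s description), and tallies the original extensions of the encrypted files. The sample directory layout it builds in a temporary folder is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "_readme.txt"
ENCRYPTED_EXT = ".derp"
# Extensions the article says Derp leaves untouched.
SKIPPED_EXTS = {".sys", ".bat", ".dll", ".lnk", ".ini"}


def original_extension(encrypted_name):
    """Return the extension a .derp file had before encryption ('' if none)."""
    stem = encrypted_name[: -len(ENCRYPTED_EXT)]
    return Path(stem).suffix.lower()


def triage_tree(root):
    """Walk `root` and record, per directory, the signs of a Derp infection.

    A directory is reported if it holds at least one .derp file or a ransom
    note. Files that are neither encrypted, nor the note, nor in the skip
    list are listed as 'untouched': next to .derp files they suggest the
    encryption run was interrupted in that directory.
    """
    report = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        note_present = RANSOM_NOTE in filenames
        untouched = [
            f for f in filenames
            if f not in encrypted
            and f != RANSOM_NOTE
            and Path(f).suffix.lower() not in SKIPPED_EXTS
        ]
        if encrypted or note_present:
            report[dirpath] = {
                "encrypted": encrypted,
                "note": note_present,
                "untouched": sorted(untouched),
            }
    return report


def summarise(report):
    """Condense a triage report into the numbers an incident responder wants."""
    all_encrypted = [f for r in report.values() for f in r["encrypted"]]
    return {
        "total_encrypted": len(all_encrypted),
        # Note dropped: encryption finished in these directories.
        "complete_dirs": sorted(d for d, r in report.items() if r["note"]),
        # .derp files but no note: the run stopped part-way here.
        "incomplete_dirs": sorted(
            d for d, r in report.items() if r["encrypted"] and not r["note"]
        ),
        "untouched": sorted(f for r in report.values() for f in r["untouched"]),
        "original_extensions": dict(Counter(original_extension(f) for f in all_encrypted)),
    }


def build_sample_tree(base):
    """Create a constructed directory layout imitating a partial infection."""
    layout = {
        "Documents": ["report.docx.derp", "budget.xlsx.derp", RANSOM_NOTE, "settings.ini"],
        "Pictures": ["holiday.jpg.derp", "family.png"],    # no note: interrupted here
        "Windows/System32": ["driver.sys", "helper.dll"],  # only skipped extensions
    }
    for sub, names in layout.items():
        d = Path(base) / sub
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).write_bytes(b"constructed sample content\n")


def demo():
    """Run the triage over the constructed tree and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        summary = summarise(triage_tree(tmp))
    # Drop the temporary prefix so directory names are readable and stable.
    for key in ("complete_dirs", "incomplete_dirs"):
        summary[key] = [os.path.relpath(d, tmp) for d in summary[key]]
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use it on a real machine, call `summarise(triage_tree(r"C:\Users"))` (or any drive root) from a clean system with the affected disk mounted; the original-extension tally tells you which data types were hit and the incomplete-directory list tells you where the run stopped.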
The encryption process is very fast. Derp ransomware encrypts files directory by directory, file by file. When all the files in a directory are encrypted, the ransomware drops a file named ‘_readme.txt’ into that directory and proceeds to the next one. The ‘_readme.txt’ file is the ransom note. An example of the contents of this file is presented below.
The ransom note contains a message from the Derp authors stating that all files have been encrypted and the only way to decrypt them is to pay a ransom. The attackers demand $490. If the ransom is not paid within 72 hours, the amount increases to $980. To let the victim verify that decryption is possible and to obtain the payment address, the criminals left two email addresses. Of course, there is no guarantee that after payment they will provide the victim with the key and decryptor needed to decrypt the files.
| | |
|---|---|
| Type | Ransomware, Crypto virus, File locker, Filecoder, Crypto malware |
| Encrypted files extension | .derp |
| Contact | firstname.lastname@example.org, email@example.com, firstname.lastname@example.org |
| Ransom amount | $490, $980 if paid after 72 hours |
| Detection Names | Trojan/RansomWin32.Stop, Ransom.Win32.STOP, Trojan/TR.Crypt, W32Kryptik |
| Symptoms | Files encrypted with the .derp extension. Your photos, documents and music fail to open. A file named ‘_readme.txt’ in every folder with an encrypted file. |
| Distribution ways | Malicious spam, torrents, exploit kits, adware, social media, cracks, RDP hacking. |
| Removal | To remove Derp ransomware use the removal guide |
| Decryption | free Derp decryptor |
Unfortunately, the claim in the ‘_readme.txt’ file that the encrypted files cannot be decrypted is true; in this the criminals do not deceive their victims. Derp ransomware uses a strong encryption algorithm, which makes decryption impossible without a unique key that is held by the attackers. Despite this, researchers have created a free decryptor that can decrypt files in some cases, and it has already helped victims unlock their data. There are also several other methods that give a small chance of recovering the data in encrypted files. Read more about the free decryptor and how to restore encrypted files to their original state in the next part of this article.
- How to remove Derp ransomware virus
- How to decrypt .derp files
- How to restore .derp files
- How to protect your computer from Derp ransomware?
How to remove Derp ransomware virus
You cannot start decrypting or recovering encrypted files without first making sure that the ransomware has been completely removed. Otherwise the recovered or decrypted files may become the target of the ransomware again and be encrypted once more, and the contents of any drive connected to the infected computer will also be encrypted. To remove Derp, you need to identify and stop its active process, then find and delete all its files and folders. Doing this manually is not always easy for the average user, so we recommend using malware removal tools. Below we list some of the most popular; you can find more free removal utilities here. Each of them has a fast scanner and can detect and remove various security threats, including ransomware, trojans, worms, adware, browser hijackers and other malware.
How to remove Derp with Zemana
Zemana AntiMalware is a program that we recommend using to completely remove Derp from your computer. It can remove not only ransomware, but also other malware, such as spyware, trojans, worms, adware, browser hijackers and so on. The big plus of this program is that it is easy to use for an average user. The program is small in size and can be quickly installed. Immediately after installation, it will automatically update itself and begin a full computer scan. The malware found can be removed for free by clicking one button.
Download Zemana from the following link. Save it on your Windows desktop.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the downloading process is complete, close all software and windows on your computer. Double-click the install file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown on the screen below, click the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana Anti-Malware (ZAM) on your machine. Follow the prompts and do not make any changes to default settings.
Once installation is complete successfully, Zemana will automatically start and you can see its main screen as displayed in the figure below.
Now click the “Scan” button to perform a system scan with this tool for Derp ransomware, other malware, worms and trojans. Depending on your system, the scan can take anywhere from a few minutes to close to an hour. While the Zemana Free program is checking, you can see how many objects it has identified as threats.
When Zemana AntiMalware (ZAM) completes the scan, it will show the Scan Results. Make sure the detected threats are ticked and then press the “Next” button. Zemana Anti Malware (ZAM) will delete Derp related folders, files and registry keys. Once finished, you may be prompted to restart the PC.
Remove Derp with HitmanPro
HitmanPro is a very popular malware removal tool and certainly one of the best utilities to remove ransomware, adware, spyware, trojans, worms and other security threats. It has a large threat database, which is automatically updated every time the program starts. Hitman Pro does not require installation and therefore can be very useful when you need to remove ransomware quickly.
First, please go to the link below, then click the ‘Download’ button in order to download the latest version of HitmanPro.
Category: Security tools
Update: June 28, 2018
Download and run HitmanPro on your PC. Once started, click the “Next” button to check your machine for Derp ransomware. This procedure can take some time, so please be patient. During the scan HitmanPro will list the threats present on your PC.
When the scanning is complete, you can check all threats detected on your computer.
Once you have selected what you wish to remove from your PC, click the Next button.
It will show a prompt, press the “Activate free license” button to begin the free 30 days trial to remove all malicious software found.
Remove Derp virus with Kaspersky virus removal tool
Kaspersky virus removal tool (KVRT) is free and easy to use. Although free, KVRT has a very good reputation, as it is based on the core of Kaspersky Anti-Virus. It does not need to be installed and uses minimal system resources while running. Just run and let it do its job.
Download Kaspersky virus removal tool from the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is finished, double-click on the KVRT icon. Once initialization procedure is done, you will see the Kaspersky virus removal tool screen as shown in the following example.
Click Change Parameters and tick all your drives. Click OK to close the Parameters window. Next click the Start scan button to check your PC for Derp and other malicious software. While the KVRT program is scanning, you can see how many objects it has identified as threats.
When Kaspersky virus removal tool completes the scan, KVRT will display the results as shown in the figure below.
When you’re ready, click on Continue to start a cleaning task.
How to decrypt .derp files
As we already reported above, all files that have the extension ‘.derp’ are encrypted, their contents cannot be unlocked simply by deleting the extension or renaming the files. Fortunately, Emsisoft created a free decryptor that aims to decrypt files encrypted with ransomware belonging to STOP DJVU family.
How to decrypt .derp files with free decryptor:
- Open the page STOP Djvu decryptor.
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Unfortunately, this decryptor cannot decrypt files in all cases of ransomware infection. At the moment, you can only decrypt files that were encrypted with an offline key. If the files were encrypted with an online key, such files cannot be decrypted.
How to determine which key Derp used to encrypt the files? First, look at the Personal ID given in the ‘_readme.txt’ file (ransom note). Alternatively, look on drive ‘C’ for the ‘SystemID\PersonalID.txt’ file; this is the file in which Derp ransomware stores the Personal IDs used for encryption.
If the ID ends in ‘t1’, you are lucky: your files were encrypted with an offline key, and once researchers find this key you can decrypt your files. In this case, use the STOP Djvu Ransomware Decryptor linked above. If your Personal ID does not end with ‘t1’, the ransomware used an online key. Even so, there is a small chance of recovering encrypted files; this method is discussed in the next part of the article.
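The ‘t1’ check above is easy to get wrong by eye on a long ID, so here it is as an added example script (not code from the article or from the Emsisoft decryptor). It pulls the Personal ID out of a ransom note and out of a copy of ‘SystemID\PersonalID.txt’, classifies each ID as offline or online, and maps it to the recovery path the article describes. The sample note text and IDs are constructed; the note wording around the ID line and the one-ID-per-line layout of PersonalID.txt are assumptions, so adjust the regular expression if your note looks different.

```python
import re

OFFLINE_ID_SUFFIX = "t1"  # the article: IDs of offline keys end in 't1'

# Constructed sample ransom note. The wording is an assumption; only the
# 'personal ID' line is used by the parser below.
SAMPLE_NOTE = """\
ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted.
...
Your personal ID:
0123456789abcdefghijklmnopqrstuvwxyzABCDt1
"""

# Constructed sample of C:\SystemID\PersonalID.txt as it might look after
# two encryption runs (one offline, one online). One ID per line is assumed.
SAMPLE_PERSONALID_FILE = """\
0123456789abcdefghijklmnopqrstuvwxyzABCDt1
ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210abcdEF
"""

# Matches 'personal ID:' (any case) followed by the ID on the same or next line.
ID_IN_NOTE = re.compile(r"personal\s+id\s*:?\s*([A-Za-z0-9]+)", re.IGNORECASE)

ADVICE = {
    "offline": "offline key: try the STOP Djvu decryptor once the key is known",
    "online": "online key: the decryptor cannot help; try shadow copies or data recovery",
}


def classify_id(personal_id):
    """Return 'offline' if the ID marks an offline key, otherwise 'online'."""
    return "offline" if personal_id.strip().endswith(OFFLINE_ID_SUFFIX) else "online"


def ids_from_note(note_text):
    """Extract every Personal ID mentioned in a ransom note."""
    return ID_IN_NOTE.findall(note_text)


def ids_from_personalid_file(file_text):
    """Extract the IDs stored one per line in SystemID\\PersonalID.txt."""
    return [line.strip() for line in file_text.splitlines() if line.strip()]


def assess(ids):
    """Map each ID to (key type, recovery advice from the article)."""
    return {pid: (classify_id(pid), ADVICE[classify_id(pid)]) for pid in ids}


def decryptable_offline(ids):
    """True if at least one ID points at an offline key."""
    return any(classify_id(pid) == "offline" for pid in ids)


if __name__ == "__main__":
    found = ids_from_note(SAMPLE_NOTE) + ids_from_personalid_file(SAMPLE_PERSONALID_FILE)
    for pid, (kind, text) in assess(found).items():
        print(f"{pid} -> {kind}: {text}")
```

On a real case, read the note with `open(r"C:\Users\<name>\Desktop\_readme.txt", encoding="utf-8", errors="replace").read()` and the ID file from `C:\SystemID\PersonalID.txt`, then pass the combined list to `assess`; if PersonalID.txt contains several IDs, every one of them must be offline for the decryptor to recover everything.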
How to restore .derp files
If the free decryptor skips encrypted files, saying that it cannot decrypt the files, then most likely these files are encrypted with an online key or an offline key has not yet been found. In this case, you still have a small chance to recover your files. We recommend that you try using data recovery tools. Be sure to check your computer for malware before trying them. You have to be completely sure that Derp ransomware has been removed.
Recover .derp encrypted files using Shadow Explorer
One of the ways to restore encrypted files to their original state is to restore them from their Shadow copies. Shadow Volume Copies are copies of files that Windows automatically saves as part of system protection. This is a fantastic feature that makes it easy to recover all files. Unfortunately, in most cases ransomware removes Shadow copies, but in some infections they remain untouched.
Download Shadow Explorer from the following link. Save it on your Desktop.
Category: Security tools
Update: September 15, 2019
When the downloading process is complete, extract the downloaded file to a folder on your PC. This will create the necessary files as on the image below.
Start the ShadowExplorerPortable application. Now choose the date (2) that you wish to recover from and the drive (1) you wish to recover files (folders) from as on the image below.
In the right panel, navigate to the file (folder) you wish to restore. Right-click the file or folder and press the Export button as displayed in the following example.
Finally, specify a directory (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.
Recover .derp files with PhotoRec
The last option to recover encrypted files is to use data recovery tools. These utilities work because deleted files do not actually disappear; they are simply marked as ‘deleted’ and hidden from the user. Data recovery tools look for such files and restore access to them. Although this method does not guarantee the recovery of all encrypted files, you may be able to recover at least some of them. To find and restore files, we recommend using a program called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec by clicking on the following link. Save it on your Windows desktop or in any other place.
Category: Security tools
Update: March 1, 2018
Once downloading is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as on the image below.
Choose a drive to recover as shown below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as displayed on the image below.
Click the File Formats button and choose the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, click Browse button to choose where recovered files should be written, then click Search.
The count of restored files is updated in real time. All recovered personal files are written to the folder you selected in the previous step. You can access the files even if the recovery process has not finished.
When the restore is finished, press on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as displayed in the figure below.
All recovered personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort the recovered files by extension and/or date/time.
How to protect your computer from Derp ransomware?
Most modern antivirus programs already have ransomware protection. But this protection is not always effective enough. As an additional layer of protection, we recommend using HitmanPro.Alert. It is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files.
HitmanPro.Alert can be downloaded from the following link. Save it on your Windows desktop.
Category: Security tools
Update: March 6, 2019
Once the download is finished, open the directory in which you saved it. You will see an icon like below.
Double-click the HitmanPro Alert desktop icon. When the tool is launched, you will see a window where you can choose a level of protection, as shown on the image below.
Now click the Install button to activate the protection.
To sum up
We hope that this instruction helped everyone to find answers to questions: How to remove ransomware, how to restore or decrypt .derp files. If you have questions or need additional help, write to us.