
MyAntiSpyware

.Topi file extension. Remove virus. Restore, Decrypt .topi files.

Myantispyware team January 23, 2020    

Topi file extension

The .topi file extension is the extension that the newest variant of STOP (Djvu) ransomware uses to mark files that it has encrypted. Ransomware is malware created by criminals that restricts access to the victim’s files by encrypting them and then demands a ransom for the key and decryptor needed to decrypt them. Files encrypted with the .topi extension become useless: their contents cannot be read without the key that the criminals hold. Fortunately, there is a free decryptor which, in some cases, can decrypt .topi files. It is described in detail in this article.

Files encrypted with .Topi extension

Screenshot of files encrypted by Topi virus (‘.topi’ file extension)

Topi virus

Topi virus is the latest version of STOP ransomware, which was discovered by security researchers some days ago. This is already the 200th variant (v0200) of STOP ransomware. Like other variants, it encrypts all files on the computer and then demands a ransom for decryption. This virus encrypts files using a strong encryption method, which eliminates the possibility of finding the key in any way. For each victim, Topi uses a unique key, with one exception: if the virus cannot establish a connection with its command and control (C&C) server before starting the encryption process, it uses an offline key. This key is the same for different victims, which makes it possible in some cases to decrypt files that were encrypted during the ransomware attack.

What is offline key

Topi can encrypt files of any type, regardless of their contents, but it skips files with the extensions .ini, .dll, .lnk, .bat and .sys, and files named ‘_readme.txt’. Thus, the following common file types can easily be encrypted:

.wma, .wpd, .xls, .kf, .docm, .rgss3a, .xlgc, .mdf, .sum, .blob, .odb, .wot, .lrf, .bkp, .forge, .bkf, .pdd, .lvl, .xll, .dazip, .py, .rwl, .wpt, .wp4, .iwi, .sidd, .wn, .sid, .ws, .wpe, .xdb, .xlsm, .der, .xx, .x3d, .xf, .cdr, .qic, .pem, .pdf, .tor, .3dm, .webp, .arw, .wmo, .csv, .jpg, .hplg, .xlk, .psd, .wbmp, .7z, .xxx, .d3dbsp, .xls, .tax, .slm, .lbf, .zabw, .accdb, .wgz, .wsc, .odc, .wcf, .zdc, wallet, .ppt, .xwp, .wdb, .srw, .rb, .gdb, .doc, .wp6, .kdc, .yal, .vdf, .das, .x3f, .wm, .pfx, .wire, .wbm, .pak, .mov, .r3d, .fos, .xpm, .epk, .mpqge, .map, .xlsm, .xdl, .dxg, .wmv, .bsa, .p7b, .ncf, .pkpass, .m4a, .dng, .bc6, .wpb, .3fr, .0, .sr2, .webdoc, .ybk, .vpk, .xml, .icxs, .mlx, .mrwref, .xbplate, .qdf, .css, .asset, .wmd, .big, .fpk, .psk, .wri, .dwg, .wpa, .wpd, .hkx, .wbd, .raf, .xyw, .mddata, .z, .jpeg, .ff, .vfs0, .txt, .m2, .ai, .pptm, .raw, .wp, .mp4, .orf, .xld, .odm, .itdb, .t12, .bik, .upk, .w3x, .avi, .layout, .re4, .wp5, .1, .png, .kdb, .ods, .wmv, .p12, .apk, .mef, .m3u, .sql, .cr2, .cfr, .dmp, .srf, .p7c, .1st, .xar, .sis, .ysp, .wpw, .pef, .rw2, .zi, .xbdoc, .hvpl, .odp, .rtf, .ztmp, .wp7, .wbc, .nrw, .rim, .zip, .bay, .bc7, .xy3

Each encrypted file is renamed: the ‘.topi’ extension is appended to its name. For example, a file called ‘document.docx’ will be named ‘document.docx.topi’ after encryption. Topi virus can encrypt files located on all drives connected to the computer, so files on network attached storage and external devices can also be encrypted. It encrypts file by file; when all the files in a directory are encrypted, it drops a new file called ‘_readme.txt’ in that directory. Below is the contents of this file.

Topi ransomnote

Every directory with encrypted files contains this file, and its contents are the same everywhere. The file contains a message from the Topi creators. In this message, the criminals report that all the files were encrypted and that the only way to decrypt them is to buy a decryptor and key. The attackers demand a ransom of $490; if the victim does not pay within 72 hours, the ransom doubles to $980. The Topi authors left two email addresses that the victim must use to contact them. To confirm that decryption is possible, the criminals offer to decrypt for free one file that does not contain important information. But it is obvious that there is no guarantee that, even after paying the ransom, the victim will be able to decrypt all the files that have been encrypted.
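The renaming scheme, skip list and ransom note described above are enough to measure how far the encryption got before any recovery is attempted. The following Python script is an added example, not part of the original guide; the function names and the sample directory tree are constructed for illustration, and treating a folder that has .topi files but no ‘_readme.txt’ as interrupted is an inference from the description above.

```python
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".topi"      # appended to each encrypted file (from the guide)
RANSOM_NOTE = "_readme.txt"     # dropped into a folder once it has been processed
SKIPPED_EXTENSIONS = {".ini", ".dll", ".lnk", ".bat", ".sys"}  # skip list from the guide


def inventory(root):
    """Classify every file under `root`; paths are reported relative to `root`."""
    root = Path(root)
    report = {"encrypted": {}, "skipped": [], "untouched": [], "note_dirs": set()}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in files:
            rel = (rel_dir / name).as_posix()
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report["note_dirs"].add(rel_dir.as_posix())
            elif lower.endswith(ENCRYPTED_SUFFIX):
                # Map the current name to the original name, for matching
                # against files restored from shadow copies.
                report["encrypted"][rel] = name[: -len(ENCRYPTED_SUFFIX)]
            elif Path(name).suffix.lower() in SKIPPED_EXTENSIONS:
                report["skipped"].append(rel)
            else:
                report["untouched"].append(rel)   # not renamed: may still be intact
    report["skipped"].sort()
    report["untouched"].sort()
    return report


def original_types(report):
    """Count encrypted files by original extension, e.g. to choose PhotoRec file formats."""
    return Counter(Path(orig).suffix.lower() for orig in report["encrypted"].values())


def interrupted_dirs(report):
    """Folders with .topi files but no ransom note (inference: encryption stopped there)."""
    encrypted_dirs = {Path(rel).parent.as_posix() for rel in report["encrypted"]}
    return sorted(encrypted_dirs - report["note_dirs"])


def build_sample_tree(root):
    """Constructed sample data: empty files laid out like an affected user profile."""
    for rel in ("docs/document.docx.topi", "docs/photo.jpg.topi", "docs/_readme.txt",
                "docs/desktop.ini", "work/report.xlsx.topi", "work/notes.txt",
                "clean/manual.pdf"):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


def sample_report():
    """Build the constructed tree in a temporary folder and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    # Pass a folder to scan, or run without arguments to use the constructed sample.
    report = inventory(sys.argv[1]) if len(sys.argv) > 1 else sample_report()
    print(f"{len(report['encrypted'])} encrypted, {len(report['untouched'])} not renamed")
    print("original types:", dict(original_types(report)))
    print("folders without a ransom note:", interrupted_dirs(report))
```

The script only reads directory listings, so it can be run against a mounted copy of the affected disk.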

Threat Summary

Name: Topi
Type: Filecoder, Crypto malware, Ransomware, Crypto virus, File locker
Encrypted files extension: .topi
Ransom note: _readme.txt
Contact: helpmanager@firemail.cc, helpmanager@iran.ir
Ransom amount: $980, $490 in Bitcoins
Detection names: Trojan/Win32.MalPe, Ransom:Win32/Kryptik, Win32:TrojanX-gen [Trj], Trojan.GenericKD.42261545, Trojanransom.Stop, Win.Packed.Glupteba-7548218-1, W32/Trojan.BGUJ-7139, Trojan.Siggen9.4539, Win32/Kryptik.HAIP, Trojan.Win32.Crypt, Trojan.Stop.cg, Trojan-Ransom.Win32.Stop.ie, Win32/Trojan.Ransom.fcb, Ransom_Stop.R023C0WAJ20
Symptoms: Your documents, photos and music have a new extension appended at the end of the file name. Files named ‘_readme.txt’ or ‘_readme’ appear in every folder with an encrypted file. You have received instructions for paying the ransom.
Distribution methods: Torrent websites. Email attachments. Exploit kits (cybercriminals use a crypto virus packaged in an ‘exploit kit’ that can find a vulnerability in a Web browser, the Microsoft Windows operating system, a PDF reader or Adobe Flash Player). Cracked games. Social media posts (they can be used to trick users into downloading malware with a built-in ransomware downloader or clicking a malicious link). Misleading web pages.
Removal: Topi virus removal guide
Decryption: Free Topi Decryptor

 

Topi authors claim that it is impossible to decrypt files that have been encrypted. Until recently, this was so. Now, with the advent of STOP (Topi) decryptor, files can be decrypted in some cases, namely when they were encrypted with the offline key that we talked about earlier. In all remaining cases, decryption is not yet possible. But there are several alternative ways that can allow you to recover the contents of encrypted files.

How to remove Topi ransomware virus & Decrypt .topi files

If your files were encrypted with Topi virus, we recommend using the following steps, which will allow you to remove the ransomware and decrypt (restore) the encrypted files. Read this entire manual first, then open it on your smartphone or print it, so that it is more convenient to carry out all the necessary actions.

  1. How to remove Topi virus
  2. How to decrypt .topi files
  3. How to restore .topi files

How to remove Topi virus

We do not recommend starting to decrypt or restore files immediately; that would be a mistake. The best way is to go step by step: scan your computer for ransomware, detect and remove Topi virus, then decrypt (recover) the encrypted files. To search for ransomware, we recommend using free malware removal tools. It is very important to use multiple malware removal tools to identify and remove Topi. Each of the tools used should be based on a different anti-virus (anti-malware) engine. This is the only way to make sure that the ransomware was found and completely removed.




Remove Topi virus with Zemana Anti Malware

Zemana is one of the best in its class. It can find and remove a wide range of security threats, including ransomware, spyware, trojans, adware, worms and malicious software that masquerades as legitimate computer programs. Zemana also includes another tool called FRST, a helpful program for manual removal of files and parts of the Windows registry created by ransomware.

First, visit the page linked below, then click the ‘Download’ button in order to download the latest version of Zemana.

Zemana AntiMalware
164978 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

After the download is complete, close all software and windows on your machine. Open the directory in which you saved the file. Double-click the icon called Zemana.AntiMalware.Setup, as shown in the following example.

Zemana Anti-Malware icon

When the install begins, you will see the “Setup wizard” which will help you install Zemana Anti-Malware (ZAM) on your machine.

Zemana AntiMalware SetupWizard

Once installation is done, you will see a window as shown below.

Now press the “Scan” button to begin checking your personal computer for the Topi crypto virus, other malicious software, worms and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your PC.

Zemana Anti-Malware find Topi ransomware virus, other malware, worms and trojans

When the scan ends, you can check all the items detected on your PC. Review the scan results and then click the “Next” button.

Zemana Anti Malware (ZAM) scan is done

The Zemana AntiMalware (ZAM) will begin to remove Topi ransomware, other malicious software, worms and trojans.

Remove Topi with MalwareBytes AntiMalware (MBAM)

You can remove Topi automatically through the use of MalwareBytes Free. We recommend this malicious software removal utility because it can easily remove ransomware viruses, adware, spyware, trojans and other malware with all their components such as files, folders and registry entries.

MalwareBytes Anti-Malware (MBAM) can be downloaded from the following link. Save it on your Desktop.

Malwarebytes Anti-malware
327221 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

After the download is finished, close all apps and windows on your computer. Double-click the setup file called mb3-setup. If the “User Account Control” dialog box pops up as shown below, click the “Yes” button.

MalwareBytes for Windows uac dialog box

It will open the “Setup wizard” that will help you set up MalwareBytes Free on your personal computer. Follow the prompts and don’t make any changes to default settings.

MalwareBytes for MS Windows install wizard

Once the install completes successfully, click the Finish button. MalwareBytes Anti Malware will start automatically and you will see its main screen, as in the image below.

MalwareBytes AntiMalware (MBAM) for Microsoft Windows

Now click the “Scan Now” button to detect Topi ransomware virus, other malware, worms and trojans. When malicious software, adware or potentially unwanted applications are found, the number of security threats will change accordingly. Wait until the check is finished.

MalwareBytes Free for Microsoft Windows detect Topi ransomware virus, other kinds of potential threats such as malicious software and trojans

When the scan ends, MalwareBytes Free will show a scan report. You can delete items (move them to Quarantine) by simply pressing the “Quarantine Selected” button. MalwareBytes will remove Topi crypto malware, other malicious software, worms and trojans. When the task is done, you may be prompted to reboot the machine.

MalwareBytes AntiMalware (MBAM) for MS Windows restart prompt

We suggest you look at the following video, which completely explains the procedure of using the MalwareBytes to remove adware software, hijacker and other malicious software.

Remove Topi ransomware virus from machine with Kaspersky virus removal tool

If MalwareBytes anti-malware or Zemana anti malware cannot remove this crypto malware, then we recommend running Kaspersky virus removal tool (KVRT). KVRT is a free removal utility for crypto viruses, adware, spyware, trojans, worms and other malware.

Download Kaspersky virus removal tool (KVRT) on your computer from the link below.

Kaspersky virus removal tool
129278 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

After the download is complete, double-click the KVRT icon. Once the initialization process is finished, you’ll see the KVRT screen as shown below.

KVRT main window

Click Change Parameters and tick the checkboxes next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button to scan your personal computer for the Topi crypto virus and other malicious software. This task can take some time, so please be patient. While the KVRT utility is scanning, you can see how many objects it has identified as being affected by malicious software.

Kaspersky virus removal tool scanning

After the scan is finished, KVRT will show a scan report like below.

Kaspersky virus removal tool scan report

Once you’ve selected what you want to delete from your computer, press Continue to begin the cleaning process.

How to decrypt .topi files

All files with the ‘.topi’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. To decrypt .topi files, you need a decryptor. Fortunately, Emsisoft has created a free decryptor called STOP Djvu decryptor.

STOP Djvu decryptor

To decrypt .topi files, use free STOP (Topi) decryptor

  • Download STOP (Djvu) decryptor from the following link.
    STOP Djvu decryptor
  • Scroll down to ‘New Djvu ransomware’ section.
  • Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
  • Run decrypt_STOPDjvu.exe, read the license terms and instructions.
  • On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
  • Click the ‘Decrypt’ button.

STOP (Topi) decryptor is a free tool that allows everyone to decrypt .topi files for free. At the moment, the decryptor can only decrypt files that have been encrypted with an offline key. Unfortunately, if the files were encrypted with an online key, then the free decryptor is completely useless.

How to find out which key was used to encrypt files

Since STOP (Topi) decryptor only decrypts files encrypted with the offline key, each Topi victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use either of them.

Topi personal id

Personal ID is highlighted here

Find out the type of key using ‘_readme.txt’ file

  • Open the ransom demand message (‘_readme.txt’ file).
  • Scroll down to the end of the file.
  • There you will see a line with the text ‘Your personal ID’.
  • Below is a line of characters that starts with ‘0195’ – this is your personal id.

Find out the type of key using ‘PersonalID.txt’ file

  • Open disk C.
  • Open directory ‘SystemID’.
  • Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.

The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Topi virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
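The two checks above can be scripted. This Python example is added here and is not code from Emsisoft or from the original guide; the sample IDs and note text are constructed, and treating an ID as a single alphanumeric token of 20 or more characters is an assumption.

```python
import re
from pathlib import Path

OFFLINE_SUFFIX = "t1"                      # per the guide: an ID ending in 't1' = offline key
ID_RE = re.compile(r"^[0-9A-Za-z]{20,}$")  # assumption: an ID is one long alphanumeric token
PERSONAL_ID_FILE = Path(r"C:\SystemID\PersonalID.txt")  # location given in the guide

# Constructed sample values, not real victim IDs or real ransom-note text.
SAMPLE_ONLINE_ID = "0200ConstructedOnlineSampleId000000000000"
SAMPLE_OFFLINE_ID = "0200ConstructedOfflineSampleId00000000t1"
SAMPLE_NOTE = ("(constructed placeholder, not the real note text)\n\n"
               "Your personal ID:\n" + SAMPLE_ONLINE_ID + "\n")
SAMPLE_PERSONALID = SAMPLE_ONLINE_ID + "\n" + SAMPLE_OFFLINE_ID + "\n"


def id_from_readme(text):
    """Return the ID that follows the 'Your personal ID' line of a ransom note, or None."""
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        if "your personal id" not in line.lower():
            continue
        # The ID may share the line (after a colon) or sit on the next non-empty line.
        same_line = line.split(":", 1)[1].strip() if ":" in line else ""
        for candidate in [same_line, *lines[i + 1:]]:
            if candidate:
                return candidate if ID_RE.match(candidate) else None
    return None


def ids_from_personalid_file(text):
    """PersonalID.txt can list several IDs; return each distinct one in file order."""
    seen = []
    for token in text.split():
        if ID_RE.match(token) and token not in seen:
            seen.append(token)
    return seen


def key_type(personal_id):
    """Apply the guide's rule to a single ID."""
    return "offline" if personal_id.endswith(OFFLINE_SUFFIX) else "online"


def triage(readme_text="", personalid_text=""):
    """Classify every ID found in either source and summarise what it means for recovery."""
    ids = ids_from_personalid_file(personalid_text)
    note_id = id_from_readme(readme_text)
    if note_id and note_id not in ids:
        ids.append(note_id)
    kinds = {pid: key_type(pid) for pid in ids}
    found = set(kinds.values())
    if not found:
        verdict = "no-id-found"
    elif found == {"offline"}:
        verdict = "offline-only"   # decryptor can work once the offline key is known
    elif found == {"online"}:
        verdict = "online-only"    # decryptor cannot help; use the restore methods
    else:
        verdict = "mixed"          # some files may decrypt, the rest need restoring
    return kinds, verdict


if __name__ == "__main__":
    # Use the real PersonalID.txt when it exists, otherwise the constructed samples.
    on_disk = PERSONAL_ID_FILE.exists()
    text = PERSONAL_ID_FILE.read_text(errors="replace") if on_disk else SAMPLE_PERSONALID
    kinds, verdict = triage("" if on_disk else SAMPLE_NOTE, text)
    for pid, kind in kinds.items():
        print(f"{kind:8} {pid}")
    print("verdict:", verdict)
```

A “mixed” verdict means more than one key was used on the machine, so only the files tied to the offline ID are candidates for the free decryptor.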

What to do if STOP (Topi) decryptor says “Error: Unable to decrypt file with ID”

If, during decryption of .topi files, the decryptor reports ‘Error: Unable to decrypt file with ID’ and skips files without decrypting them, there are two possible reasons:

  • the files are encrypted with an ‘online key’; in this case, you need to use alternative methods to restore the contents of encrypted files;
  • the files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers; in this case, you need to be patient and wait a while, and you can also use alternative ways of recovering encrypted data.

How to restore .topi files

As we already said, STOP (Topi) decryptor can only decrypt files encrypted using the so-called ‘offline key’. What should you do when files were encrypted with an online key? Even in this case, everyone has a chance to recover the contents of encrypted files, because there are several alternative ways to restore files. None of these methods requires a decryptor or the unique key that is in the hands of the criminals. The one thing we strongly recommend (if you have not already done so) is to perform a full scan of the computer. You must be 100% sure that Topi virus has been removed. To find and remove ransomware, use the free malware removal tools.




Use shadow copies to recover .topi files

The Windows OS (10, 8, 7, Vista) has one very useful feature: it makes copies of all files that have been modified or deleted. This is done so that the user can, if necessary, recover the previous version of accidentally deleted or damaged files. These copies of the files are called ‘Shadow copies’. One tool that can help you recover files from the Shadow copies is ShadowExplorer. It is a very small tool and easy to use. Unfortunately, ransomware often deletes Shadow copies, thus blocking this method of recovering encrypted files. Nevertheless, be sure to try this method.

Click the link below to download ShadowExplorer. Save it on your MS Windows desktop.

ShadowExplorer
439619 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

After the downloading process is finished, extract the saved file to a folder on your computer. This will create the necessary files like the one below.

ShadowExplorer folder

Start the ShadowExplorerPortable application. Now choose the date (2) that you want to recover from and the drive (1) you want to recover files (folders) from as shown on the screen below.

restore encrypted files with ShadowExplorer tool

In the right panel, navigate to the file (folder) you want to restore. Right-click the file or folder and click the Export button, as shown in the following example.

ShadowExplorer recover .topi files

Finally, specify a directory (your Desktop) in which to save the shadow copy of the encrypted file and press the ‘OK’ button.

Run PhotoRec to restore .topi files

Another alternative way to recover encrypted files is to use data recovery tools. We recommend using a program called PhotoRec. This tool is free and does not require installation. Below we will show in detail how to use it to restore encrypted files.

Download PhotoRec from the link below.

PhotoRec
221287 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

After the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the following example.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as shown in the following example.

PhotoRec for windows

Select a drive to recover as shown in the figure below.

photorec select drive

You will see a list of available partitions. Select a partition that holds encrypted files as displayed below.

photorec select partition

Press the File Formats button and select the file types to restore. You can enable or disable the recovery of certain file types. When this is done, click the OK button.

PhotoRec file formats

Next, click the Browse button to choose where restored files should be written, then click Search.

photorec

The count of restored files is updated in real time. All restored files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is finished, click the Quit button. Next, open the directory where the restored files are stored. You will see contents like those shown in the image below.

PhotoRec - result of recovery

All recovered photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your restored files by extension and/or date/time.

How to protect your computer from Topi crypto virus?

Most antivirus applications already have a built-in protection system against crypto malware. Therefore, if your machine does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert. HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

First, click the following link, then press the ‘Download’ button in order to download the latest version of HitmanPro Alert.

HitmanPro.Alert
6875 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the download is complete, open the directory in which you saved it. You will see an icon like the one below.

HitmanPro.Alert file icon

Double-click the HitmanPro Alert desktop icon. When the utility starts, you will see a window where you can select a level of protection, as displayed below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Final words

This guide was created to help all victims of Topi ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .topi files; how to recover files, if STOP (Topi) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.

If you have questions, write to us by leaving a comment below. If you need more help with Topi related issues, go here.
 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

11 Comments

  1. waqas khan
    ― January 26, 2020 - 4:01 am  Reply

    Your personal ID:
    0200a7d6a8sdaw7QKfL7ftJkP6hRlscRlhoF88L7LAPDxbPO5ZJP7

    This is my ID and it’s an online key. How can I recover the file?

  2. Myantispyware team
    ― January 27, 2020 - 6:34 pm  Reply

    The “0200a7d6a8sdaw7QKfL7ftJkP6hRlscRlhoF88L7LAPDxbPO5ZJP7” ID is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the following guide: How to recover ransomware encrypted files.

  3. adnan
    ― January 28, 2020 - 4:12 am  Reply

    Your personal ID:
    0200a7d6a8sdadIuHO73VOJjLNa89OK8DbASuocu8kisW5V5LjZxa

  4. kuro
    ― January 28, 2020 - 1:05 pm  Reply

    I need a solution for decrypting topi files, online key version

  5. kuro
    ― January 28, 2020 - 1:08 pm  Reply

    because I can’t decrypt the file with other tools and Emsisoft

  6. kuro
    ― January 28, 2020 - 1:17 pm  Reply

    If I install a new Windows and format all files, can that work?

  7. Dj Cisse
    ― January 28, 2020 - 7:27 pm  Reply

    My PC and external drive were infected with ransomware, .topi online encryption
    Help me decrypt my files, please
    id on drive: 0200a7d6a8sdafXCYuWvIDxsp9K5Rbu00qUglKrrdXtDMphkSjOtr
    personal id on pc: fXCYuWvIDxsp9K5Rbu00qUglKrrdXtDMphkSjOtr

  8. fernando
    ― January 29, 2020 - 10:20 pm  Reply

    Thanks for the help!!!

  9. Myantispyware team
    ― February 5, 2020 - 12:38 am  Reply

    0200a7d6a8sdadIuHO73VOJjLNa89OK8DbASuocu8kisW5V5LjZxa
    0200a7d6a8sdafXCYuWvIDxsp9K5Rbu00qUglKrrdXtDMphkSjOtr

    These IDs are related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the following guide: How to recover ransomware encrypted files.

  10. Truong Pham
    ― February 9, 2020 - 9:32 am  Reply

    My ID : 0200a7d6a8sdaraicsJTWJ0meR9WNDJuGREMk9N3arQVRie5fJMZb, Help me please

  11. Myantispyware team
    ― March 2, 2020 - 9:17 pm  Reply

    The “0200a7d6a8sdaraicsJTWJ0meR9WNDJuGREMk9N3arQVRie5fJMZb” ID is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the following guide: How to recover ransomware encrypted files.

Copyright © 2004 - 2024 MASW - Myantispyware.com.