What is Jope file extension
.Jope file extension is a filename extension that is appended to the name of files affected by the latest version of STOP (djvu) ransomware. Ransomware is a malware that encrypts victims’ files and thus locks up the information contained in them. Ransomware developers demand a ransom in exchange for a decryptor and a key, which are necessary for decrypting the files. Fortunately there is a free decryptor. Jope File Decrypt Tool is a program that in some cases can help decrypt encrypted files. In addition to this program, there are several other ways to restore the contents of encrypted files.
Screenshot of files encrypted by Jope virus (‘.jope’ file extension)
What is Jope ransomware
Jope ransomware is new malware that is the 218th variant of STOP (DJVU) ransomware. Like other versions of this ransomware, it is distributed through key generators, cracked software, adware and torrents web-sites. Upon execution, Jope creates a folder in the Windows system directory and copies itself there. Then the virus changes some Windows OS settings so that it starts automatically every time the PC is turned on or restarted.
Jope ransomware collects information about the victim’s computer, after which it tries to establish a connection with its command-and-control server (C&C). If the connection has been established, the virus receives a key (so called ‘online key’) from the command server that will be used to encrypt files. In addition, Jope virus may receive additional commands and files that will be executed on the victim’s computer. If Jope ransomware could not connect to the command server, then it uses a fixed key, which the security researchers called ‘offline key’.
There is a significant difference between ‘online key’ and ‘offline key’. The online key is unique for each victim, that is, the key from one victim will not help decrypt the files of the other victim. The offline key is the same for all victims. Thus, it can be used to decrypt files regardless of where they were encrypted.
Having a key to encrypt files, Jope virus proceeds directly to the process of encrypting files. It encrypts file-by-file, so that all files of the victim will be encrypted. It doesn’t matter where the files are located, on the internal drive, flash drive, external media, cloud storage, all of them can be encrypted. There is a small exception, the virus does not encrypt files located in the Windows system directories, files with the extension from the list ‘.lnk, .bat, ini, .sys, .dll’ and files with the name ‘_readme.txt’. Thus, almost all of the victim’s data will be encrypted, including documents, pictures, databases, archives and other types of files, such as:
.fos, .dwg, .xll, .xls, .mcmeta, .wn, .ws, .epk, .z, .d3dbsp, .ptx, .vcf, .x3d, .dba, .sid, .sidd, .xlsm, .slm, .js, .wri, .vdf, .1st, .wpb, .x3f, .wpl, .wpe, .accdb, .p12, .bay, .wmo, .sum, .qic, .jpeg, .wpd, .rw2, .bkf, .vpp_pc, .mpqge, .tax, .hvpl, .mddata, .bik, .lrf, .dmp, .xdb, .wgz, .xld, .vpk, .menu, .dazip, .ppt, .ai, .litemod, .p7b, .sr2, .odt, .wdb, .wp7, .zabw, .xmind, .fsh, .zdc, .wpd, .m4a, .wpg, .wma, .dxg, .bc7, .xdl, .pem, .sis, .jpg, .xxx, .crw, .wb2, .wdp, .css, .esm, .bar, .cdr, .zw, .m2, .xyw, .zdb, .svg, .mrwref, .arw, .wmd, .nrw, .xpm, .ztmp, .big, .mlx, .7z, .xbplate, .zip, .wmf, .mov, .raf, .iwd, .sie, .bkp, .mp4, .0, .docx, .ltx, .syncdb, .psd, .vfs0, .xls, .wot, .x3f, .forge, .rwl, .ysp, .pst, wallet, .doc, .wps, .py, .vtf, .wbmp, .itdb, .mef, .x, .xyp, .ibank, .sidn, .xf, .3dm, .y, .pak, .wbz, .wsc, .xy3, .wpw, .pptx, .tor, .yal, .txt, .asset, .indd, .xlsx, .t12, .ntl, .kdc, .w3x, .bsa, .xml, .icxs, .pdd, .xlk, .xlsb, .m3u, .wotreplay, .odb, .ybk, .db0, .sav, .rofl, .xx, .png, .blob, .wmv, .orf, .pef, .wps, .kdb, .ff, .wmv, .sql, .wp4, .wma, .xlsx, .dcr, .odm, .rar, .ncf, .wav, .xmmap, .apk, .layout, .psk, .crt, .hkx, .srf, .arch00, .erf, .p7c, .mdbackup, .wp6, .gho, .wbd, .sb, .wire, .z3d
Each file that has been encrypted by Jope virus will be renamed. It will append the extension ‘.jope’ at the end of the name of the affected file. Thus, a file named ‘image.jpg’, after it is encrypted, will receive the name ‘image.jpg.jope’. To encrypt as many files as possible in the minimum time, the virus does not encrypt the entire file, but only its initial part in the amount of 154 kb. Jope virus encrypts files sequentially, when all files in the directory are encrypted, it places a new file in it. This file is called ‘_readme.txt’ and its contents are shown below.
Screenshot of the contents of ‘_readme.txt’ file (Jope ransom note)
This file is a ransom note that is a message from Jope creators. In this message, the criminals report that the victim’s files are encrypted and there is only one way to decrypt them – buy the key and the decryptor from them. Attackers set the price for the key and decryptor at $980. If the victim pays the ransom within 72 hours, then Jope authors agree to make a discount of half the ransom, that is, reduce the size of the ransom to $490. Criminals offer to decrypt one file for free. To do this, the victim needs to send this file to one of the email addresses listed in the ransom demand message. But successful decryption of one file does not guarantee the possibility of decryption of files even after payment of the ransom.
Threat Summary
| Name | Jope ransomware |
| Type | File locker, Ransomware, Filecoder, Crypto virus, Crypto malware |
| Encrypted files extension | .jope |
| Ransom note | _readme.txt |
| Contact | helpdatarestore@firemail.cc, helpmanager@mail.ch |
| Ransom amount | $490/$980 in Bitcoins |
| Detection Names | Trojan.Win32.Generic.4!c, Win32:DropperX-gen [Drp], W32.AIDetectVM.malware2, Win32/Kryptik.HCLZ, Trojan-Ransom.Win32.Stop.lt, Trojan:Win32/Qbot.RL!MTB, Win32.Trojan.Stop.Hviw, BScope.Trojan.AET.281105 |
| Symptoms | Encrypted documents, photos and music. Your personal files now have a odd extension. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom note in a pop-up window with cybercriminal’s ransom demand and instructions. |
| Distribution ways | Spam or phishing emails that are designed to get people to open an attachment or click on a link. Drive-by downloading (when a user unknowingly visits an infected webpage and then malware is installed without the user’s knowledge). Social media, such as web-based instant messaging applications. Malvertising campaigns. |
| Removal | Jope removal guide |
| Decryption | Jope File Decrypt Tool |
In the ransom note, the Jope ransomware authors report that it is impossible to decrypt files without a key and a decryptor. In general, this is true; to decrypt .jope files, you must use the key and the decryptor. This is confirmed by the security researchers. As we reported at the very beginning of this article, there is a free “Jope File Decrypt Tool”, which in some cases can decrypt .jope files. In the case when it could not decrypt the files, there are several more methods, each of which can help the victim restore the files encrypted by Jope virus. These methods do not require the use of a key and decryptor, and therefore are suitable for all victims.
How to remove Jope ransomware, Recover, Decrypt .jope files for free
If you are a victim of ransomware, your files have been encrypted, then we recommend that you follow the simple steps described above. These steps will help you remove Jope ransomware virus, and decrypt .jope files that were affected by it. Moreover, we will also show you how to recover encrypted files if the decryption of the files was unsuccessful. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.
- How to remove Jope ransomware virus
- How to decrypt .jope files
- How to restore .jope files
- How to protect your computer from Jope ransomware
How to remove Jope ransomware virus
The first thing you need to do before decrypting .jope files is to make sure that Jope ransomware virus is no longer active, as well as find all its components and remove them. An active ransomware is very dangerous because it can encrypt all files that were recovered during decryption. Therefore, you need to check your computer for ransomware and other malware. To do this, we recommend using free malware removal tools that will find Jope virus and remove it for free.
Remove Jope ransomware with Zemana
Zemana is a malware removal tool which is used for worms, adware, trojans, ransomware, malware, spyware and other security threats removal. This tool is one of the most efficient antimalware utilities. It helps in ransomware removal and and defends all other types of malware. One of the biggest advantages of using Zemana Anti Malware (ZAM) is that is easy to use and is free. Also, it constantly keeps updating its virus/malware signatures DB. Let’s see how to install and scan your personal computer with Zemana in order to remove Jope ransomware from your personal computer.
Installing the Zemana Anti-Malware is simple. First you will need to download Zemana Anti Malware from the following link.
160287 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After downloading is finished, close all windows on your PC system. Further, run the set up file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up similar to the one below, press the “Yes” button.
It will show the “Setup wizard” which will allow you install Zemana Anti Malware (ZAM) on the personal computer. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, Zemana Free will automatically run and you can see its main window as on the image below.
Next, click the “Scan” button . Zemana tool will begin scanning the whole PC system to find out the Jope ransomware, other malware, worms and trojans. A system scan may take anywhere from 5 to 30 minutes, depending on your computer. While the Zemana Anti Malware tool is checking, you can see number of objects it has identified as being infected by malware.
As the scanning ends, Zemana will prepare a list of unwanted apps and crypto malware. Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next” button.
The Zemana will begin to remove Jope ransomware and other security threats. Once disinfection is finished, you may be prompted to reboot your system.
Run MalwareBytes Anti Malware to remove Jope virus
Remove Jope ransomware virus manually is difficult and often the ransomware is not fully removed. Therefore, we suggest you to use the MalwareBytes Anti-Malware which are fully clean your system. Moreover, this free program will help you to delete malicious software, PUPs, toolbars and adware software that your machine may be infected too.
Please go to the link below to download MalwareBytes. Save it to your Desktop so that you can access the file easily.
319457 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the download is complete, close all programs and windows on your computer. Double-click the setup file called mb3-setup. If the “User Account Control” prompt pops up as displayed in the following example, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes on your system. Follow the prompts and don’t make any changes to default settings.
Once install is done successfully, click Finish button. MalwareBytes Free will automatically start and you can see its main screen as shown in the following example.
Now press the “Scan Now” button to begin scanning your PC for the Jope ransomware virus, other kinds of potential threats such as malicious software and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your PC system and the speed of your machine. While the MalwareBytes Free is checking, you can see number of objects it has identified either as being malware.
Once MalwareBytes Anti-Malware completes the scan, a list of all threats detected is produced. You can remove threats (move to Quarantine) by simply click “Quarantine Selected” button. The MalwareBytes Free will start to remove Jope virus and other security threats. When disinfection is finished, you may be prompted to reboot the PC system.
We recommend you look at the following video, which completely explains the process of using MalwareBytes to delete adware software, browser hijackers and other malicious software.
Remove Jope from computer with KVRT
Kaspersky virus removal tool (KVRT) is a free removal tool which can check your computer for a wide range of security threats such as ransomware, adware, spyware, PUPs, trojans, worms as well as other malware. It will perform a deep scan of the PC system including hard drives and MS Windows registry. After a malicious software is found, it will allow you to uninstall all detected threats from your personal computer with a simple click.
Download Kaspersky virus removal tool (KVRT) on your machine from the link below.
124985 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is finished, double-click on the KVRT icon. Once initialization procedure is done, you’ll see the KVRT screen like the one below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to look for the Jope ransomware. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your computer. When a threat is found, the number of the security threats will change accordingly. Wait until the the checking is finished.
After the scan is complete, you can check all items detected on your computer as shown below.
When you are ready, click on Continue to start a cleaning task.
How to decrypt .jope files
To decrypt .jope files, you need to use a unique key and decryptor. Security researchers confirm that it is impossible to access the contents of encrypted files without decryption. Renaming the affected files, changing their extension cannot help the victim, the files will still remain encrypted. Fortunately, there is a free Jope File Decrypt Tool called STOP Djvu decryptor. In some cases, it can help decrypt .jope files.
Free Jope File Decrypt Tool (STOP Djvu decryptor)
To decrypt .jope files, use Jope File Decrypt Tool
- Download Jope File Decrypt Tool from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
As we have said several times, this decryptor can decrypt files only in some cases, when the files were encrypted with an ‘offline key’. If the files were encrypted with an ‘online key’, then they cannot be decrypted. The reason for this is that the decryption key is in the hands of criminals and this key can not be determined. But even in this case, there is a chance to restore the contents of encrypted files, we will talk about this in section “How to restore .jope files” of this article.
How to find out which key was used to encrypt files
Since Jope Decrypt Tool only decrypts files encrypted with the offline key, each Jope’s victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them.
Personal ID is highlighted here
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0218’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Jope virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
Jope Decrypt Tool : No key for New Variant offline ID
If during decryption of .jope files the decryptor reports No key for New Variant offline ID, then this means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data. It is impossible to say exactly when the ‘offline key’ will be determined. Sometimes it takes several days, sometimes more. We recommend that you try to decrypt .jope files from time to time. You can also use alternative ways listed below for recovering encrypted data.
Jope Decrypt Tool : No key for New Variant online ID
If, when you try to decrypt .jope files, the decryptor reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Jope authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
How to restore .jope files
If Jope Decrypt Tool did not help you, or your files are encrypted using an online key, then there is no need to panic! There are several other alternative methods that may allow you to restore the contents of encrypted files. Once again, remember to be sure to scan your computer for ransomware and malware using free malware removal tools. You must be sure that Jope ransomware is completely removed.
Use shadow copies to restore .jope files
First of all, try to recover .jope files from Shadow Volume Copies, which are automatically created by Windows OS. In order to recover photos, documents and music encrypted by Jope ransomware from Shadow Volume Copies you can use a tool called ShadowExplorer. We recommend using this free utility because it is small in size, has a simple interface and does not require installation on a computer. Unfortunately, ransomware often removes all Shadow copies. Therefore, if Shadow Explorer cannot help you, then immediately proceed to the second method, which is given below.
Visit the following page to download the latest version of ShadowExplorer for Windows. Save it on your Desktop.
422138 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the screen below.
Double click ShadowExplorerPortable to run it. You will see the a window as shown on the image below.
In top left corner, choose a Drive where encrypted photos, documents and music are stored and a latest restore point like below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as displayed in the figure below.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Restore .jope files with PhotoRec
Another alternative way to recover .jope files is to use data recovery software. This method requires a lot of time, but in most cases it allows you to recover part, and sometimes all, encrypted files. To restore .jope files, use a free tool called Photo Rec. It has a simple interface and does not require installation.
Download PhotoRec from the link below. Save it on your Microsoft Windows desktop.
After the downloading process is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will show a screen as shown on the image below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted personal files as shown in the figure below.
Click File Formats button and select file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to select where recovered personal files should be written, then click Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as shown below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your computer from Jope ransomware
Most antivirus apps already have built-in protection system against the ransomware virus. Therefore, if your personal computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
First, visit the following page, then click the ‘Download’ button in order to download the latest version of HitmanPro Alert.
After the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the tool is started, you’ll be displayed a window where you can choose a level of protection, as shown below.
Now click the Install button to activate the protection.
To sum up
This guide was created to help all victims of Jope ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .jope files; how to recover files, if Jope Decrypt Tool does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Jope related issues, go to here.
Extremely helpful. The guide is very informative and has tremendously helped me in decrypting infected files. The shadow explorer tool is mind blowing and it worked efficiently to restore and recover all my files and folders.
Thank you very much..This certainly will be useful for all ransomware infected pc,s.