STOP Djvu ransomware with .wrui file extension
You are dealing with a new variant of STOP (Djvu) Ransomware, as explained here by Amigo-A (Andrew Ivanov). Since switching to the new STOP (Djvu) variants (and the release of .gero), the malware developers have consistently used 4-letter extensions.
Please read the first page (Post #1) of the STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) support topic and these FAQs for a summary of this infection, its variants, updates and possible decryption solutions using the Emsisoft decryptor.
As far as the new variants of STOP (Djvu) Ransomware are concerned, data decryption requires an OFFLINE ID with the corresponding private key. There is no longer a simple method of obtaining a private key for many of these newer variants, and there is no way to decrypt files encrypted with an ONLINE KEY without paying the ransom (which is not recommended) and obtaining the private key from the criminals who created the ransomware. Emsisoft can only obtain a private key for an OFFLINE ID AFTER a victim has PAID the ransom, received a key, and provided it to them.
In the case of infection with an ONLINE KEY, decryption is impossible without the victim's specific private key. ONLINE KEYS are unique for each victim and are securely randomly generated with unbreakable encryption. Emsisoft cannot help decrypt files encrypted with an ONLINE KEY because of the type of encryption used by the criminals, and there is no way to access the criminals' command server and retrieve this KEY. ONLINE IDs for the new STOP (Djvu) variants are reported as Unsupported by the Emsisoft decryptor.
The Emsisoft decryptor will also tell you whether your files are decryptable, whether you are dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is ONLINE or OFFLINE.
Emsisoft has obtained and uploaded to its server OFFLINE keys for many (but not all) new STOP (Djvu) variants, as noted in Post #9297 and elsewhere in the support topic.
** If there is no OFFLINE ID for the variant you are dealing with, we cannot help you unless a private key is retrieved and provided to Emsisoft. When and if the private key for a new variant is obtained, it will be uploaded to the Emsisoft server and automatically added to the decryptor. After that, all files encrypted with the OFFLINE KEY for that variant can be recovered using the Emsisoft decryptor. For now, the only alternative to paying the ransom is to back up and save your encrypted data as is and wait for a possible future recovery of a private key for the OFFLINE ID.
There is no timeline for when, or if, a private key for an OFFLINE ID will be retrieved and shared with Emsisoft, and Emsisoft makes no announcement when keys are obtained, due to victim confidentiality. This means that victims should keep reading the support topic for updates, or run the decryptor on a test sample of encrypted files every week or two, to check whether Emsisoft has been able to obtain and add the private key for the specific variant that encrypted their data.
** If an OFFLINE ID is available for the variant you are dealing with and your files have not been decrypted by the Emsisoft decryptor, then you have most likely been encrypted with an ONLINE KEY, and these files are not recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key. In the event of infection with an ONLINE ID, the Emsisoft decryptor will indicate this fact under the Results tab and note that the variant is not decryptable.
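To make the OFFLINE/ONLINE triage above concrete, here is an added example (not code from this topic, Emsisoft or Amigo-A) that inventories `.wrui` files on a copy of the data and classifies the personal ID. It assumes the ID is stored in `SystemID/PersonalID.txt` and that OFFLINE IDs end in `t1`; both are assumptions here, not stated on this page, and the sample tree it builds is constructed test data.

```python
import tempfile
from pathlib import Path

# Extension appended by the STOP/Djvu variant discussed in this topic.
ENCRYPTED_EXT = ".wrui"

def classify_personal_id(personal_id: str) -> str:
    """Assumption (not stated on this page): OFFLINE IDs end in 't1';
    anything else is treated as ONLINE, which the decryptor cannot handle."""
    pid = personal_id.strip()
    if not pid:
        return "UNKNOWN"
    return "OFFLINE" if pid.endswith("t1") else "ONLINE"

def read_personal_id(root: Path) -> str:
    """Assumption: the ID lives in <root>/SystemID/PersonalID.txt (the usual
    spot is C:\\SystemID\\PersonalID.txt on an infected Windows host)."""
    id_file = root / "SystemID" / "PersonalID.txt"
    return id_file.read_text(errors="replace") if id_file.exists() else ""

def inventory_encrypted(root: Path) -> dict:
    """Count .wrui files and record the original names a decryptor should restore."""
    hits = [p for p in root.rglob("*" + ENCRYPTED_EXT) if p.is_file()]
    return {
        "count": len(hits),
        "originals": sorted(p.name[: -len(ENCRYPTED_EXT)] for p in hits),
    }

def triage(root: Path) -> dict:
    """Combine the ID class and the inventory into the verdict this topic describes."""
    verdict = classify_personal_id(read_personal_id(root))
    if verdict == "OFFLINE":
        action = "Keep the encrypted files as is; re-run the Emsisoft decryptor every week or two."
    elif verdict == "ONLINE":
        action = "Not decryptable without the criminals' private key; preserve the data, restore from backups."
    else:
        action = "Personal ID not found; check the ransom note (_readme.txt) manually."
    return {"id_class": verdict, "action": action, **inventory_encrypted(root)}

def build_sample(root: Path, personal_id: str) -> None:
    """Constructed test data: a fake ID file plus two 'encrypted' documents."""
    (root / "SystemID").mkdir(parents=True)
    (root / "SystemID" / "PersonalID.txt").write_text(personal_id + "\n")
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.wrui").write_bytes(b"\x00" * 64)
    (root / "docs" / "photo.jpg.wrui").write_bytes(b"\x00" * 32)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp), "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789t1")  # constructed OFFLINE-style ID
        print(triage(Path(tmp)))
```

Run it against a copy of the affected tree, never the only copy of the data, and treat the verdict as a hint to confirm with the Emsisoft decryptor's Results tab.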
You must post all questions in the support topic above. If you have already followed these instructions and still need assistance, please ask in that support topic.
If you need individual assistance ONLY to remove the malware infection (no decryption of your data), please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance from the Malware Response Team.
Rather than having everyone start individual topics, and to avoid unnecessary confusion, this topic is closed.
BC staff