Remove STOP/DJVU Ransomware Virus (2021 Guide Update)

STOP DJVU Ransomware has become a known terror for a while now. Its 2021 and this virus is still at its peak. It has infected millions of computers world wide and cause panic. Read this guide know more about the origin, spreading and ultimately removal of this nasty virus. Also learn how to recover your files without paying ransom money to hackers.

STOP/DJVU Ransomware is a terrible piece of malware which has made its name in last couple of years. It is known by various different names such STOP Ransomware, STOP/DJVU or DJVU virus. With more than 270 active variant, it is clearly the most active crypto virus right now. It was first first observed on October 21, 2017 and modified its operation in 2018 but it came into popularity in 2019, after which it kept growing. It has probably most infection and extortion rate than any other Ransomware infections.

STOP/DJVU Ransomware

STOP/DJVU has more than 270 variants. It encrypt files on infected PC and force users to pay huge ransom money ($490-$980 USD).

After almost two years on its origin, STOP DJVU Ransomware is still not fully decryptable. Many security analyst are working tirelessly to break the encryption, but hackers always modify their codes.

STOP/DJVU Ransomware uses RSA and AES cryptographic algorithms to encrypt files on infected computers. It is not easy to decrypt such type of encoding without knowing the decryption code. But the thing is, hackers keep releasing new variants so frequently that finding one key is not going to make any difference.

If your system get infected by STOP/DJVU Ransomware, a ransom note “_Readme.txt” is placed on your system after successful encryption. This virus uses different extensions to attack computers. It add its own extension after the file names after encoding. To access any of the encrypted files, you will need the decryption code. STOP Ransomware then charge hefty amount for that decryption key.

Technical Details of  STOP/DJVU Ransomware

STOP DJVU Ransomware is a File Encryption ransomware type Trojan malware. At first its used the .STOP/DJVU extension to encrypted files on infected computers. After silent intrusion on the victim’s PC, this dubious threat will block the all of the files stored on that machine by encrypting them. Later it drops the ransom note on that system to notify user about the encrypted and demand ransom money to decrypt files.

At early phases STOP/Djvu Ransomware used (.STOP, .SUSPENDED, .WAITING, .PAUSA, .PUMA, .CONTACTUS, .DATASTOP, .STOPDATA) extension and then as the time passed, itstarted suing new extensions.

STOP Ransomware will leave ransom notes like !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt and !readme.txt.

Now newer versions of Djvu virus are leaving ransom notes named _openme.txt, _open_.txt or _readme.txt on the infected computer.

This ransomware infection also change the files after encryption by adding its own extension such as “.STOP/DJVU” extension. For an example, if a file named “1.jpg” get encrypted by this malware then it will get changed into “1.jpg.STOP/DJVU” and so on. Now if the users wants to access this files, they have to buy decryption key from the hackers.

STOP/DJVU Ransomware can encrypt all types of file formats mostly stored on Windows PC like images, documents, videos, audio and others. This notorious threat is also able to encrypt compressed files also. If users keep their files encrypted then this virus and encode them too. Dual encryption is also very common among ransomware threats like, if your files are encrypted by Dharma Ransomware then still STOP Ransomware scan encrypt your data.

Price of decryption set by STOP Djvu creators is $490 USD but it will get doubled i.e. $980 USD,  if users don’t pay the ransom amount within 72 hours of encryption.

STOP/Djvu Ransomware family releases new variant frequently (weekly) and each infection uses different unique ID, so they need different decryption to unlock files. This is why there is not a free decryption tool of this malware has been created that can unlock all the files efficiently.

STOP/Djvu Ransomware known contact emails

The victim of this STOP Ransomware are advised by cybercriminals to contact on their email address to further assistance with ransom payment and get decryption codes. Hackers behind this infection also keep changing their contact information regularly. Some of the currently known email addresses associated to STOP/Djvu virus family are:

  • gorentos@bitmessage.ch
  • gorentos2@firewall.cc
  • helpshadow@india.com
  • restoredjvu@firemail.cc
  • pdfhelp@india.com
  • salesrestoresoftware@firemail.cc
  • salesrestoresoftware@gmail.com
  • restorefiles@firemail.cc
  • datarestorehelp@firemail.cc
  • datahelp@iran.ir
  • helpmanager@firemail.cc
  • helpmanager@iran.ir
  • restoredjvu@india.com
  • helpdatarestore@firemail.cc
  • helpmanager@mail.ch
  • restoreadmin@firemail.cc
  • restoremanager@airmail.cc

How STOP/Djvu Ransomware infect your PC

Like any other malware, this nasty ransomware infection also spread through various different methods. You can get this virus on your computer by downloading and installing bundled freeware programs. Various fake (.exe) are also used to deliver this threats on targeted computer which delete itself after installation of the malware. Downloading pirated contents for torrent or other deceptive sources could bring infected files on your PC which packs STOP/Djvu infection and install it silently.

This notorious malware can also spread through malicious script hosted by suspicious sites. Clicking on misleading ads, pop-ups, banners, fake alerts, push notifications, banners etc. can cause frequent redirection of your browser on such sites. Apart from that, browsing to porn sites or sharing files on unsafe network could also be the reason of this infection. Many Trojan viruses are also used to deliver this STOP/DJVU Ransomware on targeted computers.

More about origin and detection of this infection

As you know STOP/DJVU virus was created in 2017 but it was first detected in 2018 by a famous malware researcher Michael Gillespie, he is started to follow this infection ever since. He also developed a decryption key which could help with some of the earlier variant of this infection. That tool was named as STOPDecryptor and was only able to help with online key. We will discuss this tool and extensions it supports later in this article.

Meanwhile, this malware became pretty well known in 2019 and started making various changes to its codes. This why the free decryptor tool failed to help users. Every week new extension with different ID and new decryption key made it hard to find any permanent solution for this malware.

File extensions identifying STOP/DJVU ransomware infection

There is a list of all the known extension of this nasty ransomware infection. There are currently more than 250 different variants of this infection and list is still growing :

STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT,.djvut .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promock, .promoks, .promorad, .promorad2, .kroput, .kroput1, .charck, .pulsar1, .puma, .pumax, .pumas, .shadow, .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .moresa, .verasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .browec, .norvas, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidon, .heroset, .myskle, .boston, .muslat, .gerosan, ,vesad, .horon, .neras, .dalle, .lotep, .nusar, .litar, .truke, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .tocue, .darus, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, prandel, .zatrov, .masok, .ndarod, .access, .format, .brusaf, londec, .krusop, .nasoh, .nacro, .pedro, .mtogas, .coharos, .nuksus, .vesrato, .masodas, .stare, .cetori, .carote, .shariz, .gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .kuub, .noos, .reco, .xoza, .bora, .leto, .werd, .nols, .coot, .derp, .nakw, .toec, .mosk, .lokf, .peet, .grod, .kodg, .mbed, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .nbes, .mkos, .redl, .piny, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal, .sqpc, .mzlq, .koti, .covm, .pezi, .zipe, .nlah, .kkll, .zwer, .nypd, .usam, .tabe, .vawe, .moba, .pykw, .zida, .maas, .repl, .kuus, .erif, .kook, .nile, .oonnl .vari, .boop, .nord, .geno, .kasp, .ogdo, .npph, .kolz, .copa, lyli, .moss, .foqe, .mmpa, .efji, .nypg, .iiss, .jdyi, .vpsh, .agho, .vvoa, .epor, .sglh, .lisp, .weui, .nobu, .igdm, .booa, .omfl, .igal, .atek, .qlkm, .coos, .wbxd, .pola, .plam, .cosd and others.

Online & offline keys – What does it mean?

OFFLINE KEY – When the STOP Ransomware infects your PC, and it is not connected to Internet, then this viruses encrypt your files in offline mode. It uses a predefined set of decryption key and due this those files were comparatively easy to decrypt. Once that key is discovered, it can be added to the decryptor and files could be decrypted.

ONLINE KEY – When the STOP Ransomware infects your PC, and it is connected to Internet, it establishes a connection to remote server and generate a new Key and ID. This type of is key is different for every infection and every computer, so there is no way to find it out. File encrypted by such cannot be decrypted without buying the key

About Stop Decryptor (Free tool that doesn’t work now)

Michael Gillespie created a free tool to decrypt files infected by STOP/Djvu Ransomware. It only supported the offline key. These keys were gathered by the victims who paid the ransom money to decrypt their files. Then those key were added to the free decryptor and it worked for a while. But then hackers decided to make major modifications into their malware and this system stopped working.

STOP/Djvu can be divided in to two versions now :

1. Old Version : Most of the older extensions of STOP/Djvu virus, starting with .djvu (v013) up to .carote (v154) was previously decryptable by STOPDecrypter (not available any more) but only for the OFFLINE KEY. When the support for STOPDecrypter has been terminated then the new EmsisoftDecryptor took the place of it. But it is still limited with the offline keys. A list of all the older versions are listed below :

.STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT, .puma, .pumax, .pumas, .shadow, .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .djvut .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promock, .promoks, .promorad,.promorad2, .kroput, .kroput1, .charck, .pulsar1, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .verasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .forasom, .berost, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidon, .heroset, .myskle, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .tocue, .darus, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato. .masodas, .stare, .cetori or .carote

2. New Version : These are the variants released after August 2019, after cybercriminals made changes. These new extensions were never supported by STOPDecrypter. However, some of the offline keys for these newer variants were obtained by Emsisoft by the help of some victim paid the ransom. Online keys are completely unique for each victim and cannot help multiple victims so they were never supported by Emsisoft decryptor. A list of all the new extensions are listed below:

.coharos, .nuksus, .vesrato, .masodas, .stare, .cetori, .carote, .shariz, .gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .kuub, .noos, .reco, .xoza, .bora, .leto, .werd, .nols, .coot, .derp, .nakw, .toec, .mosk, .lokf, .peet, .grod, .kodg, .mbed, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .nbes, .mkos, .redl, .piny, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal, .sqpc, .mzlq, .koti, .covm, .pezi, .zipe, .nlah, .kkll, .zwer, .nypd, .usam, .tabe, .vawe, .moba, .pykw, .zida, .maas, .repl, .kuus, .erif, .kook, .nile, .oonnl .vari, .boop, .nord, .geno, .kasp, .ogdo, .npph, .kolz, .copa, lyli, .moss, .foqe, .mmpa, .efji, .nypg, .iiss, .jdyi, .vpsh, .agho, .vvoa, .epor, .sglh, .lisp, .weui, .nobu, .igdm, .booa, .omfl, .igal, .atek, .qlkm, .coos, .wbxd, .pola, .plam, .cosd and others.

Ransom Note left by the STOP/DJVU Ransomware

As you know this malware likes to drop notes on the infected PC to inform users about the encryption and demand ransom note. The content of the note are always the same but the email address often keep changing. Take a look at the text of the ransom note “_Readme.txt” left of the victims’ computer:


Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

How to deal STOP/DJVU Ransomware

As if your computer is infected by this virus, then all your files are completely inaccessible. All the new versions are not decryptable so don’t hold your breath for any free solution here. But you need to make sure that you remove this infection completely from your PC. Removing STOP/Djvu Ransomware could be very hard so you might want to use a Powerful Anti-malware Tool to delete this infection.

Don’t try to format or reinstall your Windows to get rid of this infection because then you can never recover your files. You might want to make a backup of your encrypted files and store them on any external hard drive or cloud drive for safe keeping. After removing the virus, you can try the free decryption tool or you may purchase a Good Data Recovery Software and scan your system for files.

Actually STOP/Djvu Ransomware delete the temp files and shadow files from your PC before encryption. A good Data Recovery Software may help you find those shadow files and temp files or any other previously deleted files. By this method you can recover most of your files without paying ransom money to hackers.

Automatic STOP/DJVU Ransomware Removal Guide

As you already know that, STOP/DJVU Ransomware Virus is a notorious and cunning malware which is not hard to remove easily by any user through manual means. This virus can keep coming back on the infected computer through files and shortcuts or settings that it has already created on your machine. Removing all those at once is the only way to get rid of this infection and stop it from getting on your system ever again.

So the best way to remove STOP/DJVU Ransomware effectively is to use a powerful Automatic Removal Tool and save your time and efforts. This software is a well trusted and very powerful anti-malware program which can detect all hidden threats like Trojan, Ransomware, Worms, Spyware, Rootkits and many others. It also provides 24X7 customer support and one-on-one Spyware HelpDesk support for Custom Malware removal. Advanced System Guard feature detects and remove threats in real time. It has a very User-Friendly Interface and regular Malware updates make it most effective against latest malware attacks.

How SpyHunter 5 Anti-Malware Works

  • First you need to click on below download button to get the software.

Geek’s Recommendation

Some time threats like STOP/DJVU Ransomware keep getting back on the machine, if all associated files are not removed. So you are advised to use a powerful Malware Removal Tool to run a thorough scan of your PC and delete all threats at once.

SpyHunter 5 Anti-Malware allows you, subject to a 48-hour waiting period, one remediation and removal for results found. Read SpyHunter 5 Review, EULA and Privacy Policy

  • Then double-click on installer you downloaded to install the program.

double clickAllow access

  • Launch Anti-Malware application and Start Scan Now of your PC.

Scan for STOP/DJVU Ransomware

  • Software will scan your PC all hidden threats and viruses on your system.

Scan for STOP/DJVU Ransomware

  • Click on Next button to see results and delete STOP/DJVU Ransomware and other threats.

Remove STOP/DJVU Ransomware

How To Recover Your Encrypted Files

Now, as all your files got encrypted by STOP/DJVU Virus and you need to recover your data without paying ransom money to hackers. If your files are important then you must have created backup and you can use that backup to recover your files. If you don’t have backup or this virus has encrypted your backup files, then you are left to seek the professional help.

We recommend you to use a powerful data recovery software to restore your files encrypted STOP/DJVU Ransomware. It is risk free and smart way. You can just download the free version and scan your PC for files. There is a high probability that it can recover most of your files in a fraction of amount what hackers are demanding. It is also needless to say that paying hackers will only motivate hackers to carry out more attacks.

  • First you need to download Data Recovery software on your PC.

Download Data Recovery Software Now

  • Install the program, launch it then select Data type to recover and click Next button.

select Data type

  • Select the location from where you want to recover data and click Scan button.

Select location

  • After scan, software will list all files, select them and click Recover button.

Recover STOP/DJVU Ransomware encrypted files

Tips To Prevent STOP/DJVU Ransomware in Future

  • Use a good anti-virus, be it a free version but don’t use cracked security programs.
  • Make sure that your Windows firewall is active, so it can block upcoming threats.
  • Keep your Windows OS and other programs updated to avoid vulnerabilities.
  • Download updates only from official websites, don’t use suspicious sites.
  • Never download and install pirated software, games or illegal patches on your PC.
  • Do not open spam mails from unknown sender and scan all attachments before opening.
  • Never download freeware third-party programs from unreliable sources or websites.
  • Avoid connecting your PC to unsafe public Wi-Fi to protect your privacy.
  • You can also use a VPN to spoof your connection and avoid malicious sites.
  • Create a system restore point on your system for security purpose.
  • Keep backup of all your important files to avoid data loss.

Report cyber attack to Authorities

If you are also a Victim of STOP/DJVU Ransomware virus then you should report this cyber crime incident to legal authority in your county. Here are the lit of some of the official government websites for reporting fraud and scam activities:

You can also search to find the Internet Crime Authority in your counter. Meanwhile it will not help you remove or restore your files in any way but its merely an information to authorities. However don’t lured by third party criminal reporting sites or fake technical support websites. They are more like to cheat you instead of helping you.

tip Still having issues? Need help?

Some time threats like STOP/DJVU Ransomware keep getting back on the machine, if all associated files are not removed. So you are advised to use a powerful Malware Removal Tool to run a thorough scan of your PC and delete all threats at once.

SpyHunter 5 Anti-Malware allows you, subject to a 48-hour waiting period, one remediation and removal for results found. Read SpyHunter 5 Review, EULA and Privacy Policy

Bottom Line

Stop/Djvu is a dangerous Ransomware infection with lots of different variant. It is possible to recover your PC from this infection and you may get back most of your files if not all. So, if you liked the information then please share this article with others. Keep visiting for more interesting information. If you need any help or suggestions then write to us in comment box . We like hearing from you.

About the author

Robert Calvert

Robert is the Chief Security Expert and Founder of PCSafetyGeek.com website. He is a cybersecurity enthusiast who loves to research about Malware outbreaks and write about their remedies. He also like to spend time trying new software, reviewing them and sharing IT news. However he is a real coffee lover and likes to play chess in spare time (which is quite rare 😜).

Leave a Comment