STOP Djvu Ransomware

STOP Djvu Ransomware Description

STOP Djvu Ransomware ScreenshotThe STOP Ransomware family, also denominated the STOP Djvu Ransomware family, is a threatening piece of malware. The STOP Djvu is just one of the multiple threats that share common characteristics and originate from the STOP ransomware, even though some of their methods to affect file types and encrypt file extensions differ.

The original STOP Ransomware was spotted by security researchers as early as February 2018. However, since then it has evolved, and its family of clones and offshoots has grown. The primary method of distribution of the STOP ransomware was spam email campaigns using corrupted attachments.

The STOP Djvu Ransomware performs in a way similar to other ransomware threats of its kind, encrypting and blocking access to key files users may be utilizing in their system. Personal files, pictures, documents and more can be encrypted and essentially disabled for all users on the machine. STOP Djvu Ransomware was first spotted back in December 2018 in what appeared to be a pretty successful campaign of infection online. Researchers were unaware of the way the ransomware spread, but later victims reported they were discovering infections after they were downloading keygens or cracks. Once the infiltration occurs, STOP Djvu ransomware changes the Windows settings, appending files with a range of names, such as .djvu, .djvus, .djvuu, .uudjvu, .udjvu or .djvuq and the recent .promorad and .promock extensions. The newer versions don't have a decryptor yet, but the older ones can be decrypted using the STOPDecrypter. Users are advised to avoid paying any ransom, no matter what.

The method used to block access to the files uses the RSA encryption algorithm. Although the decryption of the files may seem hard for inexperienced users, there is definitely no need to make any effort to pay the people behind the threat. False promises are usually given in such situations, so users may quickly find out they are ignored once payments were made.

Attacks of the STOP Djvu Ransomware were first reported in late 2018. The main method of distribution for the STOP Djvu remained spam emails and tweaks to the core of the ransomware were relatively minor. The majority of fake, compromised attachments used in the spam emails were macro-enabled office documents or fake PDF files that would run the ransomware without the victim's knowledge. The behavior of the STOP Djvu has not changed much either - the ransomware still deleting all the Shadow Volume snapshots to get rid of backups, then starts encrypting the victim's files.

There are minor changes to the ransom note, which is saved as '_openme.txt' to the victim's desktop. The text of the ransom note can be found here:

’[ransom note start]

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.


To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID: [string]
[ransom note end]’

The ransomware limited itself to renaming the encrypted files with the .djvu extension originally, which was a curious choice because .djvu is actually a legitimate file format developed by the AT&T Labs and used for storing scanned documents, somewhat similar to the Adobe's .pdf. Later versions of the ransomware adopted a series of other extensions for encrypted files, including '.chech,' '.luceq,' '.kroput1,' '.charck,' '.kropun,,' .luces,' '.pulsar1,' '.uudjvu,' '.djvur,’ '.tfude,' '.tfudeq' and '.tfudet'.

Certain strains of the STOP Djvu ransomware can be decrypted for free, using the so-called 'STOPDecrypter' that was developed by the security researcher Michael Gillespie and is available online as a free download.

Technical Information

Screenshots & Other Imagery

STOP Djvu Ransomware Screenshots

stop djvu ransomware note


  • iki:

    file saya kena virus ransomware ini gimna mengembalikan nya gimna solusi nya

    • GoldSparrow:

      Unfortunately, there is no tool in existence that can decrypt the files. It is best that you first eliminate the STOP Djvu Ransomware using an antimalware resource and then utilize your most recent backup to restore the encrypted files.

  • Pramod Verma:

    my all data infected by .lokf virus
    can spyhunter5 remove it
    please help me

    • GoldSparrow:

      Yes, SpyHunter can automatically detect and remove the virus/ransomware.

  • gian:


  • Mahiraj:

    I have been attacked by .igal virus which is from the STOP/DJVU family. please help me!!. I also noticed that my files are encypted with a newer and online key. that makes it difficuilt to decrypt but There MUST some way!! please, IT's only 58GB of data .

  • JESUS:



    my laptop got affected by nusm ransome can spyhunter able to remove it ? and if yes then how i will get my files back . if you can help me i will buy your software

  • jose:

    hola mi equipo fue afectado por el virus con la extension zqqw, quiero saber si su producto puede eliminar el ransomware y deencriptar mis archivos, gracias

  • Shane:

    my laptop affected .gujd ramsonware..i had fully deleted the virus but my files is encrypted

  • Rey Eduard Umel:

    My files are infected just today 07 August 2021 with online password Stop Djvu Ransomware. all files converted to .NOOA files. Please help.

  • Ahad Mehmood:

    Hi I got this virus of REQG and my each file got encrypted, what should I do now. I am really depressped please guide me