Hi this is Deepu, my laptop is attacked by DJVU ransomware, .ehiz file extension, can someone help me

Status
Not open for further replies.

Deepu

New Member
May 25, 2021
9
This is Deepu, my laptop is attacked by DJVU ransomware, .ehiz file extension, can someone help me, all my files are encrypted
 

Attachments

  • Screenshot (1216).png

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
425
Hello Deepu

I am Karsten and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply.
-------------------------------------------------------------------

Your system has been infected by STOP/DJVU ransomware. STOP/DJVU ransomware variants after August 2019 are only decryptable if an offline key was used. For variants with an online key you cannot decrypt files.

Please try this decrypter by Emsisoft: Emsisoft Decryptor for STOP Djvu
It will only work for STOP ransomware with an offline key, though.
 

Deepu

New Member
May 25, 2021
9
Error: No key for New Variant online ID: fmAzdmJBkL2ONSZp6mAfgl6eBaTxQ1G2WSHqZfbC
Notice: this ID appears to be an online ID, decryption is impossible
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
425
That means your variant is not decryptable.
Your options without a backup:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Repair: Certain file types, mainly video and audio files, can possibly be repaired with tools like MediaRepair. But these files will lose some data.
3) Wait: Back up encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets hands on the keys or the criminals publish the keys as it happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
4) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Please let me know if you need help for the steps 1) or 2).
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
425
1. Shadow Explorer
  • Make sure the correct drive letter is selected (usually "C:" )
  • There is a date on the upper bar. Check if there is a date available that was before the ransomware attack. If the date isn't available, you don't have any shadow volume copies from before and recovery is not possible.
  • Within Shadow Explorer, navigate to files or folders you want to recover
  • To recover: Right-click and click Export... then choose a folder to save the files to and click OK
Let me know if this works.
 

Deepu

New Member
May 25, 2021
9
There is no option available, and I am not able to navigate in it.
 

Attachments

  • Screenshot (1222).png

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
425
That means you have no shadow volume copies. Ransomware often deletes them. You cannot recover with Shadow Explorer in this case.

If you haven't tried already, see if you have success with any of the following:

1. File Recovery Software
  • Please download PhotoRec, choose Windows 64-bit from that list.
  • Right-click on the testdisk-7.1.win64.zip archive and click Extract all.
  • Now navigate into the extracted folder and run qphotorec_win.exe
  • Select your Hard Disk from the list.
  • Make sure that FAT/NTFS/HFS+/ReiserFS is selected
  • Choose a destination for your recovered files by clicking on the "Browse" button
  • Now click "Search" and the tool will start recovering. Wait for it to finish, then click Quit
You will find recovered files in the selected destination folder.
If you had any external drives encrypted, you may try the same on them.

2. File Repair

The tool can repair 6 file types: MP3, WAV, MP4, MOV, M4V, 3GP
If you have such files encrypted by STOP ransomware, download and run MediaRepair.

For most file types, you need a reference file, that is a non-encrypted file of the same file format as the encrypted ones. Video files will need this reference file. File types like MP3 do not need one.
  1. Run MediaRepair.
  2. Select a file type
  3. Navigate to the folder with your encrypted files.
  4. Now select one of your encrypted files and click on the Test button to check if the file can be repaired (see image below to find the button)
    • Note: If the program tells you at this point that it cannot repair these files, abort and continue with another file type.
  5. Now select a reference file that is not encrypted and has the same file type and click on the Select Reference button (see image below).
    • Note: If you have several reference files, prefer the smallest.
  6. Select the encrypted files you want to repair and click on the Play button (below the file types) to start repair.
  7. Now wait for the program to finish.
  8. Navigate to your encrypted files, you should find a folder named FIXED in there. This folder contains your repaired files.
Please report back to me when you are done.
media_repair_btns.png
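
Added example, not part of the thread or of MediaRepair: a read-only Python helper that prepares the File Repair steps above by grouping encrypted media by type and picking the smallest unencrypted reference file for each. It assumes the ransomware appended `.ehiz` to the original name (for example `clip.mp4.ehiz`); the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

RANSOM_EXT = ".ehiz"  # extension reported in this thread
REPAIRABLE = {".mp3", ".wav", ".mp4", ".mov", ".m4v", ".3gp"}  # the 6 listed types
VIDEO = {".mp4", ".mov", ".m4v", ".3gp"}  # the post says video files need a reference


def plan_repair(root):
    """Group encrypted media by type and pick the smallest clean reference file."""
    encrypted = defaultdict(list)
    reference = {}  # type -> (size, path) of the smallest unencrypted file
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            lower = name.lower()
            if lower.endswith(RANSOM_EXT):
                # Assumption: original extension sits just before .ehiz
                inner = os.path.splitext(lower[: -len(RANSOM_EXT)])[1]
                if inner in REPAIRABLE:
                    encrypted[inner].append(path)
                continue
            ext = os.path.splitext(lower)[1]
            size = os.path.getsize(path)
            if ext in REPAIRABLE and size and (ext not in reference or size < reference[ext][0]):
                reference[ext] = (size, path)
    return {ext: {"encrypted": sorted(paths),
                  "reference": reference.get(ext, (0, None))[1],
                  "missing_reference": ext in VIDEO and ext not in reference}
            for ext, paths in encrypted.items()}


def build_sample(root):
    """Constructed sample tree (zero-filled files), not data from the thread."""
    sizes = {"a.mp4.ehiz": 900, "b.MP4.ehiz": 800, "song.mp3.ehiz": 300,
             "notes.docx.ehiz": 50, "big.mp4": 700, "small.mp4": 200,
             "c.mov.ehiz": 400}
    for name, size in sizes.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for ext, info in plan_repair(d).items():
            print(ext, len(info["encrypted"]), info["reference"], info["missing_reference"])
```

The script only lists files and never modifies them; point `plan_repair` at a copy or backup of the encrypted data.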
 