STOP/DJVU family ransomware - JPEG and RAW photos
Posted: Thu Apr 23, 2020 11:08 am
STOP/DJVU seems to be rather widespread, mainly in Asia (judging by the number of requests for I get from that region).
I discovered by accident that I can repair JPEGs affected by this ransomware. After some modifications to my software most RAW photos too. Key factor is that the ransomware only encrypts the first 150 KB or so of the file.
Video is repairable too using one of the many tools that are able to repair MP4/MOV type videos by applying a header to the corrupt file.
Currently the STOP/DJVU decrypter supports 148 variants of this ransomware (https://www.bleepingcomputer.com/forums ... ort-topic/). Pre-requisite is that files are off-line encrypted.
So, in cases where decryption fails JPEG-Repair can be used to repair individual JPEG and RAW photos with some degradation to quality. In case JPEGs embed restart markers, original color can be fully restored too. JPEG-Repair can not batch this, each file requires manual intervention.
In this example JPEG-Repair glued a header on top of a corrupt JPEG. Part of it's standard routine is stripping from byte sequences that are invalid JPEG markers and as a result the data can now be decoded. You can clearly see the corrupt/encrypted portion of the file at the top of the image. Now you can cut corrupt bytes from the file and re-align the image using stuff bytes as shown in this video: https://youtu.be/aiLofQEPoEs.
I discovered by accident that I can repair JPEGs affected by this ransomware. After some modifications to my software most RAW photos too. Key factor is that the ransomware only encrypts the first 150 KB or so of the file.
Video is repairable too using one of the many tools that are able to repair MP4/MOV type videos by applying a header to the corrupt file.
Currently the STOP/DJVU decrypter supports 148 variants of this ransomware (https://www.bleepingcomputer.com/forums ... ort-topic/). Pre-requisite is that files are off-line encrypted.
So, in cases where decryption fails JPEG-Repair can be used to repair individual JPEG and RAW photos with some degradation to quality. In case JPEGs embed restart markers, original color can be fully restored too. JPEG-Repair can not batch this, each file requires manual intervention.
In this example JPEG-Repair glued a header on top of a corrupt JPEG. Part of it's standard routine is stripping from byte sequences that are invalid JPEG markers and as a result the data can now be decoded. You can clearly see the corrupt/encrypted portion of the file at the top of the image. Now you can cut corrupt bytes from the file and re-align the image using stuff bytes as shown in this video: https://youtu.be/aiLofQEPoEs.
- 2020-01-03 (1).jpg (78.89 KiB) Viewed 19209 times