Djvu Ransomware

Also Known As: Djvu virus
Distribution: Moderate
Damage level: Severe

Djvu ransomware removal instructions

What is Djvu?

Djvu is a high-risk virus that belongs to STOP malware family. It was firstly discovered by Michael Gillespie. It is categorized as ransomware and designed to lock (encrypt) files using a cryptography algorithm. Djvu renames each encrypted file by adding the ".djvu" or ".djvu*" extension (updated variants of this ransomware use ".djvuu", ".udjvu", ".djvuq", ".uudjvu", ".djvus", ".djuvt", ".djvur", and ".DJVUT" extensions for encrypted files). For example, "1.jpg" becomes "1.jpg.djvu" or "1.jpg.djvu*". All Djvu victims are provided with a ransom-demand message in a "_openme.txt" text file.

According to the ransom message created by Djvu's developers, all files (photos, documents, databases, documents, and so on) were encrypted using a strong encryption algorithm. To retrieve them, victims are encouraged to purchase a decryption tool (in effect, pay a ransom). They provide two email addresses ( and, one of which should be used when contacting Djvu's developers. They also assign a personal ID to be used in the email subject so that cyber criminals can identify individual victims. When contacted, they are likely to provide a Bitcoin (or other cryptocurrency) wallet for transfer of the ransom payment. According to ransomware developers, they will provide a 50% discount for victims who contact them within 72 hours following encryption. Furthermore, they offer free decryption of one file as 'proof' that they are capable of decryption and can be trusted. Cyber criminals behind this malicious program also warn victims against using other decryption tools, since this will supposedly cause permanent data loss. Typically, people who design these infections use cryptographies that generate unique keys and often store them on remote servers controlled by them. Therefore, only Djvu's developers can provide victims with decryption tools/keys. This ransomware is thus 'uncrackable' and there are no tools currently capable of decryption free of charge. Note that, in any case, most cyber criminals cannot be trusted. They do not provide decryption keys/tools even if their ransom demands are met. In these cases, the only free way to restore files is to use an existing data backup.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:

Djvu decrypt instructions

This ransomware-type virus is very similar to .shadow (the ransom-demand message is identical), however, other infections of this type (such as .SYS and Mercury) are also very similar. Most ransomware viruses are designed to encrypt data and make ransom demands. The only differences are the cryptography algorithm (symmetric or asymmetric) used to encrypt the files and cost of a decryption key or tool. Unfortunately, decryption without involvement of certain ransomware developers is impossible, unless the program is still in development or contains bugs/flaws. To avoid data loss caused by these viruses, maintain regular backups and store them on remote servers or unplugged storage devices.

How did ransomware infect my computer?

There are several common ways to proliferate ransomware-type programs such as Djvu, however, it is unknown exactly how cyber criminals proliferate this particular infection. Typically, ransomware developers distribute malware through untrustworthy software download sources, fake (unofficial) software updaters, spam email campaigns, and malicious programs such as trojans. Some examples of untrustworthy software download sources are: peer-to-peer networks (such as torrent clients, eMule), freeware download websites, file hosting websites, various unofficial websites, and so on. By using these sources, cyber criminals present their malicious programs as legitimate and trick people into downloading and installing high-risk infections (or other unwanted apps). Unofficial software update tools (fake updaters) are used to download and install malicious programs rather than the expected/promised software updates. These tools are capable of exploiting bugs/flaws of outdated software. Spam email campaigns are used to trick people into downloading and opening the presented malicious attachments or opening web links that lead to unwanted software downloads and/or installations. These attachments are often MS Office documents (such as Word, Excel, etc.), archive files (ZIP, RAR, etc.), PDF documents, executable (.exe) files, and so on. Trojans are malicious programs that, when installed, cause chain infections (proliferate other infections).

Threat Summary:
Name Djvu virus
Threat Type Ransomware, Crypto Virus, Files locker
Symptoms Can't open files stored on your computer, previously functional files now have a different extension, for example my.docx.locked. A ransom demanding message is displayed on your desktop. Cyber criminals are asking to pay a ransom (usually in bitcoins) to unlock your files.
Distribution methods Infected email attachments (macros), torrent websites, malicious ads.
Damage All files are encrypted and cannot be opened without paying a ransom. Additional password stealing trojans and malware infections can be installed together with a ransomware infection.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.
▼ Download Malwarebytes
To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

How to protect yourself from ransomware infections?

To avoid ransomware-type infections (and other threats), carefully study each received email, especially if it contains attachment. If the email seems irrelevant (does not concern you), or is sent from an unknown/suspicious address, do not download or open the attachment, or any web link. Use official software update tools only - implemented functions or updaters provided by official software developers. Any other (unofficial) updaters/tools should not be trusted. Download apps, files (software) using official websites (or other official sources). Do not use third party channels, since they are often used to distribute various rogue downloaders/installers or even malware. Have a reputable anti-virus or anti-spyware suite installed and active. These tools deal with various threats and computer infections, and often detect and eliminate them before any damage is done. If your computer is already infected with Djvu, we recommend running a scan with Malwarebytes for Windows to automatically eliminate this ransomware.

Text presented in Djvu ransomware text file ("_openme.txt"):

------------------------ ALL YOUR FILES ARE ENCRYPTED ------------------------

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.


To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Screenshot of files encrypted by Djvu (".djvu" extension):

Files encrypted by Djvu

Update January 2, 2019 - There have recently been a number of reports of users stating that their computers have been infected with Djvu ransomware after downloading KMSpico Windows cracking tool from officialkmspico(.)com website. Most of software cracking tools are malicious and fake - they're used to spread malware rather than giving any real value. What's more, many users do not realize that using software cracks is considered a theft, since you bypass the activation and avoid paying for the actual software developer. It doesn't matter if it's an operating system or any other program - you should never use pirated software.

Update January 17, 2019 - Michael Gillespie has updated his STOPDecrypter which is now capable of restoring data with the following extensions: ".djvu", ".djvuq", ".djvur", ".djvut", ".djvuu", ".pdff", ".tfude", ".tfudeq", ".tro", ".udjvu", ".tfudet". You can download the decrypter by clicking this link.

Screenshot of the STOPDecrypter:

STOPDecrypter by Michael Gillespie

However, as Michael himself says, there are some notes that must be taken,

This decrypter currently only works for personal ID 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0 (the offline key used if the malware failed to get a key from its server), or if you have the key.

If you were provided a key by kNN or myself, you may enter it via the Settings -> Set Djvu Key option; note that entering anything incorrect to this will destroy data, so don't try to be "clever". For "Personal ID", it will accept either the 40 character string at the end of files (not the one in braces, the string just before that), or the 43 character string in the ransom note. The bruteforcer will also explicitly reject this variant, as there is no way of bruteforcing the key at the present time; so don't even waste your time trying to fool it (the feature is for the .puma* variants, and isn't really a "bruteforce" anyways).

The decrypter will only attempt to decrypt a file with a known ID (either the hardcoded one or one you provide with a key); any others will be reported and logged, with instructions to archive it in hopes of future decryption.

If the decrypter detects IDs it could not decrypt, it will display them, along with your MAC addresses for easy archiving (assuming it is ran from the infected PC). It is also logged for you.

Update June 8, 2020 - The Djvu ransomware family continues to remain as one of the most popular ransomware infection. Every week a new variant of Djvu is released, meaning that there are thousands of victims who seek for help. We have recently discovered a fake Djvu ransomware decrypter, which disguises yet another ransomware called ZORAB. Once the malicious file is executed, a fake decryption window is displayed. However, this is a mere disguise - the ZORAB encryption process starts the moment malicious executable is opened. Victims will notice an additional extension (".ZRB") as well as another ransom note ("--DECRYPT--ZORAB.txt"). Using a fake decryption tool to inject a second ransomware is rather uncommon, since encrypted files are already unusable and victims are very unlikely to pay twice (for both Djvu and ZORAB ransomwares' developers). Nonetheless, hiding malware under a fake Djvu decryption is efficient due to this ransomware's popularity.

Screenshot of the fake Djvu ransomware decryptor designed to inject ZORAB ransomware into the system (VirusTotal detection list):

Fake Djvu decryptor injecting ZORAB ransomware

Update June 25, 2020 - DiskTuna has recently recently released a tool capable of restoring a certain portion of audio/video files that are encrypted by ransomware infections from Djvu family. The tool takes file portions that are not encrypted and attempts to restore the file. However, certain data losses still remain, since the process is not the same as decryption. You can download the tool and find more details, as well as a user manual in DiskTuna's website.

Screenshot of DiskTuna's tool designed to restore audio/video files encrypted by Djvu ransomware variants:

DiskTuna Media_Repair tool designed to restore audio/video files encrypted by ransomware from Djvu family

Djvu ransomware removal:

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Malwarebytes By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the Djvu virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Djvu ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Djvu ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Djvu are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Djvu, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as Djvu ransomware.

Note that Windows 10 Fall Creators Update includes a "Controlled Folder Access" feature that blocks ransomware attempts to encrypt your files. By default, this feature automatically protects files stored in the Documents, Pictures, Videos, Music, Favorites as well as Desktop folders.

Controll Folder Access

Windows 10 users should install this update to protect their data from ransomware attacks. Here is more information on how to get this update and add an additional protection layer from ransomware infections.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Djvu ransomware:

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Djvu virus QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of Djvu virus on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

Download Malwarebytes

Platform: Windows

Editors' Rating for Malwarebytes:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.