Djvu Ransomware Spreading

Djvu ransomware, which appears to be a variant of the STOP ransomware, continues to spread through cracked software downloads and adware bundles. It first appeared in December 2018, appending a .djvu extension to the files it encrypts, but now appears to be appending .tro instead. The ransomware removes Windows Defender definitions, disables Windows Defender real-time monitoring, and blocks access to security websites through the Windows HOSTS file. While the ransomware encrypts files, a fraudulent Windows Update window is displayed on screen so that the user does not become suspicious of the resulting system slowdown. Djvu also creates a scheduled task that launches the ransomware at various intervals to encrypt any newly created files. There is no way to recover the encryption key unless you were sniffing network traffic while the key was transmitted from the command-and-control server. Currently, the NJCCIC is not aware of any decryption tool available for this variant. For more details, including IOCs, review BleepingComputer's post, and for a list of ransomware mitigation strategies, please download our two-page guide here. If you are targeted by ransomware, please report the incident to your local police department and to the NJCCIC via the Cyber Incident Report Form on our website.
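As an added example (not part of the NJCCIC alert or the BleepingComputer write-up), the following PowerShell triage script checks a Windows host for the behaviors the alert lists: security-site redirects in the HOSTS file, Defender real-time protection turned off or definitions left stale, scheduled tasks that launch from user-writable folders, and files carrying the .djvu or .tro extension. The folder patterns and the three-day signature-age threshold are assumptions chosen for illustration, not indicators from the alert.

```powershell
# Added triage script for the Djvu/STOP behaviors described above. Run from an
# elevated PowerShell 5.1+ session. Findings are collected and printed at the end.
$findings = @()

# 1. HOSTS file: the ransomware maps security websites to a local address.
#    Any non-localhost name pointed at 127.0.0.1 or 0.0.0.0 deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)') {
        if ($Matches[2] -notmatch '^localhost') { $findings += "HOSTS redirect: $line" }
    }
}

# 2. Defender state: real-time monitoring disabled or definitions removed/stale.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is OFF' }
    # Assumed threshold: signatures older than 3 days are treated as stale.
    if ($mp.AntivirusSignatureAge -gt 3) {
        $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old"
    }
} else {
    $findings += 'Get-MpComputerStatus unavailable (Defender absent or disabled)'
}

# 3. Scheduled tasks whose action runs from a user-writable location (assumed
#    patterns); the alert says Djvu re-launches itself this way.
$userWritable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -and $action.Execute -match $userWritable) {
            $findings += "Task '$($task.TaskName)' runs $($action.Execute) $($action.Arguments)"
        }
    }
}

# 4. Files with the extensions the alert names. Note .djvu is also a legitimate
#    document format, so treat these hits as a prompt to inspect, not proof.
$hits = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Include '*.djvu','*.tro' `
        -ErrorAction SilentlyContinue | Select-Object -First 5
foreach ($h in $hits) { $findings += "Encrypted-looking file: $($h.FullName)" }

if ($findings.Count -eq 0) { 'No Djvu-style indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A host that trips the HOSTS or scheduled-task checks should be isolated and its network captures preserved, since the alert notes the key is only recoverable from traffic recorded during the C2 exchange.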
