The threat actors who run ransomware campaigns seem to be constantly busy writing destructive code and launching new strains for which the security industry has not yet come up with a complete, actionable fix. It is unfortunate that this talent flows in the black hat direction, but the prospect of easy money obviously tempts people into wrongdoing. One of today’s most notorious ransomware programs, Djvu ransomware, has quite a history behind it. The original virus was launched in September 2013 and was taken down in June 2014. The currently active infection analyzed in this post is in fact a successor, likely created by a different cybercriminal gang. The general operation of this malware is similar to that of its predecessor, but there are some differences.
One of the differences is the warning screen displayed by Djvu ransomware. It is no longer red, and it is more blatant as far as the hackers’ ego is concerned. Whereas the previous version said “Your personal files are encrypted”, the latest one reads “Warning, we have encrypted your files with Djvu ransomware virus”. The “we” probably testifies to the fraudsters being more ambitious and fearless, but let’s leave the profiling of these con artists to psychologists. The technical workflow of the compromise starts with infection of the PC, which is usually driven by social engineering. One of the vectors involves fake emails titled “Payroll reports” with a Microsoft Excel file attached. The malicious files can also be disguised as ZIP archives with PDFs inside. Once the attachment is opened, it drops the payload onto the computer.
The virus scans the computer’s drives for a list of file extensions, and each matching file it finds is encrypted using the AES algorithm. It then displays a warning message that provides some details of what happened:
“Your important files (including those on the network disks, USB, etc): photos, videos, documents, etc. were encrypted with our Djvu ransomware virus. The only way to get your files back is to pay us. Otherwise, your files will be lost.”
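Because the encryption step described above turns ordinary documents into near-random bytes, a defender can spot its aftermath by measuring byte entropy across the file types the ransomware targets. The following script is an added example written for this post, not code from the original article or from any sample of the malware. The extension list, magic-byte table and entropy threshold are assumptions chosen for illustration, and the demo directory it builds is constructed sample data.

```python
import math
import os
import tempfile
from collections import Counter

# Added example (not the original article's code): flag files whose contents look
# encrypted so a defender can detect bulk AES encryption after the fact.

# Assumed list of extensions worth checking; the real malware's list is not on the page.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".pdf", ".txt"}

# Formats that are compressed (and therefore high-entropy) even when intact.
# If the expected header is present the file is treated as a genuine document,
# which avoids false positives on ordinary photos and Office files.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; AES ciphertext approaches the maximum of 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, sample_size: int = 65536) -> bool:
    """True when the file lacks its expected header and its leading bytes are near-random."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if len(sample) < 256:
        return False  # too little data for a meaningful entropy estimate
    if ext in MAGIC and sample.startswith(MAGIC[ext]):
        return False  # header intact: a legitimate compressed document
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def scan_tree(root: str) -> list:
    """Walk a directory tree and return the paths of files that look encrypted."""
    suspicious = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                path = os.path.join(dirpath, name)
                if looks_encrypted(path):
                    suspicious.append(path)
    return sorted(suspicious)


def build_demo_tree() -> str:
    """Constructed sample data: one plaintext note and one 'photo' full of random bytes,
    which is statistically indistinguishable from an AES-encrypted file."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"Quarterly payroll report, see attached spreadsheet.\n" * 40)
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in scan_tree(demo_root):
        print("possible encrypted file:", hit)
```

The magic-byte check matters in practice: JPEG, PNG and modern Office files are compressed and already score close to 8 bits per byte, so entropy alone would flag every intact photo. If a given variant renames victims’ files with its own extension, widen `TARGET_EXTENSIONS` (or drop the filter) so those renamed files are still examined.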
The payment mentioned in the above message is supposed to be submitted in Bitcoin, with the amount equivalent to about 500 USD. Each infected user is assigned a unique Bitcoin address. Unless paid within three days, the ransom increases. What the criminals essentially propose is that the victim buy decryption software that holds the private crypto key, so that the hijacked files can be recovered. But this is extortion in its purest form; therefore, instead of giving in to the bad guys, it is strongly recommended to try the several workarounds provided in the next part of this tutorial. Be advised that removing Djvu ransomware will not fix the problem of file recovery, but it is mandatory as part of the overall operating system cleanup.