
STOP/DJVU ransomware: Fix .locked files and remove malware

Cybersecurity & Malware · Intermediate · May 25, 2026

STOP/DJVU ransomware encrypts files with .locked extension and demands payment. Here's how to kill the infection and recover your data for free.

Cause #1: The ransomware is still running — kill it first

STOP/DJVU is sloppy. It often leaves its process running in the background. If you try to decrypt files while the malware is active, the decryptor will fail or the files will get re-encrypted. The culprit here is almost always a process called taskhost.exe or wscript.exe running from a temp folder. I've seen this on Windows 10 22H2 and Windows 11 23H2.

Real-world scenario: You opened a cracked software installer from a sketchy torrent site. Next thing, your Documents folder shows .locked files. The malware throws a ransom note named _readme.txt demanding $980 in Bitcoin.

Step 1: Boot into Safe Mode with Networking

Don't bother trying to kill it from normal Windows — it'll restart itself. Here's what works:

  1. Restart your PC and press F8 (or Shift + Restart from the login screen).
  2. Choose Safe Mode with Networking from the boot menu.
  3. Log in as Administrator. The ransomware won't load.

Step 2: Kill the malicious process

Open Task Manager (Ctrl+Shift+Esc). Look for these:

  • taskhost.exe running from C:\Users\[YourName]\AppData\Local\Temp
  • wscript.exe with high CPU usage
  • Any process with random characters in the name like gftrwe.exe

Right-click each one and choose End task. Then delete everything in %temp% — run cleanmgr or manually nuke the folder.

Step 3: Run a malware scan

Use Microsoft Defender or Malwarebytes. I prefer Malwarebytes for this — it catches the STOP variants that Defender misses. Run a full scan. Quarantine anything it finds.

Cause #2: Files are encrypted but the offline key is known

STOP/DJVU has two encryption modes: online (unique key per victim) and offline (hardcoded key). The offline key is the same for many victims — and researchers at Emsisoft have cracked it. If your ransom note says "You can get your key on our website" but you can't reach that site, the infection probably used the offline key.

How to check: Look at the ransom note file (_readme.txt). If it doesn't include a personal ID string like ID: 9kF3pZ, it's the offline variant. The fix is the Emsisoft Decryptor for STOP DJVU.

Step 1: Download the decryptor

Get the tool from Emsisoft's official site. Ignore the fake scam sites — only download from Emsisoft or BleepingComputer. Save it to a USB drive.

Step 2: Run the decryptor

  1. Right-click the decryptor and Run as Administrator.
  2. Click Add folder and point to where your .locked files are (e.g., C:\Users\[Name]\Documents).
  3. Click Scan. The tool checks if the offline key works.
  4. If it says "Key found", click Decrypt.

Be patient. A folder with 50GB of encrypted files takes 20-30 minutes. Don't interrupt it. The tool renames .locked back to the original extension.

Cause #3: Online key variant — you need a shadow copy or backup

If the decryptor says "No key found", you're dealing with an online key variant. That's bad news — nobody has cracked it yet. The only fix is restoring from a backup or Windows Previous Versions (Volume Shadow Copy).

Important: STOP/DJVU deletes shadow copies using vssadmin.exe. But I've seen multiple cases where it fails on systems with UAC cranked up or on Windows 11 Pro. Worth a shot.
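The three checks above (Cause #1 Step 2: processes running from a Temp folder; Cause #2: whether the ransom note carries a personal ID; this section: whether any shadow copies survived) can be run in one pass from an elevated PowerShell window. This is an added triage script, not part of the original article; it assumes Windows PowerShell 5.1 or later run as Administrator, ideally in Safe Mode with Networking, and it only reports, it does not end processes or delete files.

```powershell
# Added triage script, not from the original article. Assumes Windows
# PowerShell 5.1 or later, run as Administrator (ideally in Safe Mode with
# Networking). It only reports; it does not end processes or delete files.

# Cause #1, Step 2: processes whose image lives under a user's
# AppData\Local\Temp (the taskhost.exe / wscript.exe pattern described above).
Write-Host "== Processes running from AppData\Local\Temp =="
Get-Process | Where-Object {
    $_.Path -and $_.Path -match '\\AppData\\Local\\Temp\\'
} | Select-Object Id, ProcessName, Path, CPU | Format-Table -AutoSize

# Cause #2: find every _readme.txt under C:\Users and pull out the personal
# ID line, if the note has one. '(none)' is the "probably offline" case.
Write-Host "== Ransom notes and their personal ID =="
Get-ChildItem -Path C:\Users -Filter _readme.txt -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m  = Select-String -Path $_.FullName -Pattern 'ID:\s*(\S+)' | Select-Object -First 1
        $id = if ($m) { $m.Matches[0].Groups[1].Value } else { '(none)' }
        [pscustomobject]@{ Note = $_.FullName; PersonalId = $id }
    } | Format-Table -AutoSize

# Count .locked files and show the ten folders holding the most of them, so
# you know where to point the decryptor's "Add folder" dialog.
$locked = @(Get-ChildItem -Path C:\Users -Filter *.locked -Recurse -Force -ErrorAction SilentlyContinue)
Write-Host ("== {0} .locked files found; top folders ==" -f $locked.Count)
$locked | Group-Object { $_.DirectoryName } | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Cause #3: shadow copies that survived the vssadmin deletion attempt. Same
# data as 'vssadmin list shadows'; anything listed can feed Previous Versions.
Write-Host "== Shadow copies still present =="
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, @{ Name = 'Created'; Expression = { $_.InstallDate } } |
    Format-Table -AutoSize
```

An empty shadow-copy list means the deletion succeeded and you are down to cloud or external backups (Step 2 and Step 3 below).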

Step 1: Check Previous Versions

  1. Right-click the folder with .locked files (e.g., C:\Users\[Name]\Pictures).
  2. Select Properties > Previous Versions tab.
  3. If any versions are listed (like from yesterday or the day before), select one and click Restore.

I've recovered 80% of files this way for a client who had shadow copies enabled. Most people don't — that's why backups matter.

Step 2: Check your cloud or external backup

If you use OneDrive, Google Drive, or Dropbox, check their version history. OneDrive keeps 30 days of versions by default. Right-click the file in OneDrive web > Version history.

For external backups: plug in the drive, scan it with Malwarebytes first (ransomware can infect backup drives), then copy clean files back.

Step 3: Last resort — wait for a decryptor update

Emsisoft adds new offline keys every few weeks. Check their tool periodically. Also, upload a sample .locked file to ID Ransomware — it tells you the exact variant. Some variants get cracked later.

Quick-reference summary

Cause                  Fix                                  Best for
Malware still running  Safe Mode + Malwarebytes scan        All cases — do this first
Offline key variant    Emsisoft Decryptor for STOP DJVU     Most .locked file victims
Online key variant     Previous Versions or backup restore  If the decryptor fails

Don't pay the ransom. I've seen people pay $980 and get nothing. The fix is almost always free if you follow these steps. And please — back up your files to an external drive and keep it disconnected. This won't be the last ransomware you see.
