• Djvu is a recent addition to the ransomware family, which was detected in December 2018 by security researcher Michael Gillespie.
  • Attackers are now spreading Djvu through software cracks and adware.

Djvu ransomware, which made news last month, is gaining a bad rep lately. It appears that cybercriminals are relying on software cracks and adware to proliferate this ransomware on Windows computers. Furthermore, a new variant has also been developed in the form of a .tro extension that is sneakily put into crack files. Prior to this, Djvu used .djvu extension for presenting encrypted files.

An online forum of Bleeping Computer was abuzz with users posting their attack instances by Djvu. In addition, some users submitted the ransomware files to ID-Ransomware, a website that detects ransomware types.

Encryption decoded

Various reports also provided insights on how Djvu would infect the victim’s computer through crack files. “When these cracks are installed, the main installer will be installed as %LocalAppData%\[guid]\[random].exe and executed,” Bleeping Computer reported.

Once this EXE program is executed, four additional files are downloaded. These files target various security aspects of the system such as disabling the antivirus functionality and displaying a fake Windows update screen.

This makes the user think that the update alert is genuine. Meanwhile, in the background, Djvu actually encrypts every file in the victim’s system to .tro extensions. Consequently, the ransomware creates a scheduled task known as ‘Time Trigger Task’ as one last measure so that newer files added to the system are encrypted.

While encrypting files, Djvu also creates ransom notes regularly, as and when file encryption stops. These ransom notes then warn the user and mention details such as ransom amount, payment options and attackers’ email addresses.

Experts believe that fixing the Djvu-infected systems in order to recover encrypted files can prove to quite challenging without paying any ransom.

Cyware Publisher