{
	"id": "e12eb448-7685-4a8c-a2a4-fdec30c34e59",
	"created_at": "2026-04-06T00:16:31.514318Z",
	"updated_at": "2026-04-10T03:21:29.068059Z",
	"deleted_at": null,
	"sha1_hash": "e839d78c024f6d12281a093a09c7521444ecb0af",
	"title": "Djvu Ransomware Spreading New .TRO Variant Through Cracks \u0026 Adware Bundles",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 938981,
	"plain_text": "Djvu Ransomware Spreading New .TRO Variant Through Cracks \u0026 Adware Bundles\r\nBy Lawrence Abrams\r\nPublished: 2019-01-16 · Archived: 2026-04-05 19:11:18 UTC\r\nIn December 2018, a new ransomware called Djvu, which could be a variant of STOP, was released that has been heavily promoted through crack downloads and adware bundles. Originally, this ransomware would append a variation of the .djvu string as an extension to encrypted files, but a recent variant has switched to the .tro extension.\r\nWhen first released, it was not known how the ransomware was being distributed and a sample of the main installer could not be found. When discussing the infection with the numerous victims who reported it in our forums and elsewhere, a common theme was noted: most of the victims stated that they became infected after downloading a software crack.\r\nThis campaign has been very successful, with ID-Ransomware reporting numerous victims submitting files to their system on a daily basis.\r\nhttps://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/\r\nPage 1 of 8\r\nID-Ransomware Submissions\r\nThe good news is that it may be possible to receive help in recovering your files for free. If you are infected with STOP Ransomware (.djvu, .tro, or .rumba), please see this post about using Michael Gillespie's decryptor.\r\nIf that fails to help, then please register an account and post the following information in a new reply to our dedicated STOP Ransomware Support \u0026 Help topic:\r\nNetwork card's MAC address. This can be gotten from using the command getmac /v. If you are not sure which MAC address to use, feel free to copy the entire output.\r\nA link to two encrypted files. You can use the Wetransfer service for this.\r\nYour personal ID from the ransom note.\r\nAfter you submit this information, we will try and help you, but please be patient.\r\nIf you have any questions or need help, feel free to ask here or in our dedicated STOP Ransomware Support and Help topic.\r\nHow the Djvu Ransomware encrypts a computer\r\nCertain cracks and adware bundles are installing this ransomware onto victims' computers. When these cracks are installed, the main installer will be installed as %LocalAppData%\\[guid]\\[random].exe and executed. This program is the main ransomware component and will first download the following files to the same folder:\r\n%LocalAppData%\\[guid]\\1.exe\r\n%LocalAppData%\\[guid]\\2.exe\r\n%LocalAppData%\\[guid]\\3.exe\r\n%LocalAppData%\\[guid]\\updatewin.exe\r\nWhen executed, 1.exe will execute various commands that remove the definitions for Windows Defender and disable various functionality. This executable will also execute a PowerShell script called Script.ps1, which disables Windows Defender's real-time monitoring using this command:\r\nSet-MpPreference -DisableRealtimeMonitoring $true\r\nThe ransomware will then execute 2.exe, which adds numerous security sites and download sites to the Windows HOSTS file so that victims are unable to connect to them for help. BleepingComputer is one of the sites added to the HOSTS file as shown below.\r\nHOSTS File\r\nA file called 3.exe will then be executed, which we have not been able to find a sample of, so we are unsure as to what it does.\r\nDuring this process, the ransomware will generate a unique ID for the machine, which according to Michael Gillespie is an MD5 of the system's MAC address, and connect to its Command \u0026 Control server at the URL http://morgem[.]ru/test/get.php?pid=[machine_id]. The server would then reply back with the encryption key that should be used to encrypt a victim's files.\r\nIf you are using sFlow, NetFlow, or sniffing traffic on your network, then it may be possible to recover your encryption key when the C2 server sends it to the victim's computer.\r\nThe ransomware will now begin to encrypt the files on the computer and at the same time execute updatewin.exe. Updatewin.exe will display a fake Windows Update screen in order to distract the user while their files are being encrypted and to make it seem normal that disk activity has increased.\r\nFake Windows Update\r\nDuring encryption, the ransomware will encrypt almost all files on the computer, including executables. When encrypting files, the older variant would append a variant of the string .djvu to the encrypted file's name. For example, test.jpg would be encrypted and then renamed to test.djvu, test.djvus, or test.djvut.\r\nNewer variants are instead appending the .tro extension to encrypted files' names as shown by the image below.\r\nEncrypted TRO Files\r\nFinally, the ransomware will create a scheduled task named \"Time Trigger Task\". This task will launch the ransomware at various intervals in order to encrypt any new files that are created.\r\nScheduled Task\r\nWhile encrypting files, it will drop ransom notes named _openme.txt in each folder in which files are encrypted. This ransom note will contain information regarding what happened to the victim's files and two email addresses that they should contact in order to receive payment instructions.\r\nDjvu Ransom Note\r\nAs previously stated, if you are infected with this ransomware, then it may be possible to recover your files for free. To request help, please see the instructions at the beginning of this article.\r\nIOCs\r\nHashes:\r\nMain installer: 5d294a14a491dc4e08593b2f6cdcaace1e894c449b05b4132b9ba5c005848c58\r\n1.exe: 6966599b3a7786f81a960f012d540866ada63a1fef5be6d775946a47f6983cb7\r\n2.exe: 91a1122ed7497815e96fdbb70ea31b381b5243e2b7d81750bf6f6c5ca12d3cee\r\nupdatewin.exe: 74949570d849338b3476ab699af78d89a5afa94c4529596cc0f68e4675a53c37\r\nAssociated Files:\r\n%LocalAppData%\\[guid]\\[random_numbers]tmp.exe\r\n%LocalAppData%\\[guid]\\1.exe\r\n%LocalAppData%\\[guid]\\2.exe\r\n%LocalAppData%\\[guid]\\3.exe\r\n%LocalAppData%\\[guid]\\updatewin.exe\r\nC:\\Windows\\System32\\Tasks\\Time Trigger Task\r\nAssociated Registry Entries:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper\r\nAssociated Email Addresses:\r\nrestoredjvu@india.com\r\nrestoredjvu@firemail.cc\r\nhelpshadow@india.com\r\nhelpshadow@firemail.cc\r\npdfhelp@india.com\r\npdfhelp@firemail.cc\r\nNetwork Traffic:\r\napi.2ip.ua\r\nmorgem.ru\r\nRansom Note Text:\r\n---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED ---------------------------------------------\r\nDon't worry, you can return all your files!\r\nAll your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees do we give to you?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can download video overview decrypt tool:\r\nhttps://www.sendspace.com/file/1sg7f3\r\nDon't try to use third-party decrypt tools because it will destroy your files.\r\nDiscount 50% available if you contact us first 72 hours.\r\n--------------------------------------------------------------------------------------------------------------------------\r\nTo get this software you need write on our e-mail:\r\npdfhelp@india.com\r\nReserve e-mail address to contact us:\r\npdfhelp@firemail.cc\r\nYour personal ID:\r\n[id]\r\nSource: https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/"
	],
	"report_names": [
		"djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles"
	],
	"threat_actors": [],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e839d78c024f6d12281a093a09c7521444ecb0af.pdf",
		"text": "https://archive.orkl.eu/e839d78c024f6d12281a093a09c7521444ecb0af.txt",
		"img": "https://archive.orkl.eu/e839d78c024f6d12281a093a09c7521444ecb0af.jpg"
	}
}