Did your files suddenly all turn into Derp type and now all the programs refuse to open them? Despite the funny name, this ransomware is very serious, powerful, and possibly devastating. It’s a new incarnation of Djvu and it can result in all the broken files being lost completely if you don’t have a backup of your data.
Derp File Locker quicklinks
- How Derp gets installed
- How to deal with Derp
- Important -- edit the hosts file to unblock security websites
- Find and edit the hosts file
- Download and run the antivirus program
- Automatic Malware removal tools
- How to recover Derp File Locker encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- 1. Reboot your computer to Safe Mode with Command Prompt:
- 2.Restore System files and settings.
- Step 4. Use Data Recovery programs to recover Derp File Locker encrypted files
(Win)
Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,
(Mac)
Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,
This ransomware is characterized by the Derp file type, by the fact that you can’t open the locked files, and by all the _readme.txt files everywhere. The email addresses are cheekily called [email protected] and [email protected], as if you were required to buy software to restore your files – the files that these same extortionists broke.
The breaking of the files is not permanent in theory. The people behind Derp have the decryption keys for each user, but fixing the files without those keys is hopeless. Still, you shouldn’t pay the ransom because Derp’s creators can’t be trusted. They’re more likely to take your money and ignore you, or send you their horrible tool and leave you without any support. There’s a reason why so many ransom payers end up losing some data anyway.
Derp exists alongside Coot, Nols, Leto, and many other Djvu file lockers that still spread and continue to claim new victims every day.
Derp features and problems description:
| Type of threat |
|
|---|---|
| File locker symptoms |
|
| Derp distribution |
|
| Derp file locker solution |
|
How Derp gets installed
Not to blame the victims, but it’s good to know how Derp infects most computers so that you can avoid that happening again in the future. Djvu has possibly claimed the files of hundreds of thousands of users, so its makers know how to spread their malware.
Most likely, Derp infects software pirates. Those who want to activate expensive commercial software for free by using cracks and key generators are targeted by spreading fake or infected versions of these tools. Even trusted people might sell out and start spreading Derp. Every time you download a file from a pirating site, it’s important to scan it. It’s also possible that Derp was downloaded without any intentional pirating: for example, it could have infected a free program or file that was uploaded on an unofficial download site. Eve PDF files can be infected. It’s not hopeless – Derp or its downloader could possibly have been discovered by scanning each download with an antivirus program, but even then, while Derp is new, not all security programs will recognize it. Try to stick to trusted sources of files, take precautions like making a backup before you do anything risky. It’s worth it to be careful because a virus like Derp can be very harmful.
Other, not-Djvu, ransomware can spread thanks to malicious ads and drive-by downloads, infected files being mailed with generic and urgent-sounding emails (something like “your invoice”), or downloaded by malicious links that can be distributed is social media (usually it’s shortened links). Serious businesses and organizations are targeted manually, usually infected through their remote desktop access.
Derp targets individuals, many of which don’t have sophisticated security solutions and can’t afford to lose their files. Over a hundred thousand people have been infected by this family of ransomware, many lost their files. But even rudimentary protection can go a long way in helping you avoid harm. But once Derp has infected your computer, it’s useless to dwell on what could have been and time to focus on the situation at hand.
How to deal with Derp
Avoid using the infected computer unnecessarily and, if that’s not too much trouble, consider connecting the device to another computer as a slave, where the infected drive is viewed from another computer. That way, no malware will be able to run and affect the files on the computer.
You can unblock the websites that Derp blocked (the instructions are in the next section) and download a reputable antivirus program to remove all the malware, including Derp and the spyware component. You can also do that later, as getting rid of the file-locker doesn’t unblock the websites.
When it comes to recovering the lost data, if you have a backup of your files, you can just use them to replace the corrupted “.derp” files. But if you didn’t have backups, the situation is more complicated and a lot less certain:
- If you hope to decrypt the files later, you might want to create a backup of your data by imaging the computer, or you can just take care to save the locked files so that they don’t get deleted. Also, if you wish to decrypt those files, it’s important to not make any edits to them. The “.derp” files are not dangerous – they’re affected by the ransomware, but they’re not infected.
- Emsisoft has released a general decrypter for Djvu-locked files, however, it won’t work without your decryption keys. If the researchers find the offline key, there’s a chance some of your data will be recovered, but that’s about it.
- Specialists might be able to recover some content of very big files, like video or audio, but it’s complicated, hard work, and some data is still lost.
Alternatively, if you didn’t lose anything important, it’s fine to just delete the .derp files and start from scratch.
Either way, you probably want to change your passwords. Some victims of other Djvu ransomware versions noticed that their online accounts were hacked, at worst, your crypto-wallet could be robbed. At least, make sure that you have 2-step verification everywhere. The criminals behind Derp will steal some money if they get a chance.
Important -- edit the hosts file to unblock security websites
TL DR : The hosts file is edited to block security sites Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). That is the reason the majority of security websites is inaccessible when infected with this particular parasite. This infection edits this file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.Find and edit the hosts file
The hosts file can be found on C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.- In the Start Menu, search for Control Panel.
- In the Control Panel, find Appearance and Personalization.
- Select Folder Options.
- Open the View tab.
- Open Advanced settings.
- Select "Show hidden files...".
- Select OK.
- Open the Start Menu and enter "notepad".
- When Notepad shows up in the result, right-click on it.
- In the menu, choose "Run as administrator"
- File->Open and browse for the hosts file.
Delete additional lines that they connect various domain names to the wrong IP address. Save the file.
Download and run the antivirus program
After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware. Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/).Automatic Malware removal tools
(Win)
Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,
(Mac)
Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,
How to recover Derp File Locker encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Derp has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Derp File Locker
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Derp. You can check other tools here.Step 3. Restore Derp File Locker affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Derp tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Derp File Locker encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download a data recovery program.
- Install and scan for recently deleted files.
