Irjg ransomware virus is the file-locking infection that marks data using particular .irjg appendix once files get encrypted

Irjg ransomware is a form of cryptovirus that focuses on file locking, so cryptocurrency payments can be demanded from the victim directly. That is done via ransom note file _readme.txt that appears on the desktop and in folders when encryption procedures are complete.[1] The infection starts when the pirated file or software gets downloaded. Viruses can quickly go through the stored files and find data fitting to get encrypted.
Even though there are some additional processes that virus triggers it starts with encryption. To make the victim clueless, ransomware delivers the particularly deceiving Windows update window on the screen to mask the file locking procedure. The person can’t know what happens and what causes all the issues with the speed and performance.
These are the first steps of the infection, but once the Irjg virus achieves the goal of locking possibly valuable data, the threat can leave the machine and place the ransom note with all the instructions. In most cases, virus developers are the ones that create the code, but there are additional people who deploy this infection around and ensure that payments are demanded. This family is requiring $490/$980 in Bitcoin and the sooner victims contact these people via email the lower the price is. However, after the 72-hour mark, the price gets to $980 and cannot be lowered. Payment transfer instructions get listed in the ransom message, but this is not the best solution.
It is possible that decryption tools will get developed after the release of this threat, but it takes a long time. People would like to use the machine right away and recover the needed functions as soon as possible. It is not safe when the virus is still active. We can only suggest storing some of the malicious files, encoded data on separate storage like a USB key, and wait for the improvements. Meantime, you can remove the infection, repair functions, and replace affected files using data backups yourself.
| Name | Irjg virus |
|---|---|
| Type | Ransomware, file-locker |
| Family | Djvu/ STOP ransomware |
| File marker | .irjg is the appendix appearing on every locked file indicating which data got altered |
| Distribution | Cracked software, game cheats, other pieces downloaded from the pirating, torrent platforms |
| Ransom note | _readme.txt |
| Contact email | manager@mailtemp.ch, supporthelp@airmail.cc |
| Amount demanded | $980, but criminals offer the discount to $490 in the first 72 hours |
| Removal | The best option for ransomware is to remove the infection using anti-malware tools. Such software can find malicious files and terminate the processes |
| System repair | Proper recovery of the machine includes repairing the file damage and clearing virus leftovers. System optimization like FortectIntego can help with such issues |
A deeper look into the ransomware
Irjg is the name of a file-locking virus variant that belongs to an ever-growing family called Djvu ransomware. The group of threats is known to be distributed for years now. Each week is coming with a new version released into the wild. It encrypts files, appends .irjg extension onto their filenames, and creates a ransom note file with instructions on the payment.
This ransomware is a specific kind of malware that encrypts your documents and then forces you to pay for them. Since the family is known for a while contacting these people is not recommended. Paying is also not an option. Djvu/STOP ransomware family was first revealed and discovered by virus analysts in 2018, but since then many advanced techniques got employed.
This new Irjg ransomware has many similarities with other DJVU based viruses like Tisc or Rigd, Nqsq in terms of how they work on files. Once these cryptocurrency extortion-based threats get successfully executed, the malware creates many processes to force the persistence.
The note informs victims that they cannot decrypt files without the right decryption software and key, which cost $490 or $980 depending on how fast victims will contact them. The first 72 hours should give the 50% discount. However, paying criminals is dangerous. You should remove the infection, repair as many files as you can ignore any additional messages from criminals.

More detailed payment information is provided after writing an email to manager@mailtemp.ch, or supporthelp@airmail.cc. Before paying a ransom/purchasing tools for unlocking encrypted data, victims can send one file in exchange- not more than 1MB -to get it back decrypted. This is the false tactic created to fake trust between the Irjg virus victim and virus creators.
Anti-malware tools are the best for such infections because software like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes can scan the computer and locate possibly malicious files, data related to the infection. Termination takes minutes and the detection rate[2] shows that threats like this ransomware can be removed with AV-detection applications.
However, when the system gets infected with malware, its system is changed to operate differently. The infection can alter the Windows registry database, damage vital bootup, and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by Irjg file virus, antivirus software is not capable of doing anything about it, leaving it just the way it is.
It is highly recommended by various experts[3] that using a one-of-a-kind, patented technology of FortectIntego can solve these performance issues. Not only can it fix virus damage after the infection, but it is also capable of removing malware that has already broken into the system thanks to several engines used by the program. Besides, the application is also capable of fixing various Windows-related issues that are not caused by malware infections, for example, Blue Screen errors, freezes, registry errors, damaged DLLs, etc.
- Download the application by clicking on the link above
- Click on the ReimageRepair.exe

- If User Account Control (UAC) shows up, select Yes
- Press Install and wait till the program finishes the installation process
- The analysis of your machine will begin immediately
- Once complete, check the results – they will be listed in the Summary
- You can now click on each of the issues and fix them manually
- If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

What can be done without paying?
If the Irjg ransomware uses an offline key that’s shared by all users – encryption can be possible. The algorithm produces this unique code before encrypting files. However, this is the method used years before. Not the proper connection is helpful between the virus and the C&C server, so each victim gets the unique ID needed for the decryption of the data. Making this version non-decryptable.
If criminals don’t have an Internet connection during the encryption process, the malware will try using offline mode which means both victims should have the same keys. This helps with the existing decryption tool from Emsisoft. But this is the rare occasion not occurring for these past years. You should try using Emsisoft decryptor for Djvu/STOP even when you do not know exactly.
Even if your case meets this condition, however, somebody from the Irjg virus victims has to pay criminals, retrieve an offline key, and then share it with security researchers at Emsisoft. As a result, you might not be able to restore the encrypted files immediately. Thus, if the decryptor says your data was locked with an offline ID but cannot be recovered currently, you should try later. You also need to upload a set of files – one encrypted and a healthy one to the company’s servers before you proceed.
- Download the app from the official Emsisoft website.

- After pressing Download button, a small pop-up at the bottom, titled decrypt_STOPDjvu.exe should show up – click it.

- If User Account Control (UAC) message shows up, press Yes.
- Agree to License Terms by pressing Yes.
- After Disclaimer shows up, press OK.
- The tool should automatically populate the affected folders, although you can also do it by pressing Add folder at the bottom.

- Press Decrypt.
Additional tips for ransomware victims
There are several universal methods for decrypting encrypted files and removing the threat, despite the decryption keys. Make sure you read each instruction carefully before starting (skip any steps at your own risk). If you want to have your files safe, make sure to clear the infection before doing anything else. Otherwise, you might risk getting data encrypted when you recover files with the backups.
Ransomware can be active and triggered processes can still run for a while damaging the machine and performance. However, you can remove the Irjg ransomware and any other programs related to this virus, so the system can be recovered and used again. Any active intruders may trigger another round of file locking or different processes.

However, make sure that removing the threat is not the same as decryption of encoded files. Even when the SpyHunterCombo Cleaner or MalwarebytesMalwarebytes get used to terminate the infection, malware elimination does not equal virus decryption or file recovery. Of course, this is a really serious concern for victims so we list a few alternatives below for the decryption tools.
The Irjg virus termination can be difficult, so we also include some tips for the removal process when using AV tools since those get disabled or blocked by the infection. Do not forget to double-check before running any data backups, file recovery software, and run the tool like FortectIntego to repair features and programs of the computer.
Was this guide helpful?
Be the first to comment