The Stop/Djvu ransomware encrypts the first 153605 bytes (150 kB + 5 bytes) of each file and appends 334 additional bytes at the end. While the file is still in its encrypted state, the audio data after byte 153605 can be recovered.
This involves:
Computing the start offset: the offset of the first byte after the encrypted region that is also the first byte of a frame (example: bit depth 24 bit, stereo: frame size is 6 bytes; the first usable byte in a WAVE file is at offset 44 + (25594 * 6) = 153608).
Computing the end offset: <total number of bytes> - 334.
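The offset calculation above as a worked example. This is added code, not taken from the application: the function names are hypothetical, the channel count, sample width and sample rate must be supplied by the caller because the 44-byte WAVE header lies inside the encrypted region, and trimming the end to a whole frame is an added assumption.

```python
import io
import wave

ENCRYPTED_PREFIX = 153605  # bytes encrypted at the start of the file (from the text)
APPENDED_TRAILER = 334     # bytes appended at the end of the file (from the text)
WAVE_HEADER_SIZE = 44      # header size used in the text's example


def recoverable_range(total_bytes, frame_size, header_size=WAVE_HEADER_SIZE):
    """Return (start, end) byte offsets of the intact, frame-aligned audio data."""
    if frame_size <= 0:
        raise ValueError("frame_size must be positive")
    # Number of frames touched by the encrypted prefix, rounded up so that
    # start lands on the first frame boundary at or after byte 153605.
    lost = max(0, -(-(ENCRYPTED_PREFIX - header_size) // frame_size))
    start = header_size + lost * frame_size
    end = total_bytes - APPENDED_TRAILER
    end -= (end - start) % frame_size  # assumption: drop a trailing partial frame
    if end <= start:
        raise ValueError("file too small: no audio data outside the encrypted region")
    return start, end


def recover_wave(encrypted, channels, sample_width, sample_rate):
    """Build a new WAVE file (as bytes) from the unencrypted tail of `encrypted`."""
    start, end = recoverable_range(len(encrypted), channels * sample_width)
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(channels)
        w.setsampwidth(sample_width)   # bytes per sample, e.g. 3 for 24 bit
        w.setframerate(sample_rate)
        w.writeframes(encrypted[start:end])
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: 30000 frames of 24-bit stereo PCM behind a dummy header,
    # with the first 153605 bytes overwritten and 334 bytes appended.
    pcm = bytes((i * 7) % 256 for i in range(30000 * 6))
    original = bytes(WAVE_HEADER_SIZE) + pcm
    sample = b"\xaa" * ENCRYPTED_PREFIX + original[ENCRYPTED_PREFIX:] + b"\x55" * APPENDED_TRAILER
    print(recoverable_range(len(sample), 6))
    print(len(recover_wave(sample, 2, 3, 48000)), "bytes of recovered WAVE data")
```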
This mode should be activated by providing the following application parameter: