How to delete Efji ransomware

Efji ransomware is yet another member of the Djvu/STOP ransomware family. It’s currently the newest version among the more than two hundred already released ransomware infections from this group. It adds the .efji extension to encrypted files and drops the _readme.txt ransom note.


Efji ransomware ransom note

Efji ransomware is file-encrypting malware that comes from the Djvu/STOP ransomware family. This gang is behind more than two hundred ransomware versions, including Mmpa, Foqe, and Moss. It encrypts files and then demands that victims pay for their decryption. Once files are encrypted, users will not be able to open them unless they first decrypt them with a special decryption tool, which the Djvu ransomware gang will try to sell victims. The decryptor costs $980, or $490 if contact is made within the first 72 hours. However, paying the ransom is never recommended because there are no guarantees that a decryptor would be sent. Countless users in the past have lost their money and were left with encrypted files.

Unfortunately, backup is currently the only free way to recover files. Emsisoft has released a free decryptor for many older Djvu versions, but it does not work for ransomware that uses online keys to encrypt files. Efji is among the new versions, which means decryption with the free decryptor will not work. All hope is not lost: if law enforcement or the cyber crooks themselves ever release the online keys, a decryptor could be developed by malware researchers. So if users have no other options, they can back up the encrypted files and wait for a free decryptor to be released.

It should be mentioned that there are many fake decryptors advertised on the Internet, particularly for Djvu versions. If a legitimate decryptor were to be developed, it would come from Emsisoft, NoMoreRansom, anti-virus vendors or malware researchers. If they or BleepingComputer have not announced that a decryptor is available, it is not available.

For users who have backup, file recovery should not cause any problems, provided they first delete Efji ransomware from the computer. If the ransomware is still present when users connect to their backup, those files may become encrypted as well.

Ways ransomware infects a computer

When ransomware enters a computer, it’s usually because users have bad browsing habits and pirate content. Developing better habits can go a long way towards avoiding all kinds of malware.

One of the most common ways ransomware can enter a computer is spam email attachments. If users open an attached malicious file, the malware will run. Distributing malware via email is not particularly difficult, which is likely why it’s so widely used. Cyber criminals purchase email addresses from hacker forums and launch malicious spam email campaigns using them. For the most part, malicious emails are pretty noticeable. They are sent from nonsense email addresses, contain loads of spelling and grammar mistakes and generally do not seem legitimate. Overall, opening unsolicited email attachments is not recommended, at least until users are sure they are safe. Scanning an attached file with anti-virus or VirusTotal before opening it is a good idea.

Pirating entertainment content via torrents is also a good way to pick up ransomware. Torrent sites are often unregulated, which cyber criminals take full advantage of. They could disguise their malware as torrents for movies, TV shows, games, software, etc. When users download what they think is a popular movie, they end up launching malware. Thus, users are highly discouraged from pirating, as it is not only stealing but also dangerous for the computer.

What does Efji ransomware do?

When this ransomware is encrypting files, it shows a fake Windows Update window that says “Installing important updates Windows”. Once file encryption is complete, all encrypted files will have .efji added to them, hence why this ransomware is known as Efji ransomware. For example, image.jpg would become image.jpg.efji. A ransom note _readme.txt will also be dropped in all folders containing encrypted files.

The ransom note is identical to the ones dropped by other versions from this family. It explains that files have been encrypted and can only be decrypted with their decryptor. That is, at the moment, unfortunately true. The crooks behind this ransomware do offer to decrypt one file for free if it does not contain any important information. But to fully decrypt files, victims are asked to pay $980. If they make contact within the first 72 hours, the price would drop to $490. However, paying the ransom is not recommended because cyber crooks won’t necessarily send a decryptor. It happens often enough that users should be warned. Furthermore, by paying, users encourage cyber crooks to continue, as it makes ransomware profitable.

Here is the full Efji ransomware ransom note:


Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Ransomware is one of the main reasons why backing up files regularly is so important. Users who have backup can proceed to file recovery as soon as they remove Efji ransomware from their computers.
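
As an added example (not part of the original article and not a vendor tool), the Python script below inventories a folder tree for the two indicators described above, the .efji extension and a _readme.txt that contains the note's wording, and lists the original file names to pull from backup. The marker phrase check, the UTF-8 read and the constructed sample tree are assumptions made for illustration.

```python
import os
import tempfile

EXT = ".efji"                 # extension the article says is appended
NOTE_NAME = "_readme.txt"     # ransom note file name given in the article
NOTE_MARKER = "Price of private key and decrypt software"  # phrase from the quoted note

def is_ransom_note(path):
    """_readme.txt is a common name, so also require the note's wording (assumes UTF-8)."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            return NOTE_MARKER in fh.read(65536)
    except OSError:
        return False

def scan_tree(root):
    """Return (files_to_restore, note_folders, clean_folders), paths relative to root."""
    to_restore, note_folders, clean = [], [], []
    for folder, _dirs, files in os.walk(root):
        rel = os.path.relpath(folder, root)
        hits = [f for f in files if f.lower().endswith(EXT)]
        has_note = NOTE_NAME in files and is_ransom_note(os.path.join(folder, NOTE_NAME))
        for name in hits:
            # image.jpg.efji -> image.jpg: the name to look for in the backup
            to_restore.append(os.path.normpath(os.path.join(rel, name[:-len(EXT)])))
        if has_note:
            note_folders.append(rel)
        if not hits and not has_note:
            clean.append(rel)
    return sorted(to_restore), sorted(note_folders), sorted(clean)

def build_sample_tree(root):
    """Constructed sample data: one encrypted folder, one untouched folder."""
    files = {
        "Pictures/image.jpg.efji": "x",
        "Pictures/_readme.txt": "Price of private key and decrypt software is $980.",
        "Docs/report.docx": "x",
        "Docs/_readme.txt": "Project notes, unrelated to the ransom note.",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        restore, notes, clean = scan_tree(tmp)
        print("restore from backup:", restore)
        print("folders with ransom note:", notes)
        print("untouched folders:", clean)
```

Running the same scan against a mounted backup volume before restoring shows whether any .efji files or ransom notes have already reached it.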

How to delete Efji ransomware

Efji ransomware removal should only be done with anti-malware software. It’s a complicated infection and users might end up doing even more damage by trying to remove it manually. Unfortunately, removing the ransomware does not restore files. Files can only be decrypted with a specific decryptor.

Efji ransomware is detected as:

  • HEUR:Trojan.Win32.Bsymem.gen by Kaspersky
  • A Variant Of Win32/Kryptik.HGUS by ESET
  • Trojan.GenericKDZ.70771 (B) by Emsisoft
  • Trojan.GenericKDZ.70771 by BitDefender
  • Trojan.MalPack.GS by Malwarebytes
  • Ransom:Win32/STOP.BS!MTB by Microsoft
  • Packed.Generic.525 by Symantec