This is a full-length guide about the 259th variant of STOP/DJVU malware, named IISS ransomware. It contains instructions on how to remove this virus, includes further tips on repairing the computer system, and explains the chances of decrypting files for free.

_readme.txt note explained

IISS ransomware is designed exclusively to extort inattentive computer users by locking their files until a ransom is paid. To deliver that demand, the virus creates notes across the computer system. After the infection, the computer user will notice these notes and open one of them. The note contains a message from the criminals, which first states that all files (documents, photos, videos, databases) have been encrypted. The criminals suggest purchasing a special .iiss decryption key and software. To prove that it is “worth” paying the ransom, the virus’s developers suggest sending them one encrypted file, which they will decrypt and send back. The attackers warn that this test file should not contain any valuable information. Going further, the _readme.txt note explains that the ransom price applied to the victim will be lower if one rushes to contact the attackers and pay within 72 hours. This will guarantee a price of $490 in Bitcoin. Otherwise, the price bounces back to the “full” amount, $980. Finally, the note provides two contact emails and the victim’s personal ID.

Why you shouldn’t pay the ransom

First and foremost, we would like to clearly state that cybersecurity experts, including us, are against paying the criminals what they ask. First, this helps to fund further virtual crime operations, and second, this does not guarantee file recovery at all. You are dealing with people who are okay with destroying people’s data all over the world, therefore it would be naive to expect that they will fulfill their part of the agreement once the money is received. Even if they do, paying the criminals is wrong because you will definitely be identified as a potential victim to attack in the future. Even the FBI advises against ransom payments, and if you are a resident of the USA, paying can result in a penalty. There are still chances to recover your files, but only if an offline key was used. You can use the instructions in this guide on how to recover or repair encrypted .iiss files, or use the instructions below this article.

How virus modified your files: understand better

Ransomware is basically a malicious computer program that uses symmetric or asymmetric encryption algorithms to “secure” files on the victim’s computer so that no one can access them except those who hold the decryption key (in this case, the criminals). While they cannot access your files remotely, they offer to sell you this key so you can decrypt .iiss files and restore your data. Encryption was created with the intention of securing information so that only the parties holding the decryption key can access it. It is mainly used to secure military-grade secrets. The encryption can be single or multi-layered, such as mixtures of AES and RSA.

We recommend that you refrain from paying the criminals, as it obviously isn’t a good solution. Instead, you should first read about the possibilities to recover your files. The most important thing to do now is to remove the IISS virus from the system using a reliable malware removal tool. To repair virus damage caused to your Windows system, run RESTORO.

Ransomware delivery system

Variants of STOP/DJVU malware such as IISS ransomware, EFJI or others are commonly found in illegal downloads. This is the most popular and well-known distribution method used to transmit the malware to users’ computers. The criminals disguise the malware as software cracks, keygens, or other license activation tools such as KMSPico. Victims mainly report finding the ransomware in Adobe and gaming software cracks. These downloads are typically proliferated via torrent-sharing domains and can be received via programs like uTorrent or eMule. You should never opt for illegal downloads; head to software vendors’ websites if you want to get secure and legitimate licenses. Needless to say, a legitimate software license for a premium version is always cheaper than the ransom that cybercriminals ask, so it is never worth the risk.

In order to avoid ransomware, you should also be careful when opening emails that you did not expect to receive. Especially avoid letters from well-known companies such as DHL or TNT reporting a shipment you didn’t order. Criminals tend to pretend they’re representing such companies, but they send a malware payload in the form of an attachment that looks like a DOC or PDF file. They also tend to compose messages that urge you to view the attached document, for instance, a missing/pending payment or invoice. Stay away from such emails and the links or files attached to them, even if the sender’s email looks legitimate. There are ways to spoof the email address to make it look like it is coming from a legitimate sender. For more ways to protect against ransomware, read this guide.

Remove IISS ransomware virus securely

To secure your computer system, remove IISS ransomware virus along with other malware using reliable malware removal software. We strongly recommend following the instructions provided below. To repair virus damage, you can download and run RESTORO, a well-known PC repair tool. After successful IISS virus removal, do not forget to change all your passwords for websites saved in your browser. This must be done as an extra security step because STOP/DJVU ransomware variants tend to install password-stealers on the systems. Now, follow the removal instructions provided below.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair virus damage caused to the system. GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you.

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats. Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer.

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of the software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses the AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Method 1. Enter Safe Mode with Networking

Before you try to remove IISS ransomware virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC in the said mode, but you can find additional ones in this in-depth tutorial on our website: How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on YouTube.

Now, you can search for and remove IISS ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus. Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking the ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection.

System Mechanic Ultimate Defense

System Mechanic Ultimate Defense is an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Due to its wide range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt IISS files

Fix and open large IISS files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files altogether. That said, we recommend testing this method on several big (>1GB) files first.
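The reported head-only encryption can be checked on a copy of a file by comparing byte entropy in the first 150 KB with the region right after it. The Python script below is an added example, not part of the original guide or of any decryptor; the 7.5 bits/byte threshold, the function names and the sample data are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter

HEAD_BYTES = 150 * 1024   # size of the encrypted region as reported in this guide
HIGH_ENTROPY = 7.5        # bits/byte; assumed threshold for "looks encrypted or compressed"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def triage(path: str) -> str:
    """Classify a file by comparing entropy of its head and the region after it."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
        tail = fh.read(HEAD_BYTES)    # same-sized sample right after the head
    if not tail:
        return "too-small"            # nothing past the head region to inspect
    head_high = shannon_entropy(head) >= HIGH_ENTROPY
    tail_high = shannon_entropy(tail) >= HIGH_ENTROPY
    if head_high and not tail_high:
        return "head-only-encrypted"  # data past 150 KB still looks like plain content
    if head_high and tail_high:
        return "inconclusive"         # compressed formats (zip, jpg, mp4) look random throughout
    return "head-not-encrypted"


def make_sample(encrypt_head: bool) -> str:
    """Write a constructed 400 KB text-like file; optionally replace its head with random bytes."""
    body = (b"2021-03-01 invoice line item, quantity 3, total 41.97\n" * 8000)[:400 * 1024]
    if encrypt_head:
        body = os.urandom(HEAD_BYTES) + body[HEAD_BYTES:]
    fd, path = tempfile.mkstemp(suffix=".iiss" if encrypt_head else ".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return path


if __name__ == "__main__":
    for flag in (True, False):
        sample = make_sample(flag)
        print(sample, triage(sample))
        os.remove(sample)
```

Run it only against copies of affected files; an "inconclusive" result is expected for archives, images and video, whose contents are high-entropy even when untouched.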

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. IISS ransomware virus is considered a new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by an offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher, Michael Gillespie.

Note! Please do not spam the security researcher with questions about whether he can recover your files encrypted with an online key - it is not possible.

In order to test the tool and see if it can decrypt IISS files, follow the given tutorial.

Meanings of decryptor’s messages

The IISS decryption tool might display several different messages after a failed attempt to restore your files. You might receive one of the following messages:

Error: Unable to decrypt file with ID: [example ID]

This message typically means that there is no corresponding decryption key in the decryptor’s database.

No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible

This message informs you that your files were encrypted with an online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.

Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.

If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your IISS extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend that you follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of IISS ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.
In Australia, go to the SCAMwatch website.
In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
In Ireland, go to the An Garda Síochána website.
In New Zealand, go to the Consumer Affairs Scams website.
In the United Kingdom, go to the Action Fraud website.
In Canada, go to the Canadian Anti-Fraud Centre.
In India, go to Indian National Cybercrime Reporting Portal.
In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.