Tohj ransomware is a file-encrypting malware, one of the more recent versions of the Djvu/STOP ransomware. It’s a very dangerous malware infection because it encrypts files and there’s currently no free Tohj ransomware decryptor available. Encrypted files will have .tohj added to them, and you will not be able to open them. The only people who have a decryptor are the cybercriminals operating this ransomware. They will try to sell the decryptor to victims for $980.


Towz ransomware note


As soon as the ransomware is initiated, it will start encrypting files. It mainly targets personal files, usually photos, videos, and documents. You will be able to recognize which files have been encrypted by the .tohj extension. Unfortunately, you will not be able to open files with this extension, unless you first use a decryptor on them. But acquiring the decryptor will not be so easy because only the malware operators have it. The process of buying it is explained in the _readme.txt ransom note that is dropped in all folders containing encrypted files. The ransom note is identical to all notes dropped by ransomware from this family, with only the contact email addresses being different.

Tohj ransomware files

The note explains that the Tohj ransomware decryptor costs $980. There’s supposedly a 50% discount for victims who contact the malware operators within the first 72 hours, though whether that is true is debatable. In general, paying the ransom is not recommended because there are no guarantees that they’ll send the decryptor. These are cyber criminals, and they have no obligation to help users, even if they pay. Many users in the past have paid but received nothing in return. So engaging with cybercriminals is always risky. Furthermore, if you paid, your money would go toward future criminal activities. And the only reason why ransomware is such a successful business is that victims pay the ransom.

Unfortunately for users who do not have a backup, there currently is no free Tohj ransomware decryptor available. Because ransomware versions from this family use online keys to encrypt files, it’s difficult for malware researchers to develop a decryptor. The keys are unique to each user, and unless those keys are released by cyber criminals, a decryptor is not very likely. It’s not impossible that those keys may be released eventually, either by the cybercriminals themselves or by law enforcement if they ever catch these malicious actors. It’s worth mentioning that if you can’t find a decryptor on a legitimate site like NoMoreRansom, you certainly won’t find it on a random forum.

If you have a backup, you can start recovering your files as soon as you remove Tohj ransomware from your computer. It’s strongly recommended to use a good anti-malware program because it’s a very complex infection and should be removed using a professional tool. If you don’t already have a habit of backing up your files, we recommend you start. This is the best way to fight ransomware.

How is ransomware distributed?

Ransomware, like most malware, is distributed via methods like email attachments, torrents, etc. Users with bad browsing habits are much more likely to infect their computers with malware because they engage in risky online behavior more often. Developing better habits is a good way to avoid malicious infections.

Email attachments are a favored method of malware distribution for cybercriminals. They buy email addresses from hacker forums and use them to launch malicious campaigns. When users open these malicious attachments, they infect their computers with malware. These malicious emails are quite obvious in most cases because cybercriminals put in very little work. First of all, they are full of grammar/spelling mistakes. Malicious senders usually pretend to be from legitimate companies so the mistakes are very obvious. You will rarely see any mistakes in legitimate emails because they would look unprofessional.

Another sign of a malicious email is generic words like “User”, “Member”, and “Customer” being used instead of your name in emails that are supposedly sent by companies whose services you use. Companies use customers’ names in emails because it makes the emails seem more personal. But since malicious actors usually do not have access to users’ personal information, they are forced to use generic words.

Some malicious emails can be much more sophisticated, particularly when they have personal information about their specific target. Such emails would address users by name, have no mistakes, and contain information that would make the email seem more credible. Therefore, it’s strongly recommended to scan all email attachments with anti-virus software or VirusTotal before opening them.

Torrents are also often used to distribute malware. Torrent sites are often poorly moderated, and this allows malicious actors to upload torrents with malware in them. This is fairly common so users using torrents have a high chance of infecting their computers. Torrents for entertainment content (movies, TV series, and video games) are the most likely to have malware in them. Thus, torrenting copyrighted content is not recommended. Not only because it’s essentially stealing but also because it’s dangerous for the computer.

Tohj ransomware removal

As always, users are recommended to use anti-virus software to remove Tohj ransomware. It’s quite a complex malware infection and should be left to a professional program. If you try to delete Tohj ransomware manually, you could accidentally cause additional damage to your device. Once the ransomware has been fully removed by the anti-virus, you can access your backup to start recovering files.

If you don’t have a backup, you can try Emsisoft’s free Djvu/STOP ransomware decryptor. It’s not very likely to work but it’s still worth a try. If it doesn’t work, your only option is to wait for the free Tohj ransomware decryptor to be released. If it does become available, it would be posted on NoMoreRansom.

Tohj ransomware is detected as:

  • Win32:CrypterX-gen [Trj] by Avast/AVG
  • Trojan.GenericKDZ.92692 by BitDefender
  • HEUR:Trojan.Win32.Packed.gen by Kaspersky
  • Trojan.MalPack.GS by Malwarebytes
  • Trojan:Win32/Redline.GTQ!MTB by Microsoft
  • Win32/Filecoder.STOP.A by ESET

Tohj ransomware detections

Quick Menu

Step 1. Delete Tohj ransomware using Safe Mode with Networking.

Remove Tohj ransomware from Windows 7/Windows Vista/Windows XP
  1. Click on Start and select Shutdown.
  2. Choose Restart and click OK. Windows 7 - restart
  3. Start tapping F8 when your PC starts loading.
  4. Under Advanced Boot Options, choose Safe Mode with Networking. Remove Tohj ransomware - boot options
  5. Open your browser and download the anti-malware utility.
  6. Use the utility to remove Tohj ransomware
Remove Tohj ransomware from Windows 8/Windows 10
  1. On the Windows login screen, press the Power button.
  2. Tap and hold Shift and select Restart. Windows 10 - restart
  3. Go to Troubleshoot → Advanced options → Start Settings.
  4. Choose Enable Safe Mode or Safe Mode with Networking under Startup Settings. Win 10 Boot Options
  5. Click Restart.
  6. Open your web browser and download the malware remover.
  7. Use the software to delete Tohj ransomware

Step 2. Restore Your Files using System Restore

Delete Tohj ransomware from Windows 7/Windows Vista/Windows XP
  1. Click Start and choose Shutdown.
  2. Select Restart and OK Windows 7 - restart
  3. When your PC starts loading, press F8 repeatedly to open Advanced Boot Options
  4. Choose Command Prompt from the list. Windows boot menu - command prompt
  5. Type in cd restore and tap Enter. Uninstall Tohj ransomware - command prompt restore
  6. Type in rstrui.exe and press Enter. Delete Tohj ransomware - command prompt restore execute
  7. Click Next in the new window and select the restore point prior to the infection. Tohj ransomware - restore point
  8. Click Next again and click Yes to begin the system restore. Tohj ransomware removal - restore message
Delete Tohj ransomware from Windows 8/Windows 10
  1. Click the Power button on the Windows login screen.
  2. Press and hold Shift and click Restart. Windows 10 - restart
  3. Choose Troubleshoot and go to Advanced options.
  4. Select Command Prompt and click Restart. Win 10 command prompt
  5. In Command Prompt, input cd restore and tap Enter. Uninstall Tohj ransomware - command prompt restore
  6. Type in rstrui.exe and tap Enter again. Delete Tohj ransomware - command prompt restore execute
  7. Click Next in the new System Restore window. Get rid of Tohj ransomware - restore init
  8. Choose the restore point prior to the infection. Tohj ransomware - restore point
  9. Click Next and then click Yes to restore your system. Tohj ransomware removal - restore message


More information about WiperSoft and Uninstall Instructions. Please review WiperSoft EULA and Privacy Policy. WiperSoft scanner is free. If it detects a malware, purchase its full version to remove it.

  • wipersoft

    WiperSoft Review Details WiperSoft ( is a security tool that provides real-time security from potential threats. Nowadays, many users tend to download free software from the Intern ...

  • mackeeper

    Is MacKeeper a virus? MacKeeper is not a virus, nor is it a scam. While there are various opinions about the program on the Internet, a lot of the people who so notoriously hate the program have neve ...

  • malwarebytes-logo2

    While the creators of MalwareBytes anti-malware have not been in this business for long time, they make up for it with their enthusiastic approach. Statistic from such websites like CNET shows that th ...


Site Disclaimer is not sponsored, owned, affiliated, or linked to malware developers or distributors that are referenced in this article. The article does not promote or endorse any type of malware. We aim at providing useful information that will help computer users to detect and eliminate the unwanted malicious programs from their computers. This can be done manually by following the instructions presented in the article or automatically by implementing the suggested anti-malware tools.

The article is only meant to be used for educational purposes. If you follow the instructions given in the article, you agree to be contracted by the disclaimer. We do not guarantee that the artcile will present you with a solution that removes the malign threats completely. Malware changes constantly, which is why, in some cases, it may be difficult to clean the computer fully by using only the manual removal instructions.

Leave a Reply