Fake ransomware decryption tool double-encrypts user files

Security experts have warned about a fake ransomware decryption tool has double-encrypts user files. 

Bleeping Computer reports that the creators of Zorab ransomware released a fake STOP Djvu decryptor, which encrypts a ransomware victim’s files with a second ransomware.

When someone opens the fake decryptor tool, it extracts crab.exe, an executable file that is the Zorab ransomware. It then encrypts all files with a .ZRB extension. According to Brett Callow, threat analyst with Emsisoft, STOP accounts for about half of all fake decryptor downloads.

“Unfortunately, criminals often create fake versions of popular software in order to spread malware, and they have now created a fake version of our decryptor to do just that,” said Callow.

“Running the fake tool will not recover data that was encrypted by STOP, it will actually encrypt it for a second time.”

Several tech companies have launched legitimate tools that decrypt files infected by ransomware. For example, Emsisoft’s free tool allows victims to recover files encrypted by Tycoon ransomware, while Telefónica’s free tool recovers data encrypted by VCryptor ransomware.

“This illustrates why people should exercise caution when downloading software and apps and ensure it has come from a reputable and trustworthy source,” warned Callow. “Similarly, cracks, activators, and keygens should be avoided as these are also frequently used to spread ransomware and other malware.”