Fake ransomware decryption tool double-encrypts user files
STOP Djvu decryptor encrypts a ransomware victim’s files with more ransomware
Security experts have warned about a fake ransomware decryption tool has double-encrypts user files.
Bleeping Computer reports that the creators of Zorab ransomware released a fake STOP Djvu decryptor, which encrypts a ransomware victim’s files with a second ransomware.
When someone opens the fake decryptor tool, it extracts crab.exe, an executable file that is the Zorab ransomware. It then encrypts all files with a .ZRB extension. According to Brett Callow, threat analyst with Emsisoft, STOP accounts for about half of all fake decryptor downloads.
“Unfortunately, criminals often create fake versions of popular software in order to spread malware, and they have now created a fake version of our decryptor to do just that,” said Callow.
“Running the fake tool will not recover data that was encrypted by STOP, it will actually encrypt it for a second time.”
Several tech companies have launched legitimate tools that decrypt files infected by ransomware. For example, Emsisoft’s free tool allows victims to recover files encrypted by Tycoon ransomware, while Telefónica’s free tool recovers data encrypted by VCryptor ransomware.
“This illustrates why people should exercise caution when downloading software and apps and ensure it has come from a reputable and trustworthy source,” warned Callow. “Similarly, cracks, activators, and keygens should be avoided as these are also frequently used to spread ransomware and other malware.”
2021 Thales access management index: Global edition
The challenges of trusted access in a cloud-first world
Free download
Building a cloud-native, hybrid-multi cloud infrastructure
Get ready for hybrid-multi cloud databases, AI, and machine learning workloads
Free downloadThe next biggest shopping destination is the cloud
Know why retail businesses must move to the cloud
Free Download
