Fake ransomware decryption tool double-encrypts user files
STOP Djvu decryptor encrypts a ransomware victim’s files with more ransomware
Security experts have warned about a fake ransomware decryption tool has double-encrypts user files.
Bleeping Computer reports that the creators of Zorab ransomware released a fake STOP Djvu decryptor, which encrypts a ransomware victim’s files with a second ransomware.
When someone opens the fake decryptor tool, it extracts crab.exe, an executable file that is the Zorab ransomware. It then encrypts all files with a .ZRB extension. According to Brett Callow, threat analyst with Emsisoft, STOP accounts for about half of all fake decryptor downloads.
“Unfortunately, criminals often create fake versions of popular software in order to spread malware, and they have now created a fake version of our decryptor to do just that,” said Callow.
“Running the fake tool will not recover data that was encrypted by STOP, it will actually encrypt it for a second time.”
Several tech companies have launched legitimate tools that decrypt files infected by ransomware. For example, Emsisoft’s free tool allows victims to recover files encrypted by Tycoon ransomware, while Telefónica’s free tool recovers data encrypted by VCryptor ransomware.
“This illustrates why people should exercise caution when downloading software and apps and ensure it has come from a reputable and trustworthy source,” warned Callow. “Similarly, cracks, activators, and keygens should be avoided as these are also frequently used to spread ransomware and other malware.”
Navigating the new normal: A fast guide to remote working
A smooth transition will support operations for years to comeDownload now
Leading the data race
The trends driving the future of data scienceDownload now
How to create 1:1 customer experiences at scale
Meet the technology capable of delivering the personalisation your customers craveDownload now
How to achieve daily SAP releases
Accelerate the pace of SAP change to support your digital strategyDownload now