Fake Ransomware Decryptor Encrypts Victim Files

A fake decryptor, allegedly aimed at the STOP Djvu Ransomware is making the rounds on the internet, distributed through lures of free decryption for desperate people. People get infected with another ransomware that makes things even more complicated instead of having their files decrypted.

The STOP Djvu ransomware has been very prolific, with more infections than Maze, REvil, Netwalker, and DoppelPaymer. While the others were getting more media spotlight time due to their high profile victims, STOP has been infecting more people than all of them together.

This Week in Malware Ep 10: STOP & Zorab Ransomware Exploits Victims w/Fake Decryptor

With more than 600 submissions to the ID-Ransomware identification service, the STOP ransomware is one of the most widely distributed ransomware threats in 2019. Emsisoft released a decryptor for older variants of the STOP Djvu ransomware, but its new encryptions have so far been unbeaten by security companies.

The lack of focus on solving the problem has been mostly because the ransomware affects home users who infect their devices via adware bundles masquerading as software cracks. Many of the affected users are unable to pay a $500 ransom for a decryptor, and with double encryption of an already existing problem, it seems the threat actors behind this current trend are after causing maximum damage.

Zorab Ransomware Double Encrypts Data

A new ransomware called Zorab is making the rounds on the internet. The creators of the Zorab ransomware released a fake STOP Djvu decryptor that encrypts the victim's files even further, instead of decrypting them. When desperate users decide to use it and enter their personal information in the fake decryptor, clicking on 'Start Scan' gives them a nasty surprise. The program extracts the cab.exe executable and saves it to the %Temp% folder. Crab.exe is a ransomware called Zorab, one that encrypts data on the infected device. When the files undergo the process, they are appended with the .ZRB extension.

The ransomware may also create a ransom note called '—DECRYPT—ZORAB.txt.ZRB' in each affected folder with encrypted files present. The note has instructions within on contacting the ransomware operators and instructions regarding payment. The ransomware is currently undergoing analysis, so users are advised to avoid making any payments until their files can be recovered for free.