Fake ransomware decryption tool double-encrypts user files
STOP Djvu decryptor encrypts a ransomware victim’s files with more ransomware
Security experts have warned about a fake ransomware decryption tool has double-encrypts user files.
Bleeping Computer reports that the creators of Zorab ransomware released a fake STOP Djvu decryptor, which encrypts a ransomware victim’s files with a second ransomware.
When someone opens the fake decryptor tool, it extracts crab.exe, an executable file that is the Zorab ransomware. It then encrypts all files with a .ZRB extension. According to Brett Callow, threat analyst with Emsisoft, STOP accounts for about half of all fake decryptor downloads.
“Unfortunately, criminals often create fake versions of popular software in order to spread malware, and they have now created a fake version of our decryptor to do just that,” said Callow.
“Running the fake tool will not recover data that was encrypted by STOP, it will actually encrypt it for a second time.”
Several tech companies have launched legitimate tools that decrypt files infected by ransomware. For example, Emsisoft’s free tool allows victims to recover files encrypted by Tycoon ransomware, while Telefónica’s free tool recovers data encrypted by VCryptor ransomware.
“This illustrates why people should exercise caution when downloading software and apps and ensure it has come from a reputable and trustworthy source,” warned Callow. “Similarly, cracks, activators, and keygens should be avoided as these are also frequently used to spread ransomware and other malware.”
Unlocking collaboration: Making software work better together
How to improve collaboration and agility with the right tech

Six things a developer should know about Postgres
Why enterprises are choosing PostgreSQL

The path to CX excellence for B2B services
The four stages to thrive in the experience economy
