This cruel ‘ransomware decryptor’ only makes things worse

Phoney ransomware decryptor doubly encrypts users’ files

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Researchers have identified a fakeransomwaredecryptor circulating online that only serves to add to victims’ problems.

The phoney decryptor preys on users infected with the pervasive STOP Djvu ransomware which, unlike the most famous ransomware variants, primarily targets individuals as opposed to businesses.

According to researchers atMalwareHunterTeam, installing and running the fake STOP Djvu encryptor subjects the victim to a second ransomware attack.

The second ransomware, called Zorab, infects the user’s device and doubly encrypts their files, rubbing salt into the existing wound.

Fake ransomware decryptor

STOP Djvu is among the most prolific ransomware strains in circulation, infecting a greater number of victims than the infamous Maze, Sodinokibi, Netwalker and DoppelPaymer ransomware combined.

Concealed within rigged software cracks, it infects over 600 users per day, making it the most widely distributed ransomware over the last 12 months.

Decryptors for older iterations of STOP Djvu have previously been made available online for free, which could have led victims to place greater trust in the fraudulent decryptor than they otherwise might.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Once installed and activated, the sham decryptor extracts a second executable, crab.exe, which installs the Zorab ransomware, further encrypts data and deposits a ransom note in each folder containing an encrypted file.

The ransom note demands the victim purchases a decryption tool from the ransomware operator and warns them against using third party software to address the infection.

However, security firm Emsisoft has now released afree Zorab decryptor, which victims can use to recover their files - although it won’t rid them of the original STOP Djvumalware.

ViaBleeping Computer

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)